Xiaomi’s MIUI firmware has several security flaws, according to cyber security firm eScan. In a research published earlier this month, the company detailed a number of vulnerabilities that it believes hackers and even some less tech-savvy individuals with malicious intentions could exploit to compromise the privacy of people using Xiaomi’s mobile software suite. One of the main problems outlined by the paper pertains to the manner in which MIUI manages apps with administrator privileges, with eScan stating that MIUI allows users to delete such apps without any authentication, consequently allowing anyone to do so as long as the device is unlocked. This lack of additional protection mechanisms endangers the ability of anti-theft services to work since thieves have a better chance of deleting them once they’re in the possession of a stolen device.
Another issue identified by eScan is specifically associated with the Mi-Mover app which overrides Android’s sandbox protection feature in an effort to transfer all apps and data from a device running MIUI to any other one powered by Android 4.2 Jelly Bean or later versions of Google’s operating system. The app itself is secured by an additional password but if it’s used for transferring data between two MIUI devices, it will clone all information from the first device, even sensitive system data. Likewise, the paper noted a number of minor security vulnerabilities that are also related to MIUI’s supposedly insufficient protection mechanisms and are detailed in the full report that can be accessed by following the source link below.
The authors of the research submitted their findings to Xiaomi and numerous app developers and cyber security specialists in mid-July, seeking a peer review of their findings. The Chinese original equipment manufacturer (OEM) later issued a comment on eScan’s conclusions, stating that all users are strongly advised to lock their devices in order to keep them protected. Xiaomi added that the Mi-Mover vulnerability can hardly be categorized as such since the app has two layers of protection, whereas all other findings require hackers to have physical access to a MIUI device, i.e. pertain to scenarios in which no software can guarantee absolute security. eScan’s tests were performed on a number of Xiaomi and third-party devices running MIUI, though the firm didn’t specify which particular build of the firmware was scrutinized as part of its research. MIUI 9 was only announced recently and is set to start hitting the stable channel in Xiaomi’s home country tomorrow, though the worldwide rollout of its international version still doesn’t have a specific date attached to it.