Guard Provider, a cybersecurity app Xiaomi pre-installs on the vast majority of its contemporary Android smartphones, is an inherently flawed piece of software that compromised millions of users around the world, threat research company Check Point reports.
The Android app designed to guard against malware — identified by package name com.miui.guardprovider — cannot be removed from the firm’s devices without root, meaning the vast majority of people who end up with Xiaomi handsets (or the rare tablet) are stuck with it from day one. The last several Android versions do allow for such pre-installed apps to be disabled which in practice is as good as uninstalling them, except without the added benefit of some extra space on one’s device.
The app in question is the root of the vulnerability discovered by Check Point Research; the unsecured network traffic involving the app both in the role of a sender and recipient allows for a malicious actor to inject code into its packets, hence carrying out conventional Man-in-the-Middle attacks. Doing so could be as simple as receiving access to the same Wi-Fi network, hence being able to monitor its traffic and discern patterns associated with Guard Provider that could be used for compromising its data and consequently the user device as a whole, the cybersecurity company discovered.
The said vector could potentially allow for the app’s anti-malware mechanism to be disabled or even turned into malware such as ransomware itself.
Xiaomi is estimated to be holding around eight percentage points of the global handset market, with virtually every industry tracker assessing the firm is the fourth largest handset vendor on the planet, only behind Samsung, Huawei, and Apple, in that order. Several research pieces published earlier this year, including one from well-respected analyst company IDC, suggest Xiaomi shipped over 122 million Android smartphones in 2018 alone, thus improving its 2017 performance by about a third.
That info by itself implies tens of millions of users have been in danger of being compromised by attackers taking advantage of Xiaomi’s mistakes in Guard Provider development. A gaffe of this scope is more than a blip on anyone’s record, though Xiaomi appears to be laying low now, even though it was well-aware of Check Point Research’s plans to disclose the vulnerability after it has been patched, as is in line with the company’s existing practices.
To Xiaomi’s credit, the cybersecurity experts at Check Point say it reacted to the private vulnerability disclosure in a relatively swift manner but encrypting app traffic is hardly high-end anti-hacker magic. On the contrary, it’s common sense in 2019, or should be, at least.
This very same case also serves as an example of a clear-cut argument against using multiple SDKs in a single app; more complex systems may be more difficult to reverse-engineer but a larger number of moving components also equates to more potential attack vectors being discovered further down the road. In the grand scheme of things, that’s not a numbers game any manufacturer should want to be playing – vulnerabilities always emerge, so one would at least want to keep their potential area of operations limited, so to speak.