Android being an open source software means that various smartphone OEM’s like Samsung, HTC, LG and many more can alter bits of the code to fit their individual platforms. While Google does its best to secure the Android operating system at its base, but due to the OEMs often adding multiple layers of their own code on top of stock Android. Some companies like Samsung and LG do provide their own security patches to secure their ROM, these updates are not as frequent as the ones pushed out by Google. A few researchers from the security company eScan tested out Xiaomi devices running MIUI to test just how secure the OS was. The researchers after testing out the devices stated that the ROM contains various security flaws.
The researchers pointed out 5 major flaws that they found in the MIUI ROM.
The Mi-mover app can override the sandbox application
Sandbox is a security mechanism which runs unsecure programs in a separate environment than the operating system, thus providing a layer of security to the device. If any app is able to override the sandbox, it can be a huge threat for the device.
Any app with administrator rights even after being uninstalled will retain administrator rights
Xiaomi doesn’t revoke the administrator rights of an app which were given by the user even after being uninstalled, which can be a huge threat to the device as it can be still remotely accessed from the app server.
Xiaomi has hidden the work-profile admin app under MIUI devices
Other manufacturers remove this profile completely because if this was to fall in the wrong hands, all the user data on the phone could easily be compromised.
The device can be cloned very easily even without rooting it
With the help of the Mi-mover app, the whole device can be cloned easily within a matter of minutes. Which could be a huge security threat for the Xiaomi smartphone users.
The personal and work profiles look extremely similar
Both, the work and personal profiles have a similar look making it a bit difficult for the user to know which profile is he/she currently operating.
Xiaomi responded to eScan’s report highlighting the major flaws in Xiaomi’s MIUI with in a statement reproduced in whole below.
Any perpetrator who gains physical access to an unlocked phone is capable of malicious activity and an unlocked phone is greatly at risk of user data being stolen.
This is why, we at Xiaomi encourage our users to be more aware of guarding their private data using PIN, Pattern locks, or the onboard fingerprint sensor available on most of our smartphones. In fact, prompting users to enable fingerprint lock is a standard step when setting up a Xiaomi smartphone for first use.
Mi Mover is designed to be a convenient tool for our users to move their data from an old smartphone to a new phone. In order for Mi Mover to initiate this process, a password is required.
More importantly, in order to use Mi Mover, the smartphone has to be unlocked.
Thus, there are two layers of protection for the user – phone lock and a Mi Mover password that are necessary.