Security solutions company eScan on Thursday in a 36-page report alleged that Xiaomi’s MIUI custom Android ROM has multiple flaws that affected the security of user data. Xiaomi system apps such as the uninstall mechanism and Mi Mover were some of the flawed aspects of MIUI, the report stated. The Chinese smartphone company has refuted the allegations however, in a statement to Gadgets 360.
A Xiaomi spokesperson in an emailed statement told Gadgets 360 that all of eScan’s data security concerns are valid only if a perpetrator gains physical access to an unlocked smartphone. Such a scenario already places user data at great risk, and Xiaomi also pointed to the addition of login layers that have been introduced in the user data migration app Mi Mover, as well as its recommendations for users to utilise a lockscreen security feature such as PINs, pattern locks, and the fingerprint sensor.
In its report, eScan claims “Xiaomi’s system apps have unknowingly introduced multiple flaws into the functional working of most of the apps. The functional aspects of Anti-Theft security apps and Android for Work apps are affected by the uninstall procedure implemented by Xiaomi. Furthermore, the MI-Mover app which assists in user data migration also poses significant threats to the installed apps. Although, Xiaomi alone cannot be held responsible; the app developers are also equally responsible for not taking into consideration that there existed a huge possibility of their application’s app-system-data getting cloned/ copied. This particular use-case existed since the day devices started getting rooted and app-system-storage was compromised. It’s surprising that app developers never realized that the data which they are storing on app-system-storage is vulnerable on rooted phones. Although Xiaomi’s MI Mover allows the users to copy all their data, it goes one step ahead and copies from the app-system-storage areas too.”
The eScan report claims that the “uninstallation procedure implemented by Security Apps is adversely affected on Xiaomi Devices,” and “apps based on the guidelines provided for implementing Android for Works are affected by the improper implementation of uninstallation procedure implemented on Xiaomi devices.”
eScan admits that physical access of an unlocked device is required for its concerns to apply, but then asks what precautions do Xiaomi device users have to take into consideration when handing their devices over to service centre employees, and with anti-theft security mechanisms affected, questions how Xiaomi users would ensure their device doesn’t get stolen.
[ Source : ndtv ]