It’s Xiaomi’s turn on the privacy spotlight.
According to a report from cyber security firm eScan, Xiaomi’s homebrew firmware, MIUI, has some serious security flaws. eScan published their findings earlier this month, listing a number of the MIUI’s vulnerabilities that they believe can be taken advantage of seasoned and newbie hackers alike.
One weakness involves the Mi-Mover app, which allows app and settings transfer from an Android 4.2 device or higher to any Xiaomi handset. The issue arises when both devices are running MIUI. In these situations, the Mi-Mover app copies all system data to the target phone, including confidential information (such as saved payment details) supposed to be protected by Android’s built-in safeguards. A hacker who has access to an MIUI-running smartphone can use this vulnerability to easily scrape off private information from an MIUI handset.
Another problem eScan uncovered was in how MIUI handles device-administrator apps. Security and anti-theft apps like Android Device Manager rely on Android’s administrator permissions to wipe devices. Uninstalling these apps normally requires the user’s password, but in an MIUI phone, the password prompt doesn’t show up.
Xiaomi has released a statement replying to eScan’s report, advising users to always lock their devices:
Escan earlier today shared a report which lists downs few concerns in MIUI. We strongly disagree with the allegations made by Escan in their report. As a global Internet company, Xiaomi takes all possible steps to ensure our devices and services adhere to our privacy policy.
Any perpetrator who gains physical access to an unlocked phone is capable of malicious activity and an unlocked phone is greatly at risk of user data being stolen.
This is why, we at Xiaomi encourage our users to be more aware of guarding their private data using PIN, Pattern locks, or the onboard fingerprint sensor available on most of our smartphones. In fact, prompting users to enable fingerprint lock is a standard step when setting up a Xiaomi smartphone for first use.
Mi Mover is designed to be a convenient tool for our users to move their data from an old smartphone to a new phone. In order for Mi Mover to initiate this process, a password is required.
More importantly, in order to use Mi Mover, the smartphone has to be unlocked.
Thus, there are two layers of protection for the user – phone lock and a Mi Mover password that are necessary.
