Smartphone security has become one of the features we all look at when buying that shiny new device; be it excellent biometrics or in some cases on-device encryption software like Samsung Knox. However, when buying the said device, moving all your data to it can be quite a chore for some. Companies like Xiaomi and Samsung offerapplications like Smart Switch and Mi Mover to make the transition easier.
However, a recent security analysis of the aforementioned Mi Mover application found that it presented several security flaws that could lead to your device being ‘cloned’ without requiring any security inputs. Research firm Escan ran several tests on devices from the smartphone maker, where a security application called Cerberus Anti-Theft was installed. Normally, when trying to copy or uninstall the said app, it requires you to authenticate yourself through biometrics or password and asks for the security code which was set within the application. However, in the Xiaomi devices, the app simply uninstalled, bypassing all security measures.
Beyond this, Escan found several other vulnerabilities within MIUI; the Android front-end software from Xiaomi, including:
- MI-Mover App overrides the application sandbox of the Android OS
- Any device-administrator app can be uninstalled without revoking its device-admin rights
- Xiaomi with MI-Mover can be cloned in few minutes without needing to root the device
- MIUI devices rather than deleting, hides the Work-Profile Admin app
- Workspace profiles cannot be differentiated from the personal profile posing a serious challenge from the security point of view in Enterprise Mobility Management
These vulnerabilities were confirmed by GuidingTech, who contacted the Chinese smartphone giant asking for comment. However, the company remained adamant that these could all be avoided if the user secured the device with biometrics or PIN in its official response. However, this does not address the fact that Android security protocols including 2FA and others have been put in place regardless of the device being secured by a password.
In a world where malware and phishing attacks have become commonplace, it is quite strange that the company would overlook such a fundamental security flaw.