MIUI security flaws allow uninstallation of security apps and easy copying of data
The fragmentation in Android and features such as side-loading have always made security a more contentious issue for Google's operating system. Unfortunately, sometimes weaknesses can come via the manufacturer, as is the case with MIUI after security company eScan released a report on their testing of Xiaomi phones.
There were two major issues among those found by eScan. The first was that the MIUI app uninstaller was able to bypass the admin password on security apps, allowing uninstallation by anyone with access to the phone. In contrast, other Android phones prompted for password authentication when trying to uninstall the same security applications.
The second was in the Mi Mover application, which is designed to allow easy transfer of "contacts, messages, photos, music, videos, documents, installed apps, and other data" from a previous phone to a new Xiaomi phone. On other Android phones, the transfer action would prompt for the user password or PIN before starting the transfer, whereas Mi Mover would happily start transferring data without the need for the password.
Xiaomi made a statement to Guiding Tech strongly disagreeing with the allegations made by eScan. They said that the Mi Mover app does ask for a password and that the uninstallation of admin apps (e.g. security apps) without password authentication isn't a problem when the phone is locked using PIN, pattern, password, or fingerprint security.
Guiding Tech tested the vulnerabilities themselves and found that, even when a pattern or fingerprint lock was set up, a phone in an unlocked state would allow the actions as reported by eScan.