MIUI security flaws allow uninstallation of security apps and easy copying of data

MIUI is compromising device security according to eScan. (Source: Xiaomi)
MIUI is compromising device security according to eScan. (Source: Xiaomi)
eScan, a software security company, has reported on a number of vulnerabilities in Xiaomi's MIUI. The two principal ones allow the uninstallation of security apps and the transferring of phone data without prompting for the user password. Xiaomi disputes the findings of the report, claiming that using a PIN, password, pattern, or fingerprint will avoid these problems.
Craig Ward,

The fragmentation in Android and features such as side-loading have always made security a more contentious issue for Google's operating system. Unfortunately, sometimes weaknesses can come via the manufacturer, as is the case with MIUI after security company eScan released a report on their testing of Xiaomi phones.

There were two major issues among those found by eScan. The first was the way that the MIUI app uninstaller was able to bypass the admin password on security apps allowing uninstallation by anyone with access to the phone. In contrast, the behavior on other android phones was to prompt for password authentication when trying to uninstall the same security applications.

The second was in the Mi Mover application, which is designed to allow easy transfer of "contacts, messages, photos, music, videos, documents, installed apps, and other data." from a previous phone to a new Xiaomi phone. On other Android phones, the transfer action would prompt for the user password or PIN before starting the transfer, where as with Mi Mover it would happily start transferring data without the need for the password.

Xiaomi made a statement to Guiding Tech strongly disagreeing with the allegations made by eScan. They said that the Mi Mover app does ask for a password and that the uninstallation of admin apps (e.g. security apps) without password authentication isn't a problem when the phone is locked using PIN, pattern, password, or fingerprint security.

Guiding Tech tested the vulnerabilities themselves, and found that even when the phone had a pattern or fingerprint lock a phone in an unlocked state would allow the actions as reported by eScan.


+ Show Press Release
Read all 1 comments / answer
static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Notebook / Laptop Reviews and News > News > News Archive > Newsarchive 2017 08 > MIUI security flaws allow uninstallation of security apps and easy copying of data
Craig Ward, 2017-08-12 (Update: 2017-08-12)
Craig Ward
Craig Ward - News Editor
I grew up in a family surrounded by technology, starting with my father loading up games for me on a Commodore 64, and later on a 486. In the late 90's and early 00's I started learning how to tinker with Windows, while also playing around with Linux distributions, both of which gave me an interest for learning how to make software do what you want it to do, and modifying settings that aren't normally user accessible. After this I started building my own computers, and tearing laptops apart, which gave me an insight into hardware and how it works in a complete system. Now keeping up with the latest in hardware and software news is a passion of mine.