
Xiaomi's Security App Puts Millions of Users at Risk



Xiaomi is estimated to hold around eight percentage points of the global handset market, and virtually every industry tracker rates the firm as the fourth largest handset vendor on the planet, behind only Samsung, Huawei, and Apple, in that order. A security flaw in one of its pre-installed apps therefore puts millions of users at risk.

Check Point researchers found that Xiaomi's security app, which comes pre-installed straight from the factory in order to protect users from malware, was actually leaving the door wide open to threat actors thanks to an "SDK fatigue" vulnerability. Software Development Kits (SDKs) are part and parcel of the application creation ecosystem; the trouble is that a single app can make use of so many of them that it exposes the app, and therefore its users, to a wider range of potential security issues. Android apps have been reported to use an average of 18.3 SDKs each. This particular vulnerability is of the Man-in-the-Middle (MitM) variety: it was possible for an attacker to inject rogue code into the SDKs used, in order to steal passwords or distribute ransomware, for example. Because the communication between the various SDKs used by the app was not secured, an attacker connected to the same public Wi-Fi network could gain access to the phone and launch an attack.
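The root cause described above is SDK traffic leaving the device without protection, so that anyone on the same Wi-Fi network can read or alter it. The defensive check an app team would run is to compare the endpoints its bundled SDKs talk to against the app's Android Network Security Config and list every request that would still go out in cleartext. The script below is an added example written for this page; it is not Check Point's or Xiaomi's code, the config and the SDK hostnames are constructed, and it implements a simplified version of Android's config semantics (base-config default, domain-config overrides, includeSubdomains; nested domain-config and pin-set are ignored).

```python
"""Audit SDK endpoints against an Android Network Security Config.

Added example with constructed data; not the vendor's or Check Point's code.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample config: cleartext blocked globally, but one legacy SDK
# domain has been opted back in. Hypothetical hosts throughout.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false" />
    <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">legacy-sdk.example</domain>
    </domain-config>
</network-security-config>"""

# Constructed sample of endpoints that bundled SDKs call (hypothetical hosts).
SAMPLE_ENDPOINTS = [
    "https://updates.example/check",
    "http://ads.legacy-sdk.example/config",
    "http://telemetry.example/v1/report",
    "https://cdn.legacy-sdk.example/bundle.js",
]


def parse_config(xml_text, target_sdk=28):
    """Return (base_cleartext_allowed, [(domain, include_subdomains, allowed), ...]).

    Android's default when no base-config is given: cleartext is allowed for
    targetSdkVersion below 28 and blocked from 28 onwards.
    """
    root = ET.fromstring(xml_text)
    base_allowed = target_sdk < 28
    base = root.find("base-config")
    if base is not None and base.get("cleartextTrafficPermitted") is not None:
        base_allowed = base.get("cleartextTrafficPermitted").lower() == "true"
    domain_rules = []
    for dc in root.findall("domain-config"):
        attr = dc.get("cleartextTrafficPermitted")
        allowed = base_allowed if attr is None else attr.lower() == "true"
        for d in dc.findall("domain"):
            sub = d.get("includeSubdomains", "false").lower() == "true"
            domain_rules.append((d.text.strip(), sub, allowed))
    return base_allowed, domain_rules


def cleartext_permitted(host, base_allowed, domain_rules):
    """Most specific matching domain rule wins; otherwise the base config applies."""
    best = None
    for domain, sub, allowed in domain_rules:
        if host == domain or (sub and host.endswith("." + domain)):
            if best is None or len(domain) > len(best[0]):
                best = (domain, allowed)
    return best[1] if best else base_allowed


def audit(endpoints, xml_text, target_sdk=28):
    """Return the URLs that the app would actually send unencrypted.

    An http:// URL blocked by the config is not exposed (Android refuses the
    request, so that SDK breaks loudly instead of leaking silently).
    """
    base_allowed, rules = parse_config(xml_text, target_sdk)
    exposed = []
    for url in endpoints:
        u = urlparse(url)
        if u.scheme == "http" and cleartext_permitted(u.hostname, base_allowed, rules):
            exposed.append(url)
    return exposed


if __name__ == "__main__":
    for url in audit(SAMPLE_ENDPOINTS, SAMPLE_CONFIG):
        print("cleartext SDK traffic, MitM-exposed on shared Wi-Fi:", url)
```

With the sample config only the opted-in legacy domain is reported; the same endpoint list audited against an empty config with a pre-28 target SDK reports every http:// URL, which is exactly the situation in which an on-path attacker on public Wi-Fi can tamper with what an SDK downloads.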

Check Point researchers warn that, “like all pre-installed applications”, security apps such as Guard Provider are present “out-of-the-box and cannot be deleted.” Check Point responsibly disclosed the findings of its research to Xiaomi before publishing the vulnerability report.

The good news is that a patch has therefore already been issued. Since the Guard Provider app involved cannot be deleted, you should make sure your software is up to date and all security patches have been applied. Andrew van der Stock, senior principal consultant at Synopsys, says “phone manufacturers and software providers have a special responsibility to employ security reviews, supply chain security management, and ensure that any such applications that cannot be removed from the phone are truly safe.”

