Xiaomi Vulnerability: When Security Is Not What it Seems

Smartphones usually come with pre-installed apps, some of which are useful and some that never get used at all. What a user does not expect, however, is for a preinstalled app to be an actual liability to their privacy and security.

Check Point Research recently discovered a vulnerability in one of the preinstalled apps in one of the world’s biggest mobile vendors, Xiaomi, which, with almost 8% market share in 2018, ranks third in the mobile phone market. Ironically, it was the pre-installed security app, ‘Guard Provider’, which should protect the phone from malware, which exposes the user to an attack.

Briefly put, due to the unsecured nature of the network traffic to and from Guard Provider and the use of multiple SDKs within the same app, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack. Due to gaps in communication between the multiple SDKs, the attacker could then inject any rogue code he chooses such as password stealing, ransomware, tracking or any other kind of malware. For full technical details on how, please visit Check Point Research.

Like all pre-installed applications like Guard Provider, these kinds of apps are present on all mobile devices out-of-the-box and cannot be deleted. Check Point responsibly disclosed this vulnerability to Xiaomi, which released a patch shortly after.

Fig 1: Xiaomi’s preinstalled Security App, known as ‘Guard Provider’

 

The Pros and Cons of SDKs

A software development kit (SDK) is a set of programming tools to help developers create apps for a specific platform. In the case of mobile devices, mobile SDKs have definitely helped developers by removing the need to spend time writing code and developing back-end stability for functionalities unrelated to the core of their app.

Indeed, as more and more SDKs are developed, new capabilities and opportunities present themselves to app developers and ultimately add better functionality to their end users.

But when so much additional and external code is introduced, it becomes harder to ensure the app remains secure and is contained within best practices and functionality.

Known as ‘SDK Fatigue’, apps, however, become more prone to functionality problems as soon as more SDKs are implemented.

 

The hidden disadvantages in using several SDKs within the same app lie in the fact that they all share the app context and permissions, these main disadvantages are:

  1. A problem in one SDK would compromise the protection of all the others.
  2. The private storage data of one SDK cannot be isolated and can therefore be accessed by another SDK.

 

According to a recent report though, the use of multiple SDKs in a single app is far more common than one might think. On average a single app now has over 18 SDKs implemented within the same app. But by doing so, developers leave organizations and users exposed to potential pitfalls that can be exploited by threat actors to interfere with the regular operation of the device.

 

2 + 2 Does Not Always = 4

While an organization’s IT Security personnel are not expected to know the precise ins and outs of the SDKs used to build the apps that employees may be putting on to their devices, they should be aware that the way apps are built can carry their own hidden security risks. For while one may assume that elements used even within a security app would all be secure, as seen in the above vulnerability in Xiaomi’s pre-installed apps, this is far from the case.

Developers and corporations alike need to also be aware that having a secure element combined with another secure element within an app on their phone does not necessarily mean that when these two elements are implemented together that the device as a whole will remain secure.

The only defense against these types of hidden and obscure threats is to ensure your organization’s fleet of mobile devices are protected from potential Man-in-the-Middle attacks.

Check Point SandBlast Mobile would detect and prevent such attacks, thereby eliminating the potential threats caused by the use of multiple SDK usage within the same app.