India-based security firm eScan Antivirus has allegedly discovered some major security flaws in Xiaomi's patented MIUI Android skin. Xiaomi faces a stern test, as the report claims that a major vulnerability is exposed by the Mi Mover app, which lets users transfer settings and other confidential data from any Android device to a Xiaomi phone.
According to Guiding Tech, the app reportedly overrides the system's sandbox protection, so it becomes mandatory to use a password, pattern lock or fingerprint authentication on your handset to prevent data theft by unauthorised persons who may access your phone in an unlocked state.
Another key vulnerability has been identified with device-administrator apps: uninstalling an anti-theft app does not prompt for the administrative password on the device. Additionally, there appear to be several other issues linked to the Work-Profile admin app, wherein the work-space profile does not differentiate itself from the personal version.
Here is what Xiaomi said in its recent statement:
Any perpetrator who gains physical access to an unlocked phone is capable of malicious activity and an unlocked phone is greatly at risk of user data being stolen.
This is why we at Xiaomi encourage our users to be more aware of guarding their private data using PIN, Pattern locks, or the onboard fingerprint sensor available on most of our smartphones. In fact, prompting users to enable fingerprint lock is a standard step when setting up a Xiaomi smartphone for first use.
Mi Mover is designed to be a convenient tool for our users to move their data from an old smartphone to a new phone. In order for Mi Mover to initiate this process, a password is required.
More importantly, in order to use Mi Mover, the smartphone has to be unlocked.
Thus, there are two layers of protection for the user – phone lock and a Mi Mover password that are necessary.
Although Xiaomi has advised users to secure their devices with a proper password, fingerprint or pattern lock, the company has not committed to addressing the problems. We can only hope that the MIUI 9 release will patch the existing security flaws in the Android skin.