Xiaomi Smartphones were found to have multiple vulnerabilities in their system components and applications.
Oversecured, a security research firm, made the revelation.
It began its research in 2023 and found more than 20 existing loopholes that could have allowed malicious attackers to gain easy access.
Furthermore, it reported the findings to Xiaomi from April 25 to April 30, 2023, but not all of them have been fixed.
According to this report, the Xiaomi team’s oversight granted access to “arbitrary activities, receivers, and services with system privileges, theft of arbitrary files with system privileges, disclosure of phone, settings, and Xiaomi account data, and other vulnerabilities.”
Reasons for the Security Shortcomings
Each OEM, including Xiaomi, relies on Google’s AOSP codebase to create its apps and services for the device.
However, these modifications weren’t thoroughly checked for loopholes, exposing the device to security mishaps.
Most of the discovered apps come from the AOSP, and Xiaomi’s “feature improvements” have apparently improved the user experience, but at a grave cost.
Affected Apps by the Vulnerability
The list of affected apps is long and includes all the commonly used apps like
- Gallery (com.android.printspooler)
- Print Spooler (com.android.printspooler)
- Security (com.miui.securitycenter)
- Security Core Component (com.miui.securitycore)
- Settings (com.android.settings)
- GetApps (com.xiaomi.mipicks)
- Mi Video (com.miui.videoplayer)
- MIUI Bluetooth (com.xiaomi.bluetooth)
- Phone Services (com.android.phone)
- ShareMe (com.xiaomi.midrop)
- System Tracing (com.android.traceur)
- Xiaomi Cloud (com.miui.cloudservice)
The Settings apps contained four vulnerabilities that allowed attackers to bind services to any app and read Wi-Fi and Bluetooth data, system files, Xiaomi account details, and phone numbers.
GetApps, an App Store-like service, also had four major security flaws that could lead to memory corruption and expose sensitive data, such as Xiaomi session tokens.
Oversecured mentioned that Xiaomi hasn’t fixed this flaw, which is bad news for the existing users.
These findings are more than a year old and raise concerns about the effort OEMs like Xiaomi put into securing their devices.
Update Your Phone
After all, these are system apps found in all phones (including premium phones like Xiaomi 14 Ultra), making it difficult to trust the brand with personal data.
Xiaomi hasn’t commented on this recent report.
If you use a Xiaomi phone, install all the recently published system updates, which might contain patches for some (or all) of these vulnerabilities.
