Xiaomi devices have taken Asia by storm, providing fierce competition to established players such as Samsung (KRX: 005930). Recently Xiaomi has been under the microscope for security issues, as it has been alleged that these devices serve as a conduit that allows Chinese intelligence services to siphon user’s data. However a new report by security consultancy Bluebox Labs shows that the real threat might come from sloppy coding.
The device tested by Bluebox researchers was the Xiaomi Mi 4. Like many smartphones from Chinese vendors, it ships with a forked (non official) version of Android branded as MIUI. Forked versions of Android do not undergo the same security vetting procedures from Google (NASDAQ: GOOGL) as official versions do.
Being a forked version of Android means that Google services are not available on the device. For example, the phone ships with a Google Play alternative called Mi Market. However the researchers found that this version of Android appeared to be a combination of 4.4.4 and older versions. Doing a deep dive into the OS the researchers found some conflicts at the API level. The devices contains a mixture of API keys from Android 4.4 and Android 4.2 that are both test-keys (not for public use) and release-keys. As test-keys are not finalized they ship with more security bugs than their final counterparts. However the combination of both test and release keys could be incredibly problematic as bugs will no doubt arise just by combining the two.
Bluebox researchers did on the device was a scan for suspicious apps — malware, spyware or adware. They found three apps considered to be risky. The most problematic of which was an app called Yt Service as it disguises its developer package to make it look like it came from Google — which is not the case. Next up were apps called PhoneGuardService which was identified as a Trojan and AppStats which is classified as riskware.
Bluebox gives the device a low trustable score of 2.6. By virtue of the fact that it runs a forked version of Android, Xiaomi devices ship with security flaws that have been long ago patched by Google.
For its part Xiaomi has not responded to Bluebox’s attempts for responsible disclosure — approaching the vendor first before going public.
Bluebox told VR World that it did not accept outside funding for this study.
Update 4:50 China Standard Time:
Xiaomi sent in this response:
“We are investigating this matter now. There are glaring inaccuracies in the Bluebox blog post, as official Xiaomi devices do not come rooted and do not have any malware pre-installed. It is likely that the Mi 4 that Bluebox obtained has been tampered with.”