How Xiaomi installs apps without telling you
Computer scientist Thijs Broenink found out that smartphone maker Xiaomi can silently install apps on its phones
A lot of invisible things happen on our smartphones. But somewhere, someone cares enough to probe deeper.
Security blog The Hacker News reported how computer scientist Thijs Broenink found out that smartphone maker Xiaomi can silently install apps on its phones without user interaction.
He discovered a pre-installed app, called AnalyticsCore.apk, which gets updates in the background and reappears after you delete it.
The app checks for new updates once a day. “While making these requests, the app sends device identification information with it, including phone’s IMEI, Model, MAC address, Nonce, Package name as well as signature,” the article reports.
PTA bans sale of China's Xiaomi smartphones in Pakistan
Thijs questions if this process is secure. He claims no validation took place to ensure the correct app was installed, and that the app updates happened over a non-secure HTTP connection.
As a result, Thijs posits that the process exposes users to malicious and invisible app installs, either from Xiaomi or other sources, as well as man-in-the-middle attacks.
Xiaomi has responded to these claims. “AnalyticsCore is a built-in MIUI system component that is used by MIUI components for the purpose of data analysis to help improve user experience, such as MIUI Error Analytics,” a spokesperson tells Tech in Asia. MIUI is the customized version of Android used in all Xiaomi phones.
Xiaomi added that the self-upgrade feature was meant to ensure a “better user experience.”
In addition, “as a security measure, MIUI checks the signature of the Analytics APK file during installation or upgrade to ensure that only the APK file with the official and correct signature will be installed.”
Xiaomi clarifies not banned by PTA, sets to launch smartphones soon
Because of that, it’s unlikely other apps can be installed on the phone through that method.
Addressing the HTTP connection issue, Xiaomi says that the more secure HTTPS connection has been enabled since April with MIUI version 7.3.
However, this would mean a loophole existed before that.
Anyway, it’s possible Xiaomi isn’t the only Android maker that installs apps for diagnostic or data collection purposes this way.
Android users who want to reject these invisible connections can use a firewall app.
This article originally appeared on Tech in Asia.
Security blog The Hacker News reported how computer scientist Thijs Broenink found out that smartphone maker Xiaomi can silently install apps on its phones without user interaction.
He discovered a pre-installed app, called AnalyticsCore.apk, which gets updates in the background and reappears after you delete it.
The app checks for new updates once a day. “While making these requests, the app sends device identification information with it, including phone’s IMEI, Model, MAC address, Nonce, Package name as well as signature,” the article reports.
PTA bans sale of China's Xiaomi smartphones in Pakistan
Thijs questions if this process is secure. He claims no validation took place to ensure the correct app was installed, and that the app updates happened over a non-secure HTTP connection.
As a result, Thijs posits that the process exposes users to malicious and invisible app installs, either from Xiaomi or other sources, as well as man-in-the-middle attacks.
Xiaomi has responded to these claims. “AnalyticsCore is a built-in MIUI system component that is used by MIUI components for the purpose of data analysis to help improve user experience, such as MIUI Error Analytics,” a spokesperson tells Tech in Asia. MIUI is the customized version of Android used in all Xiaomi phones.
Xiaomi added that the self-upgrade feature was meant to ensure a “better user experience.”
In addition, “as a security measure, MIUI checks the signature of the Analytics APK file during installation or upgrade to ensure that only the APK file with the official and correct signature will be installed.”
Xiaomi clarifies not banned by PTA, sets to launch smartphones soon
Because of that, it’s unlikely other apps can be installed on the phone through that method.
Addressing the HTTP connection issue, Xiaomi says that the more secure HTTPS connection has been enabled since April with MIUI version 7.3.
However, this would mean a loophole existed before that.
Anyway, it’s possible Xiaomi isn’t the only Android maker that installs apps for diagnostic or data collection purposes this way.
Android users who want to reject these invisible connections can use a firewall app.
This article originally appeared on Tech in Asia.