A vulnerability in Guard Provider, a pre-installed app on mobile devices made by Xiaomi, allowed unsecured network traffic in both directions and could have allowed a threat actor to connect to the same Wi-Fi network and carry out a man-in-the-middle attack, the security firm Check Point says.
In a blog post, Check Point researcher Slava Makkaveev said the attacker could then use a third-party SDK update to disable malware protections and inject any rogue data to steal data, implant ransomware or tracking code. Other malware could also be installed.
Guard Provider is available on all mainstream Xiaomi phones and uses several third-party software development kits as party of the security service it offers. There are three anti-virus brands from among which the user can use: Avast, AVL and Tencent.
Makkaveev said there were disadvantages in using several SDKs within the same app. "Because they all share the app context and permissions, a problem in one SDK would compromise the protection of all the others and the private storage data of one SDK cannot be isolated and can therefore be accessed by another SDK," he noted.
It was natural that users would trust preinstalled apps, especially when those apps were claimed to protect the device, Makkaveev said. But the case of Guard Provider raised the question of who was guarding the guardian.
"And although the guardian should not necessarily need guarding, clearly when it comes to how apps are developed, even those built in by the smartphone vendor, one cannot be too careful," he said.
This attack scenario also illustrated the dangers of using multiple SDKs in one app. "While minor bugs in each individual SDK can be often be a standalone issue, when multiple SDKs are implemented within the same app it is likely that even more critical vulnerabilities will not be far off," Makkaveev said.
INTRODUCING ITWIRE TV
iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.
We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.
In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.
We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.
See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.
SEE WHAT'S ON ITWIRE TV NOW!
