Securing the Smartphone Experience: Xiaomi and Google Address Vulnerabilities
In the ever-evolving realm of mobile security, Oversecured, a vigilant sentinel in the app security landscape, has shed light on a series of vulnerabilities that once peppered the digital infrastructure of Xiaomi’s Android applications and the Android Open Source Project (AOSP) maintained by Google.
It was a year ago when Oversecured’s keen eyes caught twenty vulnerabilities within Xiaomi’s suite of applications. A Xiaomi spokesperson, in a conversation with The Register, assured that the company has since fortified its digital ramparts, stating, “Protecting the data security and privacy of our users is the top priority.” Xiaomi users were urged to keep their devices updated for optimal security.
Google’s AOSP, the blueprint of Android’s ecosystem, was not immune to scrutiny either. Six vulnerabilities, including two that were exclusive to Google’s Pixel devices, have been addressed, with Google swiftly applying the necessary patches.
Oversecured’s report, provided to The Register, detailed the vulnerabilities in Xiaomi’s ecosystem. These ranged from unauthorized access to system privileges, to the theft of files, and the exposure of sensitive user data. The issues were promptly reported to Xiaomi between April 25 and April 30 of the previous year, leading to subsequent fixes.
Many of the vulnerabilities stemmed from custom modifications to the AOSP code. For instance, Xiaomi’s System Tracing app was found to have a shell command injection vulnerability due to custom code that did not properly vet received values. Similarly, Xiaomi’s alterations to the Settings app resulted in the unintended disclosure of information about Wi-Fi and Bluetooth connections, as well as emergency contacts.
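To make the shell command injection pattern concrete, here is an added illustration of the vulnerability class and its fix. It is not Xiaomi's code and not taken from Oversecured's report; the tracing command line, the category names and the hypothetical `buildCommand*` helpers are all assumptions. The vulnerable variant splices a value received from another app (think of an Intent extra) into a string handed to `sh -c`; the hardened variant checks the value against an allowlist and passes it as a single argv element, so no shell ever interprets it.

```java
import java.io.IOException;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Illustrative example (not Xiaomi's code): a tracing helper that receives a
 * value from another app and turns it into a process invocation.
 */
public class TraceCommandExample {

    // Vulnerable pattern: the received value is concatenated into a command
    // string that is later handed to a shell. A value containing a separator
    // such as ';' makes the shell run a second, attacker-chosen command.
    static String buildCommandUnsafe(String receivedCategory) {
        // "atrace --async_start <category>" is an assumed command line
        return "atrace --async_start " + receivedCategory;
    }

    static void runUnsafe(String receivedCategory) throws IOException {
        new ProcessBuilder("sh", "-c", buildCommandUnsafe(receivedCategory)).start();
    }

    // Hardened pattern: accept only known category names, and never route the
    // value through a shell at all. Both the allowlist and the token pattern
    // are assumptions for this example.
    static final Set<String> ALLOWED_CATEGORIES = Set.of("gfx", "input", "view", "sched");
    static final Pattern SAFE_TOKEN = Pattern.compile("[a-z]{1,16}");

    static List<String> buildCommandSafe(String receivedCategory) {
        if (receivedCategory == null
                || !SAFE_TOKEN.matcher(receivedCategory).matches()
                || !ALLOWED_CATEGORIES.contains(receivedCategory)) {
            throw new IllegalArgumentException("rejected trace category: " + receivedCategory);
        }
        // argv list: each element is exactly one argument, no shell parsing
        return List.of("atrace", "--async_start", receivedCategory);
    }

    static void runSafe(String receivedCategory) throws IOException {
        new ProcessBuilder(buildCommandSafe(receivedCategory)).start();
    }

    public static void main(String[] args) {
        String hostile = "gfx; id";   // constructed sample input with a shell separator
        System.out.println(buildCommandUnsafe(hostile));  // a shell would see two commands
        System.out.println(buildCommandSafe("gfx"));      // [atrace, --async_start, gfx]
        try {
            buildCommandSafe(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point the article makes about "custom code that did not properly vet received values" is the second half of this: validation alone is fragile, so the hardened path also removes the shell from the call chain, which is what closes the injection even if a future category name slips past the allowlist.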
The list of affected Xiaomi apps is extensive, including Security, System Tracing, Settings, GetApps, and several others. These apps are integral to the Xiaomi user experience, and thus the prompt resolution of these issues was critical.
Google’s Pixel devices also faced their share of challenges. Modifications to the AOSP code led to vulnerabilities, such as undeclared permissions in the Pixel’s Settings app, which could have been exploited to alter VPN configurations. Sergey Toshin, CEO of Oversecured, highlighted the misconception of Android being entirely open source, noting that many vendors, including Google, modify the AOSP to suit their devices.
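As an added illustration of what an "undeclared permission" means in Android, here is a hypothetical manifest fragment, not Google's Settings manifest and not taken from the report; the package name, permission name and activity name are all assumptions. A component can be tagged with `android:permission`, but that only protects it if the permission is also defined with a `<permission>` element and a suitable `protectionLevel`; if the definition is missing, the name is just a string, and another package on the device can define that permission itself and then be granted it.

```xml
<!-- Added example (hypothetical package and names), not Google's manifest. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.settings">

    <!-- This element is what makes the permission real. With
         protectionLevel="signature", only apps signed with the same
         key as this one can hold it. Omit it and the activity below
         references a permission nobody has declared. -->
    <permission
        android:name="com.example.settings.permission.MODIFY_VPN"
        android:protectionLevel="signature" />

    <application>
        <!-- Exported so the system UI can reach it, but gated on the
             signature-level permission declared above. -->
        <activity
            android:name=".VpnConfigActivity"
            android:exported="true"
            android:permission="com.example.settings.permission.MODIFY_VPN" />
    </application>
</manifest>
```

When auditing a vendor build, a quick check is to list every `android:permission` attribute in a manifest and confirm each name has a matching `<permission>` declaration in that package or in the platform, with a protection level stronger than `normal`.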
The vulnerabilities identified in Google’s ecosystem included potential geolocation access through the camera, arbitrary file access via WebView, and a Settings app flaw that could allow bypassing VPNs for certain apps. While some were quickly remedied, others, like CVE-2023-20963, were exploited before a fix was implemented, prompting Oversecured to call for a more proactive approach to security from Google.
Google, in response, reaffirmed their commitment to user security and the importance of the security research community in safeguarding the Android ecosystem. They emphasized the complexity of the patching process, which involves development, testing, and ensuring compatibility across various devices without introducing new issues.
Editor’s note: Oversecured’s full report is available, though references to Google have been omitted pending the resolution of an outstanding bug.