When you buy a new mobile device that comes with apps already pre-installed, you’re effectively forced to trust that whoever pre-loaded them (the device maker or the reseller) is not up to anything shady, or to try to remove them (sometimes you can’t).
Or, if you’re a computer science student with an interest in cybersecurity like Thijs Broenink, you can reverse-engineer pre-loaded apps and discover for yourself what they do.
In his case, he wanted to know what the AnalyticsCore app (AnalyticsCore.apk) on his Xiaomi Mi4 does, as there was no information about it online.
What Broenink found
He dug into the code and discovered that the app sends device information – IMEI, MAC address, model, nonce, package name and signature – to Xiaomi, and checks for updates every 24 hours. If an update is available, it downloads it from Xiaomi’s server and installs it.
Broenink couldn’t find proof that the update is validated before being installed (i.e. is it really an analytics app? Does it really come from Xiaomi?), and posited that an attacker with access to the company’s server could, in theory, swap the update for a malicious app and get it installed on all devices.
The fact that the update is downloaded over plain HTTP also means that it could be intercepted and tampered with in transit to achieve the same purpose.
This setup also means that Xiaomi “can replace any (signed?) package they want silently on your device within 24 hours,” Broenink noted, effectively giving the company the ability to tamper with every device it sells.
A Xiaomi spokesperson told The Hacker News that a successful attack on the “self-upgrade” feature by a random attacker is impossible, as MIUI (Xiaomi’s Android firmware for mobile devices) checks the signature of the Analytics.apk app during installation and will not install any app that has not been signed by Xiaomi.
“Starting from MIUI V7.3 released in April/May, HTTPS was enabled to further secure data transfer, to prevent any man-in-the-middle attacks,” the spokesperson said, but did not address the issue of the company itself being able to load any app onto the devices through this feature, without the user being any the wiser.
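What an update client that closes all of the gaps discussed above would look like, as an added example that is not AnalyticsCore’s or MIUI’s code: it refuses plain-HTTP download URLs (the interception problem), verifies a signed update manifest (the “does it really come from Xiaomi?” problem), checks the downloaded payload against the digest in that manifest (the tampered-or-swapped payload problem), and only ever replaces its own package, so that neither a man-in-the-middle, nor a compromised download server, nor the vendor through this channel can install an arbitrary app. The manifest format, package names, URLs and sample bytes are constructed for illustration; the HMAC-based signature is a stand-in for the vendor’s real asymmetric signature (on Android, the APK signature checked against the installed app’s signing certificate) so that the example runs with the standard library alone.

```python
"""Hardened self-update check, modelled on the AnalyticsCore flow.

Added example, not Xiaomi's code. Manifest layout, names, URLs and the
HMAC signature stand-in are assumptions made for illustration only.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# The one package this updater is allowed to replace (hypothetical name).
OWN_PACKAGE = "com.example.analyticscore"
INSTALLED_VERSION = 7

# Stand-in for the vendor's signing key. A real client would hold only a
# public key; HMAC is used here so the example needs no third-party crypto.
VENDOR_KEY = b"vendor-signing-key-stand-in"
ATTACKER_KEY = b"attacker-does-not-have-vendor-key"


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    """Server side: MAC over a canonical JSON encoding of the manifest."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def check_update(manifest: dict, sig: str, payload: bytes) -> tuple:
    """Client side. Returns (accepted, reason); every check must pass."""
    # 1. Never fetch over plain HTTP: the body could be rewritten in transit.
    if urlparse(manifest.get("url", "")).scheme != "https":
        return False, "refusing non-HTTPS download URL"
    # 2. The manifest must carry a valid vendor signature (constant-time compare).
    if not hmac.compare_digest(sign_manifest(manifest), sig):
        return False, "manifest signature mismatch"
    # 3. Only our own package may be replaced, even by a correctly signed manifest.
    if manifest.get("package") != OWN_PACKAGE:
        return False, "manifest targets a different package"
    # 4. Anti-rollback: never "update" to an equal or older version.
    if manifest.get("version", 0) <= INSTALLED_VERSION:
        return False, "version is not newer than installed"
    # 5. The bytes actually downloaded must match the signed digest.
    if hashlib.sha256(payload).hexdigest() != manifest.get("sha256"):
        return False, "payload digest mismatch (tampered or swapped)"
    return True, "update accepted"


# Constructed sample update (not a real APK).
GOOD_PAYLOAD = b"PK\x03\x04 fake AnalyticsCore v8 apk bytes"
GOOD_MANIFEST = {
    "package": OWN_PACKAGE,
    "version": 8,
    "url": "https://update.example.com/AnalyticsCore.apk",
    "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest(),
}
GOOD_SIG = sign_manifest(GOOD_MANIFEST)
EVIL_PAYLOAD = b"PK\x03\x04 malicious apk bytes"


def scenario_legitimate():
    """Genuine vendor update: every check passes."""
    return check_update(GOOD_MANIFEST, GOOD_SIG, GOOD_PAYLOAD)


def scenario_mitm_payload():
    """On-path attacker swaps the body; the signed digest no longer matches."""
    return check_update(GOOD_MANIFEST, GOOD_SIG, EVIL_PAYLOAD)


def scenario_compromised_server():
    """Attacker on the update server rewrites the manifest but lacks the key."""
    evil = dict(GOOD_MANIFEST, sha256=hashlib.sha256(EVIL_PAYLOAD).hexdigest())
    return check_update(evil, sign_manifest(evil, ATTACKER_KEY), EVIL_PAYLOAD)


def scenario_vendor_pushes_other_package():
    """Correctly signed by the vendor, but aimed at a different package."""
    other = dict(GOOD_MANIFEST, package="com.example.banking",
                 sha256=hashlib.sha256(EVIL_PAYLOAD).hexdigest())
    return check_update(other, sign_manifest(other), EVIL_PAYLOAD)


def scenario_plain_http():
    """Vendor-signed manifest that still points at an http:// URL."""
    http = dict(GOOD_MANIFEST, url="http://update.example.com/AnalyticsCore.apk")
    return check_update(http, sign_manifest(http), GOOD_PAYLOAD)


if __name__ == "__main__":
    for fn in (scenario_legitimate, scenario_mitm_payload, scenario_compromised_server,
               scenario_vendor_pushes_other_package, scenario_plain_http):
        print(f"{fn.__name__}: {fn()}")
```

The order of the checks matters: the URL scheme and manifest signature are verified before any bytes are trusted, and the package-name pin runs even when the signature is valid, which is the check Xiaomi’s response does not mention and the one that stops a signed-but-unrelated package from being installed through the analytics app’s own channel.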
A discussion on a Xiaomi forum reveals that users have managed to delete the AnalyticsCore app from the device, but that it reappears on the device after a while.
Broenink advised users who don’t want to be at the mercy of the company to block the device from reaching Xiaomi’s servers. This, he noted, can be done with an ad-blocking app that has root access, which allows the web servers in question to be blacklisted.
Xiaomi is a privately owned Chinese electronics company and the fourth largest smartphone maker in the world.