Vulnerability found in Guard Provider, Xiaomi’s pre-installed security app
Check Point Research discovered a vulnerability in one of the preinstalled apps on devices manufactured by one of the world’s biggest mobile vendors, Xiaomi.
The vulnerability would have allowed an attacker to carry out a Man-in-the-Middle (MiTM) attack and inject any rogue code of their choosing, such as password stealers, ransomware, tracking software or any other kind of malware, onto the device.
The vulnerability is in the pre-installed security app, Guard Provider, which should protect the phone from malware. Guard Provider uses several third-party Software Development Kits (SDKs), covering various types of device protection, clearing and boosting. It includes three different built-in antivirus brands that the user can choose from to protect their phone: Avast, AVL and Tencent.
However, due to the unsecured nature of the network traffic to and from the Guard Provider app, and the use of multiple SDKs within the same app, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack against the device. Due to gaps in communication and functional loopholes between the multiple SDKs, the attacker could then inject malicious code onto the phone.
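The paragraph above describes the two ingredients of the attack: unsecured transport, so a device on the same Wi-Fi can rewrite what the app receives, and the app then acting on the rewritten bytes. The example below is an added illustration by the editor, not code from Check Point Research, Xiaomi or any of the SDK vendors, and it does not reproduce the Guard Provider flaw. It assumes a hypothetical app that downloads components at runtime (`fetch_component` stands in for the network call, with a `tampered_names` switch that simulates the MiTM outcome) and shows the defensive check a practitioner would want in addition to TLS: every fetched component is compared against a digest pinned inside the app package before it is used, so a payload altered in transit is rejected while untouched components still load. The component names and contents are constructed sample data.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample data (not from the report): three components an app
# might fetch at runtime, and a manifest of their genuine SHA-256 digests.
# The manifest ships inside the app package; it is never fetched over the
# same channel as the components it vouches for.
GENUINE_COMPONENTS: Dict[str, bytes] = {
    "engine_a": b"component engine_a v1: signature database",
    "engine_b": b"component engine_b v1: scanning rules",
    "engine_c": b"component engine_c v1: cleaner module",
}
PINNED_MANIFEST: Dict[str, str] = {
    name: hashlib.sha256(blob).hexdigest()
    for name, blob in GENUINE_COMPONENTS.items()
}


class IntegrityError(Exception):
    """A fetched component does not match the digest pinned for it."""


def fetch_component(name: str, tampered_names: Tuple[str, ...] = ()) -> bytes:
    """Stand-in for the download step (hypothetical helper).

    When the transport is cleartext HTTP, a host on the same Wi-Fi can
    rewrite the response body in transit; listing a name in
    `tampered_names` simulates that outcome so the check can be exercised.
    """
    blob = GENUINE_COMPONENTS[name]
    if name in tampered_names:
        return blob + b" + bytes altered in transit"
    return blob


def verify_component(name: str, payload: bytes) -> bytes:
    """Return the payload only if its SHA-256 matches the pinned digest."""
    expected = PINNED_MANIFEST.get(name)
    if expected is None:
        # Unknown component: nothing vouches for it, so refuse to load it.
        raise IntegrityError(f"{name}: no pinned digest")
    actual = hashlib.sha256(payload).hexdigest()
    # compare_digest is the idiomatic fixed-length comparison; the digest is
    # not secret, but it avoids writing an ad-hoc string compare.
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"{name}: digest mismatch")
    return payload


def load_all(tampered_names: Tuple[str, ...] = ()) -> Dict[str, str]:
    """Fetch and verify every component in the manifest.

    One rejected component does not change the decision for the others,
    and a rejected payload is never handed to the code that would use it.
    Returns a per-component status of "loaded" or "rejected".
    """
    status: Dict[str, str] = {}
    for name in PINNED_MANIFEST:
        try:
            verify_component(name, fetch_component(name, tampered_names))
            status[name] = "loaded"
        except IntegrityError:
            status[name] = "rejected"
    return status


if __name__ == "__main__":
    # Simulate one component being altered on the way to the device.
    for name, result in load_all(tampered_names=("engine_b",)).items():
        print(f"{name}: {result}")
```

The digest check is a second layer, not a replacement for an encrypted and authenticated channel: on its own it cannot stop an attacker from blocking updates or replaying an older, still-valid component, which is why the pinned manifest has to be versioned and the transport still has to be TLS with proper certificate validation.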
Like all pre-installed applications, these kinds of apps are present on all mobile devices out-of-the-box and cannot be deleted. Check Point responsibly disclosed this vulnerability to Xiaomi, which released a patch shortly after.
The pros and cons of SDKs
A software development kit (SDK) is a set of programming tools to help developers create apps for a specific platform. On mobile devices, mobile SDKs have helped developers by removing the need to spend time writing code and developing back-end stability for functionalities unrelated to the core of their app.
But as more and more third party code is added to the app, protecting user data and controlling performance gets much more complicated. Known as ‘SDK Fatigue’, increased use of multiple SDKs in the same app makes it more susceptible to problems such as crashes, malware, privacy breaches, battery drain, slowdown, and many other problems.
The hidden disadvantages of using several SDKs within the same app come from the fact that they all share the app's context and permissions. The main disadvantages are:
1. A problem in one SDK would compromise the protection of all the others.
2. The private storage data of one SDK cannot be isolated and can therefore be accessed by another SDK.
On average, a single app now embeds more than 18 SDKs. By doing so, developers leave organizations and users exposed to potential pitfalls that threat actors can exploit to interfere with the regular operation of the device.
While it is assumed that elements used even within a security app would all be secure, as seen in the above vulnerability in Xiaomi’s pre-installed apps, this is far from the case. Developers and corporations alike need to be aware that having a secure element combined with another secure element within an app on their phone does not necessarily mean that when these two elements are implemented together, the device as a whole will remain secure.
The only defense against these types of hidden and obscure threats is to ensure your organization’s fleet of mobile devices use mobile security software that protects against potential Man-in-the-Middle attacks.