If you have read one of our several reviews of Xiaomi phones, such as the Mi Note 2 and Mi 6, you'll know that the software experience just isn't good. MIUI is Xiaomi's heavily modified version of Android, complete with less-than-stellar RAM and Bluetooth management (among other issues). But the ROM has several major security problems, as found by research firm eScan.
The first problem relates to the Mi-Mover app, which allows you to transfer apps and some settings from any Android device (running 4.2 or higher) to a Xiaomi phone. This is a pretty common feature, even on Nexus and Pixel phones. However, if both devices are running MIUI, Mi-Mover will copy all system data to the new phone. This includes confidential information, like saved payment information, overriding Android's built-in sandbox protection in the process. Some applications are unaffected, like the ones that check the device or require a PIN at launch, but many popular apps like Twitter and Airbnb don't check the device. So if someone had access to a Xiaomi phone, they could copy all of a user's information without much effort.
Another flaw was found in how MIUI handles device-administrator apps. As you may know, many security/anti-theft apps (like Android Device Manager) can use Android's administrator permission to wipe the device. Uninstalling these apps usually requires the user's password, but eScan discovered that no prompt was given when deleting an administrator app. Theoretically, someone could steal a Xiaomi phone and quickly delete any anti-theft apps before the owner had the chance to use them.
There are a handful of other problems as well, such as the Work-Profile Admin app only being hidden when the user deletes it, and work-space profiles not being differentiated from personal ones. To be fair to Xiaomi, all of these flaws require an unlocked device to take advantage of. The company released a statement after the study was published, recommending that users lock their devices:
Any perpetrator who gains physical access to an unlocked phone is capable of malicious activity and an unlocked phone is greatly at risk of user data being stolen.
This is why, we at Xiaomi encourage our users to be more aware of guarding their private data using PIN, Pattern locks, or the onboard fingerprint sensor available on most of our smartphones. In fact, prompting users to enable fingerprint lock is a standard step when setting up a Xiaomi smartphone for first use.
Mi Mover is designed to be a convenient tool for our users to move their data from an old smartphone to a new phone. In order for Mi Mover to initiate this process, a password is required.
More importantly, in order to use Mi Mover, the smartphone has to be unlocked.
Thus, there are two layers of protection for the user – phone lock and a Mi Mover password that are necessary.
Still, the fact that Xiaomi didn't state that they would address the problems (such as re-enabling password protection for removing administrator apps) doesn't help matters. Hopefully the upcoming MIUI 9 will address these security flaws, but I wouldn't hold my breath.
- eScan (PDF)
- Guiding Tech