Thijs Broenink audited AnalyticsCore.apk, an app that ships pre-installed on all Xiaomi phones (Xiaomi maintains its own Android fork with a different set of preinstalled apps), and found that the app, which seemingly serves no useful purpose, lets the manufacturer silently install other code on the phone with unlimited privileges and access.
The app phones home to Xiaomi once a day and transmits the user's "IMEI, MAC address, Model, Nonce, Package name and signature," all in the clear, then receives instructions about which apps to install -- it can seemingly overwrite your signed, pre-installed apps with modified versions.
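As an added example (not from the original post or from Broenink's analysis), here is a small Python check a network defender could run over proxy logs to flag cleartext HTTP requests whose query string carries an IMEI (validated with the Luhn check digit, so arbitrary 15-digit values are not flagged) or a MAC address. The log lines, hostnames and identifier values below are constructed, not captured from a device.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log lines: "<timestamp> <method> <url>". The query
# strings carry the fields the article names (IMEI, MAC, model, nonce,
# package name, signature); hosts are placeholders, not real domains.
SAMPLE_LOG = """\
2016-09-12T03:00:01Z POST http://analytics.example-oem.invalid/report?imei=490154203237518&mac=00:11:22:33:44:55&model=MI5&nonce=8f3a&pkg=com.example.analytics&sig=abc
2016-09-12T03:00:02Z GET https://updates.example-oem.invalid/check?imei=490154203237518&model=MI5
2016-09-12T03:00:03Z GET http://cdn.example-oem.invalid/assets/logo.png?v=490154203237519
2016-09-12T03:00:04Z POST http://analytics.example-oem.invalid/report?mac=AA-BB-CC-DD-EE-FF&model=MI5
"""

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def luhn_valid(digits: str) -> bool:
    """Luhn check as used for the 15th (check) digit of an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify_params(query: str) -> list:
    """Return 'imei:<key>' / 'mac:<key>' for identifier-like query values."""
    found = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if len(value) == 15 and value.isdigit() and luhn_valid(value):
            found.append(f"imei:{key}")
        elif MAC_RE.match(value):
            found.append(f"mac:{key}")
    return found


def flag_cleartext_identifiers(log: str) -> list:
    """Alert on http:// (unencrypted) requests that carry an IMEI or MAC."""
    alerts = []
    for line in log.splitlines():
        ts, _method, url = line.split(" ", 2)
        parts = urlsplit(url)
        if parts.scheme != "http":   # TLS hides the values in transit
            continue
        ids = classify_params(parts.query)
        if ids:
            alerts.append({"ts": ts, "host": parts.hostname,
                           "path": parts.path, "ids": ids})
    return alerts
```

Run against the sample, only the two plaintext requests to the analytics host are flagged; the 15-digit cache-buster on the CDN request fails the Luhn check and the HTTPS request is skipped.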
It seems like there indeed is no validation on what APK is getting installed. So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours. And I’m not sure when this AppInstaller gets called, but I wonder if it’s possible to place your own Analytics.apk inside the correct dir, and wait for it to get installed (edit: getExternalCacheDir() is inside the app’s sandbox, so probably not). But this sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any apk for your device specifically.
If you own a Xiaomi device yourself, you might want to block all access to Xiaomi-related domains, because by far this isn’t the only request to a Xiaomi site. I use AdAway for this. It does require root access, but that should be no problem if you run the International ROM. I don’t know if the official ROM supports root access out of the box.
Reverse Engineering Xiaomi’s Analytics app
(Images: Little Marco Rubios Campaign is a Dumpster Fire, TJ Hawk, CC-BY-SA; Xiaomi Malaysia)