Thijs Broenink audited the AnalyticsCore.apk app that ships pre-installed on all Xiaomi phones (Xiaomi has their own Android fork with a different set of preinstalled apps) and discovered that the app, which seemingly serves no useful purpose, allows the manufacturer to silently install other code on your phone, with unlimited privileges and access.
The app phones home to Xiaomi once a day and transmits the user's "IMEI, MAC address, Model, Nonce, Package name and signature," all in the clear, then gets instructions back about which apps to install -- it can seemingly overwrite your signed, pre-installed apps with modified versions.
It seems like there indeed is no validation on what APK is getting installed. So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours. And I’m not sure when this AppInstaller gets called, but I wonder if it’s possible to place your own Analytics.apk inside the correct dir, and wait for it to get installed (edit: getExternalCacheDir() is inside the app’s sandbox, so probably not). But this sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any apk for your device specifically.
If you own a Xiaomi device yourself, you might want to block all access to Xiaomi related domains, because by far this isn’t the only request to a Xiaomi site. I use AdAway for this. It does require root access, but that should be no problem if you run the International ROM. I don’t know if the official rom supports root access out of the box.
Reverse Engineering Xiaomi’s Analytics app
[Thijs Broenink]
(Images: Little Marco Rubios Campaign is a Dumpster Fire, TJ Hawk, CC-BY-SA; Xiaomi Malaysia)
If you're worried that your Airbnb host has hidden a camera in the place you've rented, because that is a thing that garbage people do, you can use these handy tips to spot it.
Dustin W. Burns, 33, of Springfield, Missouri, on probation after violating a restraining order, was arrested again after he allegedly made an instructional video on how to remove an ankle monitor with a butterknife and posted the clip on Facebook. “This is how you take an ankle bracelet off,” says the voice in the video, […]
A cop working for the Direction Générale de la Sécurité Intérieure (the French national domestic surveillance agency) used the darknet marketplace Black Hand to sell access to France's prodigious national surveillance apparatus to criminals: give him a phone number and he'd track its location; give him a name and he'd tell you whether that person […]
It’s the age of the gig economy for good reason. With an unlimited market out there on the internet, side hustles are as easy as finding your voice and finding an audience. Whether it’s podcasting, writing or design, these training courses are an easy mentor for your transition from hobbyist to hustler. Start a […]
Spreadsheet proficiency isn’t just a box to check off on your resume. It’s the number one time-saver for any data entry job, human resources manager, inventory specialist or countless other crucial office positions. Don’t waste time tinkering with Excel or Google Sheets on your own. Learn both, backward and forwards, with The Excel & Google […]
Drop by just about any health store and you’ll hear raves about charcoal’s curious and newfound properties as a sponge for the body’s toxins. Turns out its beauty benefits are just as miraculous. The NUOVAWHITE Charcoal Teeth Whitening System uses charcoal as the active ingredient for a treatment that will visibly make your pearlies pearlier […]
