Thijs Broenink audited the AnalyticsCore.apk app that ships pre-installed on all Xiaomi phones (Xiaomi has their own Android fork with a different set of preinstalled apps) and discovered that the app, which seemingly serves no useful purpose, allows the manufacturer to silently install other code on your phone, with unlimited privileges and access.
The app phones home to Xiaomi once a day and transmits the user's "IMEI, MAC address, Model, Nonce, Package name and signature," all in the clear, then gets instructions back about which apps to install -- it can seemingly overwrite your signed, pre-installed apps with modified versions.
It seems like there indeed is no validation on what APK is getting installed. So it looks like Xiaomi can replace any (signed?) package they want silently on your device within 24 hours. And I’m not sure when this AppInstaller gets called, but I wonder if it’s possible to place your own Analytics.apk inside the correct dir, and wait for it to get installed (edit: getExternalCacheDir() is inside the app’s sandbox, so probably not). But this sounds like a vulnerability to me anyhow, since they have your IMEI and Device Model, they can install any apk for your device specifically.
If you own a Xiaomi device yourself, you might want to block all access to Xiaomi-related domains, because by far this isn’t the only request to a Xiaomi site. I use AdAway for this. It does require root access, but that should be no problem if you run the International ROM. I don’t know if the official ROM supports root access out of the box.
Reverse Engineering Xiaomi’s Analytics app
(Images: Little Marco Rubios Campaign is a Dumpster Fire, TJ Hawk, CC-BY-SA; Xiaomi Malaysia)