According to experts from the International Institute of Cyber Security (IICS), the best ethical hacking institute, the Chinese company Xiaomi has corrected a security vulnerability in Guard Provider, the security app preinstalled in its latest smartphone models.
According to reports, this vulnerability would have allowed threat actors to inject traffic to Guard Provider, executing arbitrary code to take control of the device, install malware, or steal victims’ sensitive information.
The experts from the best ethical hacking institute mentioned that the vulnerability exists due to a flaw in the design of the Xiaomi application. Guard Provider includes three different antiviruses for its operation: Avast, AVL and Tencent. The three antiviruses, as well as the application itself, come with different coding libraries (SDK) that each one uses to drive different functions.
According to the best ethical hacking institute, the interactions between Avast SDK and AVL SDK have exposed a way to run code on a Xiaomi smartphone. The vulnerability could have had a reduced impact, but because traffic entering and leaving Xiaomi Guard Provider is not encrypted, a threat actor capable of compromising the victim’s web traffic could have taken control of a device.
Cybersecurity specialists believe that these kinds of vulnerabilities expose how dangerous the practice of using more than one SDK for a single application. “Minor flaws in each SDK can be treated independently, however, when multiple SDK deployments are used in the same application, critical vulnerabilities are likely to be generated,” experts noted.
This vulnerability should cause concern among users of smart devices. A recent study found that, on average, an Android app has 18 different SDK’s. Such a high number of SDKs interacting with each other in the code of an application could generate serious security vulnerabilities without the developers being able to even detect them.
In addition, this study has shown the lack of security and privacy that abound in preinstalled applications of smart devices because, in most cases, these contain security failures, malware or have permissions too invasive to access user activity.