A security flaw has been found in Guard Provider, the default security app on all recent Xiaomi smartphones; the company has since patched it.
The vulnerability would let a hacker inject traffic heading towards the Guard Provider app and insert malicious commands, which would permit an attacker to run malicious code to take over the phone, install malware, or steal users’ data.
This security flaw was found by security researchers from the Israel-based cyber-security firm Check Point.
The vulnerability stems from the Guard Provider app’s design. The app includes three different antivirus brands built into it, and users can select whichever they want as their default antivirus. The three antiviruses are Avast, AVL, and Tencent.
The app and the three antivirus products come with different coding libraries (SDKs, software development kits) which are used to power various functions.
According to Check Point, the interactions between two of these SDKs, the Avast SDK and the AVL SDK, exposed a way to execute code on Xiaomi devices.
On its own this vulnerability would not have had a large impact, but because the incoming and outgoing traffic of the Xiaomi Guard Provider was unencrypted, any attacker who can inject into a victim’s web traffic is able to take control of the device.
This includes Man-in-the-Middle attack scenarios, such as malware found on a router, rogue ISPs, any “evil access point” scenario, and others.
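The root cause that turns a local SDK bug into a remotely reachable one is the cleartext HTTP channel, which is what lets a network-position attacker tamper with the app’s downloads. The mitigation on the client side is to refuse cleartext entirely and, for the servers that deliver updates or signatures, to pin the expected certificate. The Android network security configuration below is an added example, not code from Xiaomi, Check Point or any of the SDK vendors; the file names and attributes are the standard Android ones, while the host name and pin digests are placeholders to be replaced.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not the app's real config) -->
<network-security-config>
    <!-- Refuse plain HTTP to every host. Android's HttpURLConnection, OkHttp and
         WebView honor this on Android 7.0 (API level 24) and later, so an
         attacker on the path cannot serve a modified update over cleartext. -->
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>

    <!-- For the host that delivers updates, additionally pin the server's
         SPKI hash so a rogue or compromised CA cannot impersonate it either.
         updates.example.com and both digests are placeholders. A backup pin
         is included so a key rotation does not brick the app. -->
    <domain-config>
        <domain includeSubdomains="true">updates.example.com</domain>
        <pin-set expiration="2026-01-01">
            <pin digest="SHA-256">REPLACE_WITH_BASE64_SPKI_HASH=</pin>
            <pin digest="SHA-256">REPLACE_WITH_BACKUP_PIN_HASH=</pin>
        </pin-set>
    </domain-config>
</network-security-config>

<!-- AndroidManifest.xml: point the <application> element at the config.
     Without this attribute the file above is never loaded. -->
<application
    android:networkSecurityConfig="@xml/network_security_config"
    android:label="@string/app_name">
    <!-- ... activities, services ... -->
</application>
```

One caveat that ties directly to the multi-SDK point below: this configuration is enforced by the platform’s networking stack, so a bundled SDK that brings its own native HTTP implementation or opens raw sockets is not covered by it. Each third-party SDK’s transport therefore has to be reviewed on its own, ideally by capturing the app’s traffic on a test device and confirming that nothing is sent over port 80 or without TLS.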
Slava Makkaveev, a security researcher at Check Point, stated that the attack scenario also illustrates the dangers of using multiple SDKs in one app. Minor bugs in each SDK can be standalone issues, but when numerous SDKs are implemented within the same app, they can combine into critical vulnerabilities.
This issue must be taken seriously: according to a study of the Android app ecosystem, an average of around 18 mobile SDKs are embedded in a single app.
When multiple SDKs interact with each other inside an app’s codebase, it becomes difficult for an app developer to know how these libraries will combine into large bugs that were never anticipated.