Check Point Research recently discovered a vulnerability in one of the preinstalled apps in one of the world’s biggest mobile vendors, Xiaomi, which, with almost 8% market share in 2018, ranks third in the mobile phone market.
Ironically, it was the pre-installed security app, ‘Guard Provider’, which should protect the phone from malware, which exposes the user to an attack.
Briefly put, due to the unsecured nature of the network traffic to and from Guard Provider and the use of multiple SDKs within the same app, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle (MiTM) attack. Due to gaps in communication between the multiple SDKs, the attacker could then inject any rogue code he chooses such as password stealing, ransomware, tracking or any other kind of malware.
Like all pre-installed applications like Guard Provider, these kinds of apps are present on all mobile devices out-of-the-box and cannot be deleted. Check Point disclosed this vulnerability to Xiaomi, which released a patch shortly after.
A software development kit (SDK) is a set of programming tools to help developers create apps for a specific platform. In the case of mobile devices, mobile SDKs have helped developers by removing the need to spend time writing code and developing back-end stability for functionalities unrelated to the core of their app.
But as more and more third party code is added to the app, the effort around keeping its production environment stable, protecting user data and controlling the performance gets much more complicated.