Of the twenty vulnerabilities identified in Xiaomi’s applications, all were reported to the company between April 25 and 30 of the previous year. A Xiaomi spokesperson claimed that all the flaws had been fixed: “ Data security and the privacy of our users are our top priority. Xiaomi has addressed all vulnerabilities reported by the Overcured team and ensured that no users are exposed to the risk posed by these vulnerabilities “. The manufacturer adds that “ Users are always advised to update their devices to the latest software version that offers security updates ».
Xiaomi quickly settles its accounts
These vulnerabilities included access with system privileges, theft of files also with system privileges, and disclosure of phone data, settings and Xiaomi accounts. Several of the issues identified stemmed from poorly handled changes to AOSP code by Xiaomi, affecting apps like location, settings, and cellular services.
On Google’s side, six vulnerabilities were spotted by Oversecured, including two specific to Pixel devices. These issues have also been addressed by Google. Among them, we find unauthorized access to the user’s geolocation via the camera and flaws in the management of Bluetooth permissions. These vulnerabilities show that even Google is modifying AOSP’s code for the development of its devices, which will lead to additional security risks.
« This is very typical for Android », explique Sergey Toshin, le CEO d’Oversecured. « It is a big illusion to believe that Android is an open source operating system. Yes, some of the code is open source, but even Google doesn’t use it in its original form ».
In response to concerns raised by these findings, a Google spokesperson said: “ User security is a top priority and we are committed to promptly addressing vulnerabilities and releasing patches as quickly as possible “. A statement that will surprise no one. “ We greatly appreciate the work of the security research community that helps identify vulnerabilities and protect the Android ecosystem ».
Google assures that its patch development process is “ as fast as possible “. But in some cases, the company needs time to plug a vulnerability. It must be said that the search engine sometimes takes its time: a flaw revealed in February 2022 by Oversecured took more than a year to be corrected, and only because the flaw was publicly known. “ We respect Google’s engineers, but it’s clear that their approach to security needs an update », indique Sergey Toshin.
🟣 To not miss any news on the WorldOfSoftware, subscribe on Google News. And if you love us, .