Data protection has become a real concern on mobile phones. Not because Google uses the data to build marketing tools that target communication campaigns better. Not only because Facebook seems to have made serious mistakes in developing and managing the way access to personal data is authorized.
It is also a concern because smartphones hold more and more of our sensitive data: private information, credit cards, various invoices, passwords for online services, etc. Creating encrypted zones and digital safes is good, but it does not necessarily prevent hacking, especially since smartphone operating systems are increasingly complex, with bridges between the OS (Android or iOS) and third-party applications.
An ever-increasing need for security
OSes are more complex. Vulnerabilities are more frequent. One of them, which concerns MIUI (the ROM that equips all Xiaomi smartphones), was disclosed by Check Point Software (the publisher of ZoneAlarm) a few days ago. As a reminder, this vulnerability affects the preinstalled application called “Security” (its real name is Guard Provider). According to Check Point, the application contains several different modules, including several antivirus engines such as the one from Avast (a publisher well known in France for its free antivirus). A hacker would be able, according to Check Point, to take advantage of this complexity by injecting malicious code and taking control of the phone’s data.
We have relayed this information in our columns. Check Point Software then claimed that the flaw had been closed following communication with Xiaomi and Avast, which appears to be the supplier of Guard Provider. Following the many articles published on the Internet, including in our columns, Avast and Xiaomi commented on the information itself, and also on the study.
Extremely complex and unlikely
Avast first confirms that the flaw existed. It also says it works continuously with its manufacturing partners, including Xiaomi, to strengthen the security of its applications (and of the terminals they protect), particularly with regard to the various modules they contain.
It also considers that the context of the attack, as defined by Check Point, is “extremely complex” and that feasibility is “unlikely.” According to Avast, this is “proof of feasibility.” That does not mean the risk is zero either, an observation that applies to many situations in hacking.
Escalation between competitors?
What can we learn from this story? Three points. First, Xiaomi has partnered with a major name in security for its smartphones, but even these big names are not immune to a development defect. Second, a flaw was found and fixed. There may be others, and they may be detected before they are patched. Computer security is a cat and mouse game.
Finally, and this is especially important to note, Avast and Check Point are competitors. When one works to find flaws in the other's product and communicates publicly about them, it is part of the strategy for signing partners like Xiaomi, which sell millions of phones. Too bad the manufacturer got caught in the crossfire.