Reverse Engineering “Quick Apps” from Xiaomi

Abstract:

Xiaomi smartphones are very popular in South Asian countries, mostly India, Sri Lanka, Indonesia and Thailand. These phones are known for packing new features into a low price.

According to Business Standard, “Xiaomi India revenue rises 175% in FY18, Mi posts net profit of Rs 2.93 bn” in Q4 2018, and according to Counterpoint, “Xiaomi sold more smartphones in India than in China in Q4 2018”.

Now you know how many phones have already been sold and are in consumers' hands. Let's talk about the apps. If you are using a Xiaomi phone you can check right now: go to Settings > System Apps > Quick Apps and you will find it listed there.

Normally any app installed on the system can be uninstalled, but since this is a built-in app it can only be disabled; there is no uninstall option in this menu. I will cover how to uninstall it in a later section.

Let’s take a look at the permissions this application carries:

The app has more than 55 permissions, some of which allow it to install apps without notification, grab the user's IMEI, SIM number and IMSI, read cell tower details such as MNC and MCC, exfiltrate credentials stored on the phone, use those credentials, and record audio, video and calls, dumping them to temporary storage for upload to endpoints such as https://v.id.mi.com

We decided to dig deeper into the app. The first step was to decompile it and read the source; there we saw code that is highly vulnerable to certain attacks and could be used to attack other apps on the phone.

Issue #1: App has more than 55 permissions to access, use and back up user data.

The app uses too many administrative permissions, such as installing apps without the user's knowledge, downloading OTA updates without the user's consent, and reading, recording and streaming live calls and video chats. It can perform MITM attacks, and it also has permissions to read the user's credentials and authenticate in the background.

Issue #2: App uses the ‘SHA1RSA’ algorithm (SHA-1 with RSA) for the certificate that signs the application. This is a serious vulnerability, as the SHA1RSA algorithm (its SHA-1 digest) is susceptible to collision attacks.

What is this vulnerability? What is a collision? (CWE-327)

In cryptography, a hash algorithm produces a hash value for any file. Likewise, every Android app must be signed with a cryptographic algorithm to prove the identity of its owner. A collision occurs when two different files or messages produce the same cryptographic hash. When that happens, an attacker can craft a different file with the same hash value as the original app and impersonate the owner of the real app.
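One way to check this on any APK yourself, as an added example that is not code from the post or from Xiaomi: an APK is a zip, and its v1 (JAR) signature lives in META-INF/*.RSA as a DER-encoded PKCS#7 block whose AlgorithmIdentifiers name the signature and digest algorithms by OID. The script below walks that DER with the standard library only and reports any SHA-1-based algorithm; the sample block is constructed, and the OID table covers only the few algorithms named here.

```python
# OIDs (RFC 3279/4055/5754) seen in the PKCS#7 block an APK v1 signer stores as META-INF/*.RSA.
KNOWN_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.3.14.3.2.26": "sha1",
    "2.16.840.1.101.3.4.2.1": "sha256",
}

def decode_oid(body: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:            # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def iter_oids(der: bytes):
    """Yield every OID in a DER blob, recursing into SEQUENCE/SET/[n] elements."""
    pos = 0
    while pos + 2 <= len(der):
        tag, length, pos = der[pos], der[pos + 1], pos + 2
        if length & 0x80:           # long form: the next (length & 0x7F) bytes hold it
            n = length & 0x7F
            length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
        body = der[pos:pos + length]
        if tag == 0x06:
            yield decode_oid(body)
        elif tag & 0x20:            # constructed type: walk its children
            yield from iter_oids(body)
        pos += length

def algorithms(der: bytes) -> list[str]:
    """Known signature/digest algorithm names found in a signature block, in order."""
    seen = []
    for oid in iter_oids(der):
        name = KNOWN_OIDS.get(oid)
        if name and name not in seen:
            seen.append(name)
    return seen

def uses_sha1(der: bytes) -> bool:
    """True when a SHA-1-based algorithm is present: the CWE-327 case from the post."""
    return any("sha1" in n.lower() for n in algorithms(der))

# Constructed sample block: SEQUENCE { AlgId(sha1WithRSAEncryption), AlgId(sha1) }.
SAMPLE_SHA1_BLOCK = bytes.fromhex("3018300d06092a864886f70d0101050500300706052b0e03021a0500")
```

Feed `algorithms()` the bytes of the APK's META-INF/*.RSA entry (for instance `zipfile.ZipFile(path).read(name)`); `apksigner verify --print-certs` reports the same certificate details for every signature scheme the APK carries.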

Issue #3: App can install unregistered applications without the consent of the user.

The application can install unregistered applications without user consent, stores logs of doing so, and clears all notifications related to application installation and uninstallation.

Issue #4: App sends unsanitized SQL inputs to the backend, which uses an SQLite database and executes raw SQL queries.

Improper sanitization of inputs leads to SQL injection attacks.

Untrusted user input in raw SQL queries can cause SQL injection. Sensitive information should also be encrypted before it is written to the database.
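To make the difference concrete, here is an added example (not code from the post or from the app) that runs the raw, concatenated query beside its parameterised form against an in-memory SQLite database, the same engine Android uses. The profile table, its rows and the query are constructed stand-ins for whatever the app actually stores.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed profile table standing in for the app's local store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile (id INTEGER PRIMARY KEY, name TEXT, token TEXT)")
    conn.executemany("INSERT INTO profile (name, token) VALUES (?, ?)",
                     [("alice", "tok-A"), ("bob", "tok-B"), ("visitor", "tok-V")])
    return conn

def lookup_raw(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Vulnerable form: untrusted input is spliced into the statement text,
    so a quote in the input changes the query's logic instead of matching a name."""
    sql = "SELECT name, token FROM profile WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn: sqlite3.Connection, name: str) -> list[tuple]:
    """Hardened form: the input is bound as a value and is never parsed as SQL."""
    return conn.execute("SELECT name, token FROM profile WHERE name = ?", (name,)).fetchall()

def compare(name: str) -> dict:
    """Run both forms on the same input so the difference is visible."""
    conn = make_db()
    try:
        return {"raw": lookup_raw(conn, name), "param": lookup_param(conn, name)}
    finally:
        conn.close()

if __name__ == "__main__":
    # A plain name behaves the same in both; a tautology dumps every row (and
    # every token) from the raw form while the bound form simply finds no match.
    for probe in ("bob", "' OR '1'='1"):
        print(repr(probe), "->", compare(probe))
```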

Have you ever wondered what happens when you don't create a Mi account?

Issue #5: App creates a visitor profile from your data and dumps it to Xiaomi endpoints

The application creates a user at https://v.id.mi.com as a visitor and saves the device’s MAC address, Bluetooth ID and Android ID.

What do they do with this data?

Xiaomi uses Druid as its analytics dashboard; as far as I can see it is an ad-oriented analytics platform. So what you can conclude is this: based on your location, your carrier, the apps you use, the websites you browse, the contacts you call frequently and the places you visit often, Quick Apps uploads your data to the analytics dashboard, and you see ads on your lock screen, news widgets, browser ads, suggestion pop-ups and so on.

http://druid.io/technology

How to disable or uninstall this application?

As of now, the only way to uninstall these system apps is to root your Android phone and remove them using apps available on the Play Store such as System App Remover, Redmi System Manager or System App Uninstaller,

or

if you know what you are doing, root the phone, disable this bloatware and unroot it again. You can read how to do this in the MIUI post linked in the references.

Thanks to Janardhana S for teaming up in this process.

References:

  1. Druid
  2. Druid Slideshare
  3. https://www.strategyanalytics.com/strategy-analytics/news/strategy-analytics-press-releases/2017/11/02/strategy-analytics-xiaomi-soars-as-global-smartphone-shipments-hit-393-million-in-q3-2017
  4. https://en.miui.com/thread-4230066-1-1.html

Written by Gagan Jain Bommaiah Satish, CyberSecurity Enthusiast & Forensic Investigator
