More than two dozen Android vulnerabilities fixed (2024)

Oversecured, a business that scans mobile apps for security issues, says it has identified more than two dozen vulnerabilities over the past few years affecting Android apps from smartphone maker Xiaomi and Google's Android Open Source Project (AOSP).

Twenty of the vulnerabilities, we're told, were reported a year ago to Xiaomi. A Xiaomi spokesperson told The Register it had closed the bugs: "Protecting the data security and privacy of our users is the top priority. Xiaomi has remediated all vulnerabilities reported by the Oversecured team and has ensured that no user is exposed to risk posed by these vulnerabilities. Users are always advised to update their devices to the latest version of software which offers security updates."

Six vulnerabilities associated with Google's AOSP code – including two affecting its Pixel devices – are said to have been already addressed by the Chocolate Factory.

"Our team discovered 20 dangerous vulnerabilities across various applications and system components that pose a threat to all Xiaomi users," Oversecured explained in a report provided to The Register.

"The vulnerabilities in Xiaomi led to access to arbitrary activities, receivers and services with system privileges, theft of arbitrary files with system privileges, disclosure of phone, settings and Xiaomi account data, and other vulnerabilities."

Oversecured claims to have reported its findings to Xiaomi between April 25 and April 30 last year. Evidently the bugs were fixed in the months that followed.

Several of the problems identified arose from mishandled modification of AOSP code. For example, Xiaomi's System Tracing app (com.android.traceur) was found to have a shell command injection vulnerability.

The System Tracing app comes from AOSP but was modified by Xiaomi. "They added custom code to extend the dump functionality to the exported com.android.traceur.AppReceiver receiver, which does not check the received values and passes them directly to sh," the Oversecured report explains.

Similarly, Xiaomi allegedly modified the Settings app (com.android.settings) in a way that leaked information about Wi-Fi and Bluetooth devices through Android Intents – a way to communicate between apps.

"Xiaomi added its own functionality for additional settings that were not present in AOSP," the report explains. "As a result, these intents began to leak information about Bluetooth devices, connected Wi-Fi networks, and emergency contacts."

Modifications to the AOSP Phone Services app (com.android.phone) created a similar problem that exposed telephony data via the Intent system. Xiaomi, the report claims, "added custom functionality, but it was vulnerable to implicit intent hijacking that exposed system values such as ICCID or IMSI of virtual SIMs."

The flagged apps include Security (com.miui.securitycenter), System Tracing, Settings, GetApps, Security Core Component, MIUI Bluetooth, Phone Services, ShareMe, Gallery, Xiaomi Cloud, Print Spooler, and Mi Video.

With regard to Google, Oversecured spotted six vulnerabilities – two of which are specific to Pixel devices, while the other four affect any Android device.

Ironically, Google also got tripped up by modifying AOSP code. Its Settings app in Pixel phones used undeclared permissions when declaring components in its AndroidManifest.xml file. This "allows an attacker to modify the lists of carrier apps and VPN bypass apps," according to Oversecured, which says that only system apps can thus be exempted from VPNs.

"This is very typical for Android," remarked Sergey Toshin, CEO of Oversecured, in an email to The Register. "It's actually a massive delusion that Android is an open source operating system. Yes, some code is open sourced, but even Google doesn't use AOSP in its original form but modifies it to release its devices. I'd say Pixel devices are 50 percent using AOSP and the rest is closed source. For the rest of the Android vendors, that percentage is less."
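The two manifest-level weaknesses reported above, a component guarded by a permission that nothing declares (the Pixel Settings case) and an exported receiver with no permission guard (the System Tracing case), can be flagged mechanically. The following is an added example, not code from Oversecured, Google or Xiaomi: the package, component and permission names in the sample manifest are constructed, and `known_permissions` is an assumed parameter for permissions the reviewer knows the platform or another package defines.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
GUARDS = ("permission", "readPermission", "writePermission")

# Constructed sample manifest (hypothetical package and component names).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.settings">
  <permission android:name="com.example.settings.MANAGE"
              android:protectionLevel="signature"/>
  <application>
    <activity android:name=".VpnBypassActivity" android:exported="true"
              android:permission="com.example.settings.MANGE"/>
    <receiver android:name=".DumpReceiver">
      <intent-filter><action android:name="com.example.DUMP"/></intent-filter>
    </receiver>
    <service android:name=".SyncService" android:exported="true"
             android:permission="com.example.settings.MANAGE"/>
  </application>
</manifest>"""

def audit_manifest(manifest_xml, known_permissions=()):
    """Return (component, issue, detail) tuples for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    # Permissions defined in this manifest, plus ones the caller vouches for.
    declared = {p.get(NS + "name") for p in root.iter("permission")}
    declared |= set(known_permissions)
    app = root.find("application")
    findings = []
    for comp in (app if app is not None else ()):
        if comp.tag not in COMPONENTS:
            continue
        name = comp.get(NS + "name")
        guards = [g for g in (comp.get(NS + a) for a in GUARDS) if g]
        if not guards and app.get(NS + "permission"):
            guards = [app.get(NS + "permission")]  # application-wide default
        for guard in guards:
            if guard not in declared:  # guard names a permission nobody defines
                findings.append((name, "undeclared-permission", guard))
        exported = comp.get(NS + "exported")
        if exported is None:  # simplification: legacy default follows intent-filter
            exported = "true" if comp.find("intent-filter") is not None else "false"
        if exported == "true" and not guards:
            findings.append((name, "exported-unguarded", comp.tag))
    return findings

if __name__ == "__main__":
    print(*audit_manifest(SAMPLE_MANIFEST), sep="\n")
```

A flagged permission is a candidate for review rather than a confirmed bug, since it may be defined by another package on the device; pass those names in `known_permissions` to suppress them.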

The Google/Pixel bugs identified include:

  • A way to access the user's geolocation through the camera (CVE-2024-0017, fixed December 20, 2023);
  • A way to access arbitrary files via the WebView component's file picker functionality (reported November 4, 2023);
  • A Settings app flaw for adding system apps to the VPN bypass list (fixed in Pixel in December 2023);
  • An incorrect Bluetooth permissions check (reported Aug 18, 2022);
  • A vulnerability that allowed access to arbitrary components of arbitrary applications installed on the device (CVE-2023-20963, reported Feb 17, 2022, and fixed March 1, 2023);
  • An HTML injection vulnerability in the Settings app on the Device Admin request screen (CVE-2021-0600, reported Jan 29, 2021, and fixed Jun 24, 2021).

Pointing to CVE-2023-20963, which was actively exploited starting on March 4, 2022 – two weeks after it was reported to Google – Oversecured argues the web giant should not have taken so long to implement a fix. We're told Google was made aware of the flaw in 2022, and didn't do anything about it for about a year, during which time the hole was exploited.

"If they had fixed the parcel/unparcel mismatch vulnerability immediately after our alert on Feb 17 2022, then Pinduoduo would not have [...] attacked," the report notes, referring to the Pinduoduo Android app that was pulled in 2023 for containing an exploit for CVE-2023-20963.

"But [Google] started fixing it more than a year later, only after it was publicly known about the attacks and finally fixed it on March 1, 2023. We respect Google's engineers, but it's clear that their approach to security needs an upgrade."

Asked to respond, a Google spokesperson replied:

"User security is a top priority and we are committed to promptly addressing vulnerabilities and releasing fixes as quickly as possible. We greatly appreciate the work of the security research community that helps identify vulnerabilities and protect the Android ecosystem.

"We are working with this reporting security researcher on addressing their findings. When releasing patches, we account for development, testing and security measures in order to ship patches as quickly as possible to the Android ecosystem without compromising device usability across different manufacturers or creating additional bugs or security issues.

"While we strive to make the patching process as quick as possible, in some cases it can take more time to ensure a patch is ready for release to the ecosystem. Android's multi-layered security protections … can help protect users from malicious apps that exploit vulnerabilities. We are always looking to improve our patching process to help keep users safe." ®

Editor's note: You can find Oversecured's report here, though it has removed all references to Google because, we're told, one of its bugs has not been fixed yet.

FAQs

Which mobile operating system has the most vulnerabilities?

Limitations: Android is more vulnerable to security threats than other mobile operating systems due to its nature.

What is vulnerability in Android phone?

Multiple vulnerabilities found in Android operating systems pose significant risks to device security, allowing attackers to gain unauthorized access and obtain sensitive information. It is crucial for users to promptly install updates provided by OEMs to mitigate these security threats.

Which phone gets hacked the most?

Android phones are more common targets for phone hacking than iPhones, mainly because the Android operating system is used by more phones and more people — so there's a bigger pool of targets. But phone hackers are increasingly targeting iPhones, so iPhone users are still at risk.

What is the most secure operating system for Android?

All in all, ChromeOS is the most secure, mainstream operating system available on the market. Its clever sandboxing mechanism, plus features specifically designed to protect users against phishing and ransomware attacks, means it's very tough for various types of malware to break through its defenses.

What protects Android devices against security vulnerabilities?

The Android security team actively monitors for abuse through Google Play Protect and warns users about Potentially Harmful Applications. Google Play Protect is enabled by default on devices with Google Mobile Services, and is especially important for users who install apps from outside of Google Play.

Is iOS or Android more vulnerable?

When it comes to smartphone safety in 2024, iOS wins the race against Android. Apple has more robust security controls over its app marketplace than Google. Apple also suffers from security vulnerabilities less frequently thanks to stricter management of devices in the iOS ecosystem and their updates.

Is iOS more vulnerable than Android?

iPhones are generally considered to be more secure than Android phones. Here are some reasons why: Closed ecosystem: Apple tightly controls the iOS ecosystem, including both the hardware and software components of iPhones.

What is the most common operating system vulnerability?

The most common types of operating system vulnerabilities include buffer overflows, privilege escalation errors, injection flaws, unpatched software vulnerabilities, and zero-day exploits.

What is the most attacked operating system?

Windows

Author: Rev. Leonie Wyman
