UPDATED 21:43 EDT / APRIL 04 2019

Xiaomi quickly patches serious vulnerability found in its security app

Xiaomi Inc. has released a patch for a security vulnerability that could have allowed hackers to intercept data and insert malicious code on devices made by the company.

Discovered by security researchers at Check Point Software Technologies Ltd. and revealed Thursday, the vulnerability, found somewhat ironically in “Guard Provider,” the standard security application Xiaomi installs on its devices, related to how the security app communicated for updates.

The app allows users to select from three antivirus services, Avast, AVL and Tencent, each integrated via a software development kit. In the case of the Avast and AVL SDKs, updates were requested over plain, unencrypted Hypertext Transfer Protocol rather than HTTP Secure, leaving the update traffic open to interception and tampering.

“Due to the unsecured nature of the network traffic to and from Guard Provider, a threat actor could connect to the same Wi-Fi network as the victim and carry out a Man-in-the-Middle attack,” the researchers explained. “Then, as part of a third-party SDK update, he could disable malware protections and inject any rogue code he chooses such to steal data, implant ransomware or tracking or install any other kind of malware.”
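As an added illustration (not code from the article, Check Point or Xiaomi): a small triage script over constructed per-app network events, with a placeholder package name and hosts, that flags the kind of cleartext update fetch described above and ranks downloads of executable content highest, since those are the path by which a network-position attacker could swap in code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample of per-app network events, in the shape a capture or
# proxy summary might produce. Package name and hosts are placeholders.
SAMPLE_EVENTS = """\
app=com.example.guard method=GET url=http://updates.sdk-a.example/av/def-2019-04-04.bin
app=com.example.guard method=GET url=https://api.sdk-c.example/v2/signatures
app=com.example.guard method=GET url=http://cdn.sdk-b.example/engine/engine-3.1.apk
app=com.example.browser method=GET url=http://news.example/index.html
app=com.example.guard method=POST url=https://telemetry.sdk-a.example/report
"""

EVENT_RE = re.compile(r"app=(\S+) method=(\S+) url=(\S+)")
# Suffixes that mean the response will be loaded as code, not merely parsed as data.
CODE_SUFFIXES = (".apk", ".dex", ".jar", ".so", ".zip")

@dataclass
class Finding:
    app: str
    url: str
    severity: str
    reason: str

def classify(app: str, url: str) -> Optional[Finding]:
    """Return a Finding for a cleartext request, or None if the URL is not http://."""
    parsed = urlparse(url)
    if parsed.scheme != "http":
        return None
    if parsed.path.lower().endswith(CODE_SUFFIXES):
        return Finding(app, url, "high", "cleartext download of executable content")
    return Finding(app, url, "medium", "cleartext HTTP request")

def find_cleartext_requests(text: str, app_filter: Optional[str] = None) -> List[Finding]:
    """Scan event lines and return every cleartext request, optionally for one package."""
    findings = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip lines that are not events
        app, _method, url = m.groups()
        if app_filter and app != app_filter:
            continue
        f = classify(app, url)
        if f:
            findings.append(f)
    return findings

if __name__ == "__main__":
    for f in find_cleartext_requests(SAMPLE_EVENTS, "com.example.guard"):
        print(f.severity, f.app, f.url, "-", f.reason)
```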

Check Point did advise Xiaomi of the vulnerability before going public with it, allowing the Chinese device maker to issue an urgent patch. But it’s not a good look to begin with, particularly given that the practice of transferring data only over HTTPS is hardly a new one.

“This vulnerability discovered in Xiaomi’s ‘Guard Provider,’ however, raises the worrying question of who is guarding the guardian,” the researchers added. “And although the guardian should not necessarily need guarding, clearly when it comes to how apps are developed, even those built in by the smartphone vendor, one cannot be too careful.”

Andrew van der Stock, senior principal consultant at Synopsys Inc., told SiliconANGLE that phone manufacturers and software providers have a special responsibility to employ security reviews and supply chain security management to make sure such applications are safe.

“The reality is that for most consumers, Android One phones, which have a stock Android experience, are likely to be an excellent choice, as there is no additional software, and Google provides timely security updates for the support period of the phone,” van der Stock added.

Photo: BoyuZhang1998/Wikimedia Commons
