Xiaomi phones are pre-backdoored; your apps can be silently overwritten


#1

Originally published at: http://boingboing.net/2016/09/16/xiaomi-phones-are-pre-backdoor.html


#2

Mobile platforms suck. The user is locked out and defenseless. Developers hands are tied and they are locked out by other means. Companies dictate the terms. Government agencies and private crackers gain access with impunity. What’s required is an open hardware and software platform. While I would prefer that it be open source and free software it doesn’t have to be. It just has to do what I need it do with my interests in mind.


#3

We’ve been seeing a lot of this from Lenovo, HTC and now Xiaomi. Somehow I get the feeling this was “requested” by the Chinese government…most likely for their own domestic surveillance, but who knows?


#4

While this is Not Good News At All; it’s very important to remember that this can’t just be dismissed as a ‘sinister Chinese and their spying hardware…’ story. Xiaomi’s implementation is shockingly incompetent(no protection against package tampering or HTTP MiTM? Are you bloody kidding?); but ‘permanent, omnipotent, can silently do more or less whatever it wants’ is standard for smartphone vendors.

Something like ‘Google Play Services’ is probably better implemented; but it has at least as many scary capabilities, probably more. The good old “Carrier IQ” ‘customer support’ software that various major telcos pushed onto handsets is in a similar boat.

Don’t get me wrong; I do not condone this when Chinese outfits do it; but I urge everyone to be very careful that stories like this remain focused on the ‘modern computing, what an Orwellian clusterfuck’ issue; rather than freaking out about it when the Chinese do it and calling it a ‘cloud enabled’ feature when the Americans do it.

I’m honestly a bit surprised that Xiaomi half-assed it to such a degree; but aside from the low quality of their implementation they really aren’t doing anything unusual in the handset market.


#5

Well that’s no way to get a leg up in the competitive smartphone market.

Although it does make me wonder if these audits are done on all smart phones. If not then how do we know this isn’t more common?

Edit: I don’t know. After reading his blog post it seems like it may be too early to get alarmed by this. He couches his report in a lot of “what ifs” and doesn’t really solidly conclude that it could be harmful (even unintentionally).


#6

Short of putting a fire extinguisher in the phone, it’s a way to ship things that just plain need shipping to users of your phone. It could be courtesy, it is(?) a remote execution vulnerability you want your version of AdAway to be keen in dealing with, it is a little plainfaced (calling ‘home’ every day, over http and not https…and what if you set the clock to the same day every day for it on the application processor side then…)

Never thought I’d see the day a 25 year old language would have a disassembler called {language} disassembler. ARMbankWrestler Oneecchan S build202489, FTW. What’s ResEdit for macos 8.2 called now, DeRes?

Mm, nice Androidology links in an iPhone release week. It Just Works (if you draw among 6 (so far) Apple/Beats Bluetooth cans.) TY, TB.


#7

I do so adore your commentary; please don’t ever change.


#8

I’m a little disturbed that you can get a phone with a nonce installed on it… :astonished:


#9

This topic was automatically closed after 5 days. New replies are no longer allowed.