hide message

Welcome to the Resource Centre

We make it our mission to work with advocates in civil society, business and government to address inequalities of power, seek remedy for abuse, and ensure protection of people and planet.

Both companies and impacted communities thank us for the resources and support we provide.

This is only possible because of your support. Please make a donation today.

Thank you,
Phil Bloomer, Executive Director

Donate now hide message

China: Report claims Xiaomi installing backdoor on its phone devices; company denies allegations

Get RSS feed of these results

All components of this story

Article
+ 简体中文 - Hide

Author: 孙毛毛, Freebuf

…小米是全球最大的手机运营商之一,但这已经不是国外媒体首次针对小米手机扩散恶意程序做出指控了:包括在未经用户许可的情况下窃取用户数据,MIUI系统中许多应用包含大量广告等。 小米可以在用户不知情的情况下安装任意APP…

Broenink…发现该应用每24小时就会向小米官方服务器发送检查请求,查看服务器上是否有AnalyticsCore.apk的更新版本…如果小米服务器上有名为Analytics.apk的软件更新包,小米就会在神不知鬼不觉的情况下自动下载安装更新,用户完全不会察觉到…这种更新方式是否存在安全隐患也很值得探究。Broenink就发现,在应用的整个自动安装过程中,似乎不会对APK进行验证。这也就意味着,黑客也是可以利用这一过程的。 …

小米的发言…提道:“AnalyticsCore是内建在MIUI系统中的组件,主要用来分析数据以增强用户体验,比如说MIUI Error Analytics——小米的系统错误分析功能。” 另外,小米还澄清道说这个功能绝不会被黑客利用。“为了安全起见,MIUI会在软件的安装和升级期间检查Analytics.apk应用签名,以确保载入的是拥有正确签名的官方安卓软件包。”小米发言人补充道…

Read the full post here

Article
+ 繁體中文 - Hide

Author: 孫毛毛, Freebuf

…小米是全球最大的手機運營商之一,但這已經不是國外媒體首次針對小米手機擴散惡意程序做出指控了:包括在未經用戶許可的情況下竊取用戶數據,MIUI系統中許多應用包含大量廣告等。小米可以在用戶不知情的情況下安裝任意APP…

Broenink…發現該應用每24小時就會向小米官方服務器發送檢查請求,查看服務器上是否有AnalyticsCore.apk的更新版本…如果小米服務器上有名為Analytics.apk的軟件更新包,小米就會在神不知鬼不覺的情況下自動下載安裝更新,用戶完全不會察覺到…這種更新方式是否存在安全隱患也很值得探究。 Broenink就發現,在應用的整個自動安裝過程中,似乎不會對APK進行驗證。這也就意味著,黑客也是可以利用這一過程的。 …

小米的發言…提道:“AnalyticsCore是內建在MIUI系統中的組件,主要用來分析數據以增強用戶體驗,比如說MIUI Error Analytics——小米的系統錯誤分析功能。” 另外,小米還澄清道說這個功能絕不會被黑客利用。 “為了安全起見,MIUI會在軟件的安裝和升級期間檢查Analytics.apk應用簽名,以確保載入的是擁有正確簽名的官方安卓軟件包。”小米發言人補充道…

Read the full post here

Article
15 September 2016

Xiaomi Officially Responds To Recent Backdoor Accusations

Author: Kristijan Lucic, Android Headlines

Xiaomi is one of the largest smartphone manufacturers in the world…Xiaomi releases quite a few devices a year, and various reports in the past accused the company of pre-installing adware, spyware and all sorts of other malicious software on their devices…

…[A] report [claims] that Xiaomi can install any app on their devices without you knowing it. This information came from Thijs Broenink, a Computer Science student from Netherlands. He basically figured out that Xiaomi’s AnalyticsCore.apk constantly runs in the background, and reappears even if you decide to delete it. This app, according to Broenink, checks for updates from Xiaomi every 24 hours, and sends all kinds of information to Xiaomi’s servers …

…[A]ccording to Xiaomi’s statement, this app functions more or less as Mr. Broenink described, but in addition to sending usage reports…the app also pulls updates from the server if they’re available. Now, Xiaomi also said that MIUI (Xiaomi’s user interface pre-installed on every single one of their devices) check the signature of the AnalyticsCore app before installation in order to make sure that the update is official, otherwise it won’t install it. So, all in all, the AnalyticsCore app does support the auto-update feature, though Xiaomi claims that this only improves user experience, nothing else, and it seems like this ‘issue’ was blown way out of proportion.

Read the full post here