Security audit generates dire warnings about Chinese smartphone models


[Image: A child uses a smartphone.] Make sure you know what you’re getting into before buying and using unfamiliar brand smartphones, especially international models that weren’t originally designed for your country.

The Lithuanian National Cyber Security Center (NCSC) recently published a security evaluation of three recent smartphone models made in China: Huawei’s P40 5G, Xiaomi’s Mi 10T 5G and OnePlus 8T 5G. Sufficiently determined US buyers can find the P40 5G on Amazon and the Mi 10T 5G on Walmart.com, but we will not provide direct links to those phones, given the results of the NCSC security audit.

The Xiaomi phone includes software modules specifically designed to leak data to the Chinese authorities and censor media related to topics that the Chinese government considers sensitive. The Huawei phone replaces the standard Google Play app store with third-party substitutes that the NCSC found to house an incomplete and potentially malicious repackaging of common apps.

Huawei's P40 is still stuck on Android 10, while Xiaomi ships with 10, but can be upgraded to 11. Only the OnePlus 8T ships out of the box with Android 11 installed.

The OnePlus 8T 5G, arguably the best known and most marketed phone of the three, was the only one to escape NCSC scrutiny without red flags being raised.

Xiaomi Mi 10T 5G

The NCSC found that seven default system apps on the Xiaomi phone can monitor media content and block it from the user, using a regularly downloaded JSON file.

Xiaomi’s Mi 10T 5G ships with a non-standard browser called “Mi Browser”. The NCSC found two components in Mi Browser that it did not like: Google Analytics and a less familiar module called Sensor Data.

The Google Analytics module in Mi Browser can read the search and browsing history of the device and can then send that data to Xiaomi servers for unspecified analysis and use. The Google Analytics module is automatically activated by default during the first activation of the phone or after any factory reset.

The NCSC found that the Sensor Data module collects statistics on 61 parameters related to application activity, including application activation time, language used, and more. These statistics are encrypted and sent to Xiaomi’s servers in Singapore, a country which, according to the NCSC, is not covered by the EU GDPR and which has been linked to excessive data collection and abuse of user privacy.

The NCSC also discovered that the user’s mobile phone number is silently registered on the Singapore servers via an encrypted SMS message upon activation of Xiaomi’s default cloud services. The mobile phone number is sent whether the user links it to a new cloud account or not, and the encrypted SMS is not visible to the user.

Several of the Xiaomi system apps on the Mi 10T 5G regularly download a file called MiAdBlackListConfig from servers in Singapore. In this file, the NCSC found 449 records identifying religious, political, and social groups. The software classes in these Xiaomi applications use MiAdBlackListConfig to analyze multimedia that could be displayed on the device and block that content if it matches “undesirable” keywords.

Although the NCSC found that filtering of actual content through MiAdBlackListConfig is disabled on phones registered in the European Union, the phones still regularly download the block list and, according to the agency, can be remotely reactivated at any time.

Huawei P40 5G

The NCSC found that users searching for apps on Huawei's AppGallery are often redirected to potentially untrustworthy third-party repositories.

Although the NCSC did not find the same class of spyware and content filtering modules in Huawei’s P40 5G as in the Mi 10T 5G, it was still not happy with the phone’s software infrastructure, and for good reason.

The P40 5G’s most obvious problems come from its replacement of Google’s Play Store with Huawei’s AppGallery store, which Huawei advertises as “a safer place to get all your favorite apps.” The NCSC found that if a user searches the AppGallery for a particular app, they will be silently redirected to third-party app stores if no match is found in the AppGallery.

Third-party distribution platforms that NCSC found linked to AppGallery include, but are not limited to, Apkmonk, APKPure, and Aptoide. The NCSC used VirusTotal to scan various applications installed through AppGallery and its linked third-party platforms, and discovered potential malware in three: All-in-one social media, CNC Machinist Threading Calculator and “Messenger App, Light All-in-One, Live Free Chat Pro App”.

We’re not sure how much salt to take with the NCSC’s specific “malware” findings, as the agency did not reverse engineer any of the three apps that VirusTotal didn’t like, and anti-virus false positives in lesser-known apps occur with some regularity. However, AppGallery’s seemingly silent linking to third-party app stores presents a real risk of the device being compromised.

Although Apkmonk, APKPure, and Aptoide are reasonably well-known “alternative stores”, they are less curated than Google’s own Play Store. Aptoide, for example, offers its own main repository, which is curated, scanned, and appears to be as secure as the Play Store. But Aptoide also allows easy self-hosting of APK repositories for anyone who wants to upload their own, be it a user who wants to “back up” APKs that might disappear from the Play Store, or a developer hosting their own original software.

The ease of repository creation on Aptoide, and the prevalence of pirated and hacked apps in its user repositories, makes reckless “purchases” by less informed users a serious security risk, especially when those users may not even realize that they have left the safety of the mainstream in the first place.

Even users who do not search for pirated software may inadvertently stumble upon malware-laden repackagings or copycat versions of legitimate applications, given apparent “legitimacy” by re-signing the modified or copycat application with the uploader’s own key.

Conclusions

Based on the NCSC’s findings, there does not appear to be any problem with the OnePlus phone, which is a bit of a surprise as it is the only brand of the three that has not come under repeated negative scrutiny by non-Chinese administrations.

Particularly adventurous and / or Google-hating consumers might be reasonably interested in Huawei’s P40, which appears to be more affected by a lack of barriers against malware than by outright censorship and / or spyware.

Finally, we strongly recommend that you avoid the Xiaomi Mi 10T; its disabled but regularly updated blocklist functionality strikes us as a direct warning of authoritarian oversight that shouldn’t be lightly ignored.


arstechnica.com