A vulnerability exposing users to Man-in-the-Middle (MiTM) attacks was patched by Xiaomi in the pre-installed security app Guard Provider following a disclosure report from Check Point Research.

Ironically, as discovered by Check Point's researchers, the Guard Provider app, which should protect Xiaomi users from malware, would instead allow malicious actors connected to the wireless network used by the vulnerable devices to carry out MiTM attacks because of "the unsecured nature of the network traffic to and from Guard Provider and the use of multiple SDKs within the same app."

To be more exact, the security flaw was caused by communication issues between the various SDKs used by the Guard Provider app, making it possible for a potential attacker to "inject any rogue code he chooses such as password stealing, ransomware, tracking or any other kind of malware."

What made this security issue all the more serious was the fact that the Check Point Research team found it in one of the applications pre-installed on smartphones from Xiaomi, a company which ranked third in the mobile phone market during 2018 with an 8% market share.

Xiaomi Guard Provider

As explained by Check Point, the vulnerability is due to "SDK Fatigue," a term describing the overuse of SDKs within apps, which leaves them a lot more exposed to issues like "crashes, viruses, malware, privacy breaches, battery drain, slowdown, and many other problems."

Additionally, when using multiple SDKs in their applications, developers cannot prevent problems impacting one of them from compromising the security of the others, and they are also unable to isolate the private storage data used by each SDK.

Despite this, as detailed by a SafeDK report, the average number of SDKs used by Android applications is 18.3, and "over 57% of apps still have at least one SDK trying to access user location and 40.1% of apps have SDKs that are looking at the list of other apps installed on their users' devices."

Check Point concludes by saying that using too many SDKs when developing an app comes with the risk of leaving "organizations and users exposed to potential pitfalls that can be exploited by threat actors to interfere with the regular operation of the device."

Mobile apps vulnerable to MiTM attacks

This is not the first time Xiaomi has exposed its users to MiTM attacks: three years ago, Bluebox's researchers found that Xiaomi's Mi Market app store used plain text connections when delivering applications to its customers' devices.

This way, would-be attackers could perform a MiTM attack, making it possible to replace the apps users want to install with their own malicious variants to steal sensitive info or even take control of their target's device.

In related news, Android apps with hundreds of millions of installs like UC Browser and ES File Explorer have also been exposing their users to MiTM attacks.

UC Browser, for instance, was downloading and installing modules from its own servers via unprotected channels, bypassing Google Play's servers, while ES File Explorer allowed bad actors to intercept the app's HTTP network traffic and replace it with maliciously crafted content.