With a little over six percent market share, Xiaomi re-established itself as one of the top 5 Android smartphone manufacturers in the world. As such, millions of people use the company’s devices, so when Xiaomi’s MIUI Android skin is reported to have several security vulnerabilities, it would be wise for both users and the company to take notice.

Discovered by India-based security firm eScan Antivirus, one of the vulnerabilities centers around the Mi Mover app, which lets you transfer settings and other data from an Android device to a Xiaomi phone. When that transfer takes place between two Xiaomi devices, however, the app overrides Android’s sandbox protection, since system data and confidential information such as payment details get moved over.

To protect that information from being transferred willy-nilly, you must provide a password before using the Mi Mover app. What the researchers found was that the app did not ask for any sort of password, be it a fingerprint or a pattern lock, when transferring between the Mi Max 2 and Redmi 4A, both of which are Xiaomi devices.

This becomes a serious issue if someone gains access to your unlocked Xiaomi device, since they can clone your system and app data without too much hassle. Also, without Android’s built-in sandbox protection, there is no fallback protection from the system itself.

The other notable security vulnerability involves device-administrator apps. Generally, security apps use Android’s administrator permission to wipe your device if it ever falls into the wrong hands. Removing such an app usually requires a password, a requirement that did not pop up when the Cerberus anti-theft app was uninstalled from the Mi Max 2.

Xiaomi strongly disagreed with the report, saying the company “takes all the possible steps to ensure our devices and services adhere to our privacy policy.” Xiaomi also urged folks to use a PIN, pattern lock, or fingerprint sensor to minimize the risk of someone getting into your device.