To ensure the use of secure software and hardware in Lithuania, the country's National Cyber Security Centre carried out a cyber-security assessment of 5G-capable smartphones manufactured by Chinese companies. This analysis presents the results of the assessment of smartphones manufactured by Huawei, Xiaomi and OnePlus.
The security assessment was carried out for widely available Huawei P40 5G, Xiaomi Mi 10T 5G and OnePlus 8T 5G mobile devices.
Some people consider the banning of Chinese tech giants, manufacturers and apps like TikTok by the United States a purely political move, but others are quite concerned about their security and privacy.
In this Tech Debate, we are going to examine this security report more closely to address some of your concerns.
If you are concerned about your security, you can watch another Tech Debate about VPNs. If you are interested in our work, you can subscribe to our channel and support us by buying our merch. You can visit our site techdmg.com and our merch store. More designs will be added soon, so don’t forget to come back.
This cybersecurity assessment concludes that the decomposition analysis performed on mobile devices of these Chinese manufacturers identified 10 instances of increased cybersecurity risk.
This report covers 4 cybersecurity risks related to the general security of factory-installed applications on the devices, threats of personal-data leakage, and restrictions on freedom of expression.
They plan to publish the details of the other cybersecurity risks identified in this comprehensive study at a future date.
When the user intends to install an app on a Huawei device, a search for the application is performed in the preinstalled official AppGallery store. If the application is found, it is downloaded and installed on the device. However, if the application is not found in Huawei's official app store, the user is automatically directed to peripheral (third-party) application distribution platforms such as APKMonk, APKPure and Aptoide, and the app gets downloaded from them. Once the device has finished downloading the APK file, the installation of the application starts.
Most of these application distribution platforms are located in countries not covered by the General Data Protection Regulation, which creates a risk of leakage of user metadata. A portion of the apps on these third-party app stores are imitations of the original applications (fakes) carrying malicious code. These apps can jeopardize the security of the device and the data stored on it.
In the Xiaomi device, factory-installed system applications send statistical data on the activity of certain applications installed on the device to servers of the Chinese cloud service provider Tencent. These servers are located in Singapore, the USA, the Netherlands, Germany and India.
The device's default browser, Mi Browser, uses two data collection modules: Google Analytics and Sensors Data. The Google Analytics module installed on the device can read the browsing and search history and send this data to analytics servers that Xiaomi accesses and whose data Xiaomi uses. This functionality is activated by enrolling the phone in the Xiaomi User Experience marketing program, which by default happens automatically during the phone’s first activation or when a factory reset is initiated.
The Sensors Data module used in the device has been found to collect statistical information on 61 parameters about the activity of the applications used, such as the time of activation of the app, the language used, the APK name, etc. A list of the data collected by Sensors Data is given in Table 7.
The collected data are sent via an encrypted channel to Xiaomi servers in Singapore, which is not covered by the General Data Protection Regulation.
Sensors Data is a platform of Chinese origin, in functionality close to Google Analytics. According to the Sensors Data Company, it has more than 1,500 customers, including some of the largest corporations in the PRC, such as China Telecom, Baidu and Sichuan Airlines.
It is notable that two analytics systems, Sensors Data and Google Analytics, are used to collect a relatively large amount of information about the processes running on the device and the behavior of installed software packages. It looks as if they wanted to make sure they still receive some of the logs in the Firebase database in case the Sensors Data servers are blocked in a region or by an ISP.
According to international sources, clear cases of unauthorized collection of user data by Xiaomi have been identified; potentially excessive collection and use of analytical data can pose a threat to the privacy of personal data.
When a user chooses to use Xiaomi cloud services, the user’s mobile phone number is registered on servers located in Singapore. This is done by the device sending an encrypted SMS message to a special phone number, as shown in Figure 12. This happens without the user’s knowledge, and the sent message is immediately deleted from the sent-message log.
The registration of a telephone number is carried out regardless of whether the user chooses to be authenticated by phone number or by e-mail address.
This service is designed to store and synchronize the data stored on the device (like the contacts, call history, SMS messages, photos, notes, Wi-Fi settings and browsing history) on remote servers.
It is important to note that neither the sent encrypted SMS message nor the number it is sent to is visible to the user. After sending the message, the device contacts the server located in Singapore and sends the encrypted content of the sent message to the telephony server. The server verifies the received encrypted content against the SMS message data received by the telephony server and sends the activation result to the mobile device.
If the SIM card is not installed on the device at the time of registration, the registration process is terminated and the device displays an error message.
The functions for sending and deleting SMS messages are shown in Figure 15. Automated sending of messages, concealed by software, makes it possible to collect and transmit device data to remote servers.
Xiaomi system applications (such as Security, MiBrowser, Cleaner, MIUI Package Installer and Themes) have been found to regularly download the manufacturer’s updated JSON file “MiAdBlacklistConfig” from a server located in Singapore. This file contains a list composed of the titles, names and other information of various religious and political groups and social movements.
Analysis of the Xiaomi application code showed that the applications have implemented software classes for filtering the target multimedia displayed on the device according to the downloaded MiAdBlacklistConfig list.
This allows a Xiaomi device to analyse the targeted multimedia content arriving on the phone, searching for keywords from the MiAdBlacklist received from the server. When such content is found to contain keywords from the list, the device blocks it. This poses a potential threat to the free availability of information.
A fragment of the MiAdBlacklistConfig file is shown in Table 14.
Further analysis of the Mi Browser code shows that this functionality has been deactivated in “the European Union region”. This functionality is activated remotely by the manufacturer.
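To make the described mechanism concrete, here is an added analyst's model, not code from the NCSC report or from Xiaomi, of how a downloaded keyword blacklist with a region gate decides which content items a device would suppress. The JSON layout, the field names (`disabledRegions`, `keywords`) and the sample keywords and content items are constructed assumptions, since the page shows neither the file's schema nor its entries.

```python
import json
import re

# Constructed stand-in for a MiAdBlacklistConfig-style file. The page does not
# show the real file's schema, so these field names and entries are assumptions.
SAMPLE_CONFIG = json.dumps({
    "version": 3,
    "disabledRegions": ["EU"],
    "keywords": ["Example Movement", "Sample Assembly", "Demo Party"],
})

# Constructed content items standing in for the "target multimedia" the device inspects.
SAMPLE_ITEMS = [
    {"id": 1, "title": "Local news: Example Movement holds rally"},
    {"id": 2, "title": "Weather forecast for the weekend"},
    {"id": 3, "title": "Interview with the DEMO PARTY spokesperson"},
]

def load_blacklist(raw_json: str) -> dict:
    """Parse the config; compile one whole-word, case-insensitive pattern per keyword."""
    cfg = json.loads(raw_json)
    keywords = [k.strip() for k in cfg.get("keywords", []) if k.strip()]
    return {
        "version": cfg.get("version"),
        "disabled_regions": {r.upper() for r in cfg.get("disabledRegions", [])},
        "patterns": {k: re.compile(r"\b%s\b" % re.escape(k), re.I) for k in keywords},
    }

def filter_enabled(blacklist: dict, region: str) -> bool:
    """Region gate: the page says the filter is switched off for the EU region."""
    return region.upper() not in blacklist["disabled_regions"]

def matched_keywords(blacklist: dict, text: str) -> list:
    """Blacklist entries that occur as whole words in a content item's text."""
    return [k for k, pat in blacklist["patterns"].items() if pat.search(text)]

def assess(blacklist: dict, items: list, region: str) -> list:
    """Per item: would the device block it in this region, and on which keywords?"""
    enabled = filter_enabled(blacklist, region)
    report = []
    for item in items:
        hits = matched_keywords(blacklist, item["title"]) if enabled else []
        report.append({"id": item["id"], "blocked": bool(hits), "matched": hits})
    return report

def blocked_ids(blacklist: dict, items: list, region: str) -> list:
    """Ids of the items that would be suppressed; handy for quantifying impact."""
    return [r["id"] for r in assess(blacklist, items, region) if r["blocked"]]
```

Running `blocked_ids(load_blacklist(SAMPLE_CONFIG), SAMPLE_ITEMS, region)` for "EU" and "CN" shows the same content passing in one region and being suppressed in the other, which is the behaviour an analyst would want to quantify when assessing such a device.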
The conclusion of NCSC
NCSC recommends that users take an interest in the software and hardware they use and responsibly evaluate the proposed functionality of the equipment. In simple words, they want you to acknowledge that you still want to use these phones after finding out about these security risks.
That’s it for now. Tell us your thoughts about this report and the mentioned smartphone manufacturers in the comment section below.
Don’t forget to subscribe for more tech debates like this one.