<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>VR World &#187; Bluebox Labs</title>
	<atom:link href="http://www.vrworld.com/tag/bluebox-labs/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.vrworld.com</link>
	<description></description>
	<lastBuildDate>Fri, 10 Apr 2015 04:26:13 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=4.1.1</generator>
	<item>
		<title>Updated: Xiaomi Hits Back Hard at Bluebox Labs’ Claims</title>
		<link>http://www.vrworld.com/2015/03/09/xiaomi-hits-back-hard-bluebox-labs-claims/</link>
		<comments>http://www.vrworld.com/2015/03/09/xiaomi-hits-back-hard-bluebox-labs-claims/#comments</comments>
		<pubDate>Sun, 08 Mar 2015 23:40:38 +0000</pubDate>
		<dc:creator><![CDATA[Sam Reynolds]]></dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[Asia Pacific (APAC)]]></category>
		<category><![CDATA[China]]></category>
		<category><![CDATA[Global Politics]]></category>
		<category><![CDATA[Mobile Computing]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Operating Systems]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Bluebox Labs]]></category>
		<category><![CDATA[Hugo Barra]]></category>
		<category><![CDATA[Xiaomi]]></category>
		<category><![CDATA[Xiaomi security]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=49380</guid>
		<description><![CDATA[<p>Xiaomi representatives strongly rebut Bluebox Labs’ claims, and say the device tested was tampered with</p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/03/09/xiaomi-hits-back-hard-bluebox-labs-claims/">Updated: Xiaomi Hits Back Hard at Bluebox Labs’ Claims</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="770" height="511" src="http://cdn.vrworld.com/wp-content/uploads/2014/09/xiaomimipad09.jpg" class="attachment-post-thumbnail wp-post-image" alt="xiaomimipad09" /></p><p>Recently, security consultancy Bluebox Labs <a href="http://www.vrworld.com/2015/03/06/bluebox-labs-xiaomi-phones-major-security-risk/">reported on some major security flaws</a> found in the latest Xiaomi Mi 4 phone. Xiaomi didn’t take this criticism lying down, and has prepared a lengthy <a href="https://bluebox.com/blog/technical/popular-xiaomi-phone-could-put-data-at-risk/">rebuttal</a> to Bluebox’s claims.</p>
<p>While Xiaomi had already called the report “inaccurate” in a statement to <i>VR World</i>, Hugo Barra, Xiaomi’s VP International, responded to Bluebox Labs by saying the phone purchased by the company in China had been tampered with. It’s important to note that Bluebox had already tested the device to make sure that it was authentic and not a knockoff.</p>
<p>“We are certain the device that Bluebox tested is not using a standard MIUI ROM, as our factory ROM and OTA ROM builds are never rooted and we don’t pre-install services such as YT Service, PhoneGuardService, AppStats etc,” Barra said in his statement. “Bluebox could have purchased a phone that has been tampered with, as they bought it via a physical retailer in China. Xiaomi does not sell phones via third-party retailers in China, only via our official online channels and selected carrier stores.”</p>
<p>If Barra’s claim holds true, this brings up the very worrying issue of supply chain security, as Bluebox points out. If these &#8212; authentic &#8212; phones are modified by the retailer, or someone else in the supply chain, that’s incredibly concerning for device security and brand reputation.</p>
<p>Barra says that customers should only purchase Xiaomi phones from the official online store and “reputable retailers” to ensure authenticity. But what makes a “reputable retailer”? If the one Bluebox purchased its phone from &#8212; and it went to great lengths to ensure authenticity &#8212; isn’t reputable, then which ones are? After all, China is home to fake <a href="http://www.ithome.com/html/it/122503.htm">Xiaomi stores</a> (and fake Apple as well as Samsung stores too).</p>
<p>If indeed what Barra says is true, this is largely a lesson in supply chain security. All vendors need to ensure that the China side of their supply chain isn’t compromised by a man-in-the-middle attack. Because clearly even local companies aren’t immune.</p>
<p>&nbsp;</p>
<p><strong>UPDATE: March 9 2015 11:00 AM China Standard Time</strong></p>
<p>Xiaomi emailed <em>VR World</em> further statements to expand upon what it told Bluebox Labs. Here&#8217;s the statement in full.</p>
<blockquote>
<div class="">There are glaring inaccuracies in the Bluebox blog post. Official Xiaomi devices do not come rooted and do not have malware pre-installed. Our investigation based on information received so far indicates that the phone Bluebox obtained is a counterfeit product purchased through an unofficial channel on the streets in China. We&#8217;re gathering more information to fully confirm this and should have a final answer in the next 24 hours.<br class="" /><br class="" />With the large parallel street market for mobile phones in China, not only is it somewhat common for third parties to tamper with the software sold on smartphones, but there are counterfeit products which are almost indistinguishable from the original products on the outside. This happens across all brands, affecting both Chinese and foreign smartphone companies selling in China. <br class="" /><br class="" />Furthermore, &#8220;entrepreneurial&#8221; retailers may add malware and adware to these devices, and even go to the extent of pre-installing modified copies of popular benchmarking software such as CPU-Z and Antutu, which will run &#8220;tests&#8221; showing the hardware is legitimate — fooling even very discerning buyers.<br class="" /><br class="" />Xiaomi takes all necessary measures to crack down on the manufacturers of fake devices or anyone who tampers with our software, supported by all levels of law enforcement agencies in China. However, for the safety of our users, Xiaomi and all smartphone brands always recommend buying phones through authorised channels. Xiaomi only sells via <a class="" href="http://Mi.com">Mi.com</a>, and a small number of Xiaomi trusted partners including mobile operators and select authorised retailers, such as Flipkart in India. <br class="" /><br class="" />In addition, contrary to what Bluebox has claimed, MIUI is true Android, which means MIUI follows exactly Android CDD, Google&#8217;s definition for compatible Android devices, and it passes all Android CTS tests, the process used by the industry to make sure a given device is fully Android compatible. All Xiaomi devices sold in China and international markets are fully Android compatible.</div>
</blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/03/09/xiaomi-hits-back-hard-bluebox-labs-claims/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Bluebox Labs: Xiaomi Phones a Major Security Risk</title>
		<link>http://www.vrworld.com/2015/03/06/bluebox-labs-xiaomi-phones-major-security-risk/</link>
		<comments>http://www.vrworld.com/2015/03/06/bluebox-labs-xiaomi-phones-major-security-risk/#comments</comments>
		<pubDate>Fri, 06 Mar 2015 06:58:29 +0000</pubDate>
		<dc:creator><![CDATA[Sam Reynolds]]></dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[Mobile Computing]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Operating Systems]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Bluebox]]></category>
		<category><![CDATA[Bluebox Labs]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security flaws]]></category>
		<category><![CDATA[Xiaomi]]></category>

		<guid isPermaLink="false">http://www.vrworld.com/?p=49208</guid>
		<description><![CDATA[<p>Xiaomi devices ship with a number of security flaws due to the use of a forked version of Android. </p>
<p>The post <a rel="nofollow" href="http://www.vrworld.com/2015/03/06/bluebox-labs-xiaomi-phones-major-security-risk/">Bluebox Labs: Xiaomi Phones a Major Security Risk</a> appeared first on <a rel="nofollow" href="http://www.vrworld.com">VR World</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p><img width="3182" height="2273" src="http://cdn.vrworld.com/wp-content/uploads/2014/10/Xiaomi-logo.jpg" class="attachment-post-thumbnail wp-post-image" alt="Xiaomi logo" /></p><p>Xiaomi devices have taken Asia by storm, providing fierce competition to established players such as Samsung (<a href="http://www.google.com/finance?cid=151610035517112">KRX: 005930</a>). Recently Xiaomi has been under the microscope for security issues, as it has <a href="http://www.vrworld.com/2014/09/24/xiaomi-fire-taiwan-security-issues/">been alleged</a> that these devices serve as a conduit that allows Chinese intelligence services to siphon users&#8217; data. However, a <a href="https://bluebox.com/technical/popular-xiaomi-phone-could-put-data-at-risk/">new report</a> by security consultancy Bluebox Labs shows that the real threat might come from sloppy coding.</p>
<p>The device tested by Bluebox researchers was the Xiaomi Mi 4. Like many smartphones from Chinese vendors, it ships with a forked (non-official) version of Android branded as MIUI. Forked versions of Android do not undergo the same security vetting procedures from Google (<a href="http://www.google.com/finance?cid=694653">NASDAQ: GOOGL</a>) as official versions do.</p>
<p>Being a forked version of Android means that Google services are not available on the device. For example, the phone ships with a Google Play alternative called Mi Market. However, the researchers found that this version of Android appeared to be a combination of 4.4.4 and older versions. Doing a deep dive into the OS, the researchers found some conflicts at the API level. The device contains a mixture of API keys from Android 4.4 and Android 4.2 that are both test-keys (not for public use) and release-keys. As test-keys are not finalized, they ship with more security bugs than their final counterparts. However, the combination of both test and release keys could be incredibly problematic, as bugs will no doubt arise just by combining the two.</p>
<p><a href="http://cdn.vrworld.com/wp-content/uploads/2015/03/xiaomi-mi-4-6.jpg" rel="lightbox-0"><img class="aligncenter size-medium wp-image-49209" src="http://cdn.vrworld.com/wp-content/uploads/2015/03/xiaomi-mi-4-6-600x338.jpg" alt="xiaomi-mi-4-6" width="600" height="338" /></a></p>
<p>Bluebox researchers also scanned the device for suspicious apps &#8212; malware, spyware or adware. They found three apps considered to be risky. The most problematic was an app called Yt Service, as it disguises its developer package to make it look like it came from Google &#8212; which is not the case. Next up were PhoneGuardService, which was identified as a Trojan, and AppStats, which is classified as riskware.</p>
<p>Bluebox gives the device a low trustable score of 2.6. Because they run a forked version of Android, Xiaomi devices ship with security flaws that were patched by Google long ago.</p>
<p>For its part, Xiaomi has not responded to Bluebox’s attempts at responsible disclosure &#8212; approaching the vendor first before going public.</p>
<p>Bluebox told <i>VR World</i> that it did not accept outside funding for this study.</p>
<p><strong>Update 4:50 China Standard Time:</strong></p>
<p>Xiaomi sent in this response:</p>
<blockquote><p>&#8220;We are investigating this matter now. There are glaring inaccuracies in the Bluebox blog post, as official Xiaomi devices do not come rooted and do not have any malware pre-installed. It is likely that the Mi 4 that Bluebox obtained has been tampered with.&#8221;</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.vrworld.com/2015/03/06/bluebox-labs-xiaomi-phones-major-security-risk/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
