Hugo Barra Debunks Microsoft Partnership with Xiaomi


In a G+ post, Hugo Barra has stepped in to clear the air regarding Xiaomi’s apparent defection to Microsoft Mobile, which has been reported all over the Internet.

In a strongly worded post, Hugo had this to say.

– This is an experimental program led by Microsoft, working directly with the Mi fan community in China.

– Microsoft is working on a build of Windows 10 specifically for Mi 4 devices. This Windows 10 build will not be running on top of Android nor be available as a dual-boot option. A small number of Mi 4 power users from the Xiaomi Forum in China who choose to take part in this experimental program will have to manually re-flash their Mi 4 devices with this Windows 10 ROM, in the same way they would re-flash other Android ROMs.

– At Xiaomi, we are very supportive of users trying new things and we encourage them to do so all the time! That’s why all of our devices ship with unlocked bootloader, for example. That’s also why Xiaomi welcomes Microsoft team members to interact directly with members of the Xiaomi Forum in China. More details will be announced by Microsoft in the coming months. This program will only be available in China.

This shows that Xiaomi has no official relationship with Microsoft as portrayed by the tech press and isn’t planning on releasing any Xiaomi phones running Microsoft software for the global market. As it stands, Microsoft has teamed up with the Chinese user group to test Windows Mobile 10 on Mi phones. It’s not going global even if it can run Windows Mobile, as there are patent issues that have to be resolved in specific countries.

Xiaomi has introduced its brand into the US but has not officially opened a channel to sell its smartphones there because of patent issues. In India, Xiaomi faces a nasty lawsuit from Ericsson AB. So far it has not encountered similar problems during its release in Singapore and Malaysia, but it remains to be seen whether Xiaomi has the clout to withstand challenges from the likes of Apple, Google or Microsoft should it ever attempt to go global.

Xiaomi phones can run stock Android from Google should they be released in the global market. However, Xiaomi still has to pay a minor licensing fee should it adopt Google services and apps running within its Mi launcher. Xiaomi runs a forked version of Android, as Google’s services do not work in China. This forked Android operating system, however, does not include the patent protection it needs to sell hardware outside of the Chinese market.

– Xiaomi continues to fully embrace the Android ecosystem through our MIUI software platform and we’re moving ahead full steam building many exciting new Android-based features and services.

Bluebox Finds Malware on Xiaomi Mi 4 (China Version)


Before we jump the gun, let’s be clear on one thing. Bluebox runs a security check mobile app for Android that measures the security level of your phone. It can be downloaded here.

What the folks at Bluebox found was that their test device was, let’s say, obtained from third-party sellers, which may have compromised it. They ran the security check app and found loads of malware.

The Xiaomi Mi4 phone itself was a Chinese version. This means it’s not the international version sold in Singapore, India or Malaysia that is at fault.

What they found on the phone is scary. The third party Chinese retailers have been busy installing stuff into the phone without you knowing about it.

One particularly nefarious app was Yt Service. Yt Service embeds an adware service called DarthPusher that delivers ads to the device among other things[2]. This was an interesting find because, though the app was named Yt Service, the developer package was named com.google.hfapservice (note this app is NOT from Google). Yt Service is highly suspicious because it disguised its package to look as if it came from Google; something an Android user would expect to find on their device. In other words, it tricks users into believing it’s a “safe” app vetted by Google.

Other risky apps of note included PhoneGuardService (com.egame.tonyCore.feicheng), classified as a Trojan; AppStats (org.zxl.appstats), classified as riskware; and SMSreg, classified as malware[3].
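A quick way to look for this kind of disguise yourself, as an added example that is not from Bluebox or the original post: the script below audits the text produced by `adb shell pm list packages -f -i`, flagging the package names reported above plus any package that borrows a Google or Android namespace without living on the system image or coming from the Play Store. The sample listing is constructed, and the namespace rule is a heuristic assumed here; it is no substitute for checking an app's signing certificate.

```python
import re

# Package names the article reports on the tampered Mi 4 (taken from the page).
REPORTED = {
    "com.google.hfapservice": "Yt Service (DarthPusher adware)",
    "com.egame.tonyCore.feicheng": "PhoneGuardService (Trojan)",
    "org.zxl.appstats": "AppStats (riskware)",
}
# Assumption: namespaces a user would read as "from Google/Android".
TRUSTED_LOOKING = ("com.google.", "com.android.")
PLAY_STORE = "com.android.vending"

# One line of `pm list packages -f -i`: package:<apk path>=<name>  installer=<name>
LINE = re.compile(
    r"^package:(?P<path>\S+)=(?P<name>[\w.]+)(?:\s+installer=(?P<inst>\S+))?\s*$"
)

def audit(pm_output):
    """Return {package: [reasons]} for suspicious entries in the listing."""
    findings = {}
    for raw in pm_output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        name, path, inst = m["name"], m["path"], m["inst"]
        reasons = []
        if name in REPORTED:
            reasons.append("reported by Bluebox: " + REPORTED[name])
        # Heuristic: vendor-looking name, yet not on the system image
        # and not installed through the Play Store.
        looks_official = name.startswith(TRUSTED_LOOKING)
        if looks_official and not path.startswith("/system/") and inst != PLAY_STORE:
            reasons.append("vendor-looking name on a sideloaded APK")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample listing (not captured from a real device).
SAMPLE = """\
package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms  installer=null
package:/data/app/com.google.hfapservice-1/base.apk=com.google.hfapservice  installer=null
package:/system/app/AppStats/AppStats.apk=org.zxl.appstats  installer=null
package:/data/app/com.google.android.apps.maps-2/base.apk=com.google.android.apps.maps  installer=com.android.vending
package:/data/app/com.example.notes-1/base.apk=com.example.notes  installer=null
"""

if __name__ == "__main__":
    for pkg, why in audit(SAMPLE).items():
        print(pkg, "->", "; ".join(why))
```

A retailer who flashes an app into `/system` defeats the namespace heuristic, which is why the reported-name list is checked independently of where the APK sits.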

So how do you know if your device is safe? You can take the Bluebox challenge and find out yourself. All you need is to download the free software from Bluebox on the Google Playstore.

BlueBox Android App


What this app does is explain some of the problems found on your OS. Most of these are not fixable on your own and require updates to the OS. For example, the “Settings PendingIntent” vulnerability and ‘GraphicsBuffer Overflow’ are system based. You can’t change them on your own.

Apps with System Level Privilege

Another problem here is that Bluebox will flag your device if you have too many System Level Privilege mobile apps installed. This is something out of your control, as the apps are on Google Playstore with these requirements. Developers make use of these APIs in order to create a functioning app and, in the process, need to read your phone state. This makes it difficult for people to approve or deny the system privileges because, should you deny them, the app won’t install.

What you can do is write to the developer to ask them for clarification on why they would require these privileges in the first place before installing. If they ignore you, you can flag them up as suspicious.

Beyond this, there is nothing much you can do. Even by having security software installed, you can only detect suspicious apps during installation and avoid them. Security problems inherent in KitKat can only be solved when the system is updated. In the past, at least for my Samsung device, security updates have been rolled out to address some of the problems but Android security problems are much deeper and can only be rectified by Google themselves.