Full Disclosure mailing list archives
Anhui Huami Mi Fit Android Application - Unencrypted Update Check
From: David Coomber <davidcoomber.infosec () gmail com>
Date: Tue, 26 Nov 2019 09:50:59 -0500
Anhui Huami Mi Fit Android Application - Unencrypted Update Check -- https://www.info-sec.ca/advisories/Huami-Mi-Fit.html Overview "Mi Fit tracks your activity, analyzes sleep, and evaluates your workouts." (https://play.google.com/store/apps/details?id=com.xiaomi.hm.health) Issue The Anhui Huami Mi Fit Android application (version 4.0.10 and below), does not encrypt the connection when it checks for an update. Impact An attacker who can monitor network traffic may be able to tamper with the application's update function. Timeline October 21, 2019 - Attempted to obtain a security contact via an email to support () amazfit com October 22, 2019 - Provided the details to CERT/CC October 23, 2019 - CERT/CC opened a case for tracking November 4, 2019 - Attempted to obtain a security contact via an email to security () xiaomi com Solution Upgrade to version 4.0.11 or later _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Anhui Huami Mi Fit Android Application - Unencrypted Update Check David Coomber (Nov 26)