Full Disclosure mailing list archives
Re: Anhui Huami Mi Fit Android Application - Unencrypted Update Check
From: Tim <strazz () gmail com>
Date: Tue, 26 Nov 2019 10:32:04 -0800
What's the issue here exactly? An attacker can just prevent an the in app update check from realizing it needs to nag the user? The actual update logic and update-ability is controlled through the Play Store, no? -Tim Strazzere On Tue, Nov 26, 2019 at 10:27 AM David Coomber < davidcoomber.infosec () gmail com> wrote:
Anhui Huami Mi Fit Android Application - Unencrypted Update Check -- https://www.info-sec.ca/advisories/Huami-Mi-Fit.html Overview "Mi Fit tracks your activity, analyzes sleep, and evaluates your workouts." (https://play.google.com/store/apps/details?id=com.xiaomi.hm.health) Issue The Anhui Huami Mi Fit Android application (version 4.0.10 and below), does not encrypt the connection when it checks for an update. Impact An attacker who can monitor network traffic may be able to tamper with the application's update function. Timeline October 21, 2019 - Attempted to obtain a security contact via an email to support () amazfit com October 22, 2019 - Provided the details to CERT/CC October 23, 2019 - CERT/CC opened a case for tracking November 4, 2019 - Attempted to obtain a security contact via an email to security () xiaomi com Solution Upgrade to version 4.0.11 or later _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Anhui Huami Mi Fit Android Application - Unencrypted Update Check David Coomber (Nov 26)
- Re: Anhui Huami Mi Fit Android Application - Unencrypted Update Check Tim (Nov 29)