Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Anhui Huami Mi Fit Android Application - Unencrypted Update Check

From: Tim <strazz () gmail com>
Date: Tue, 26 Nov 2019 10:32:04 -0800
What's the issue here exactly? An attacker can just prevent an the in app
update check from realizing it needs to nag the user?

The actual update logic and update-ability is controlled through the Play
Store, no?

-Tim Strazzere


On Tue, Nov 26, 2019 at 10:27 AM David Coomber <
davidcoomber.infosec () gmail com> wrote:


Anhui Huami Mi Fit Android Application - Unencrypted Update Check
--
https://www.info-sec.ca/advisories/Huami-Mi-Fit.html

Overview

"Mi Fit tracks your activity, analyzes sleep, and evaluates your workouts."

(https://play.google.com/store/apps/details?id=com.xiaomi.hm.health)

Issue

The Anhui Huami Mi Fit Android application (version 4.0.10 and below),
does not encrypt the connection when it checks for an update.

Impact

An attacker who can monitor network traffic may be able to tamper with
the application's update function.

Timeline

October 21, 2019 - Attempted to obtain a security contact via an email
to support () amazfit com
October 22, 2019 - Provided the details to CERT/CC
October 23, 2019 - CERT/CC opened a case for tracking
November 4, 2019 - Attempted to obtain a security contact via an email
to security () xiaomi com

Solution

Upgrade to version 4.0.11 or later

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: