What's the issue here exactly? An attacker can just prevent an the in app update check from realizing it needs to nag the user?
The actual update logic and update-ability is controlled through the Play Store, no? -Tim Strazzere On Tue, Nov 26, 2019 at 10:27 AM David Coomber < davidcoomber.info...@gmail.com> wrote: > Anhui Huami Mi Fit Android Application - Unencrypted Update Check > -- > https://www.info-sec.ca/advisories/Huami-Mi-Fit.html > > Overview > > "Mi Fit tracks your activity, analyzes sleep, and evaluates your workouts." > > (https://play.google.com/store/apps/details?id=com.xiaomi.hm.health) > > Issue > > The Anhui Huami Mi Fit Android application (version 4.0.10 and below), > does not encrypt the connection when it checks for an update. > > Impact > > An attacker who can monitor network traffic may be able to tamper with > the application's update function. > > Timeline > > October 21, 2019 - Attempted to obtain a security contact via an email > to supp...@amazfit.com > October 22, 2019 - Provided the details to CERT/CC > October 23, 2019 - CERT/CC opened a case for tracking > November 4, 2019 - Attempted to obtain a security contact via an email > to secur...@xiaomi.com > > Solution > > Upgrade to version 4.0.11 or later > > _______________________________________________ > Sent through the Full Disclosure mailing list > https://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
