Xiaomi Galaxy FDS Android SDK TLS Hostname Verification Disabled Vulnerability
Vulnerability
A vulnerability exists in the Galaxy FDS Android SDK by Xiaomi, specifically in versions through 3.0.8, because the SDK disables TLS hostname verification when HTTPS is enabled, which is the default setting. The flaw is located in the 'GalaxyFDSClientImpl.createHttpClient()' method, where the SDK configures Apache HttpClient with a hostname verifier that accepts every hostname. As a result, any valid TLS certificate is accepted, regardless of whether the name it was issued for matches the endpoint being contacted. This gives a man-in-the-middle attacker the opportunity to intercept and alter communications between the SDK and Xiaomi FDS cloud storage endpoints. Such interception could expose sensitive information, including authentication credentials, file contents, and API responses.
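The misconfiguration class described above, shown beside its corrected form, as an added example written against Apache HttpClient 4.4+. This is illustration code, not the Galaxy FDS SDK's own implementation: the class name, method names and placeholder URL are assumptions, and only the HttpClient API calls are real.

```java
import java.io.IOException;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

/**
 * Added illustration of disabled hostname verification in Apache HttpClient.
 * Not the Galaxy FDS SDK's code; class and method names are assumptions.
 */
public class HostnameVerificationExample {

    /**
     * Weak pattern: a no-op verifier that answers true for every host.
     * The certificate chain is still checked against the trust store, so the
     * risk is that any certificate a trusted CA issued for some other name is
     * accepted for the FDS endpoint. On the older HttpClient bundled with
     * Android the same defect is spelled SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER.
     */
    static CloseableHttpClient createHttpClientWeak() {
        SSLContext ctx = SSLContexts.createDefault();
        HostnameVerifier acceptAll = NoopHostnameVerifier.INSTANCE;
        SSLConnectionSocketFactory sslFactory = new SSLConnectionSocketFactory(ctx, acceptAll);
        return HttpClients.custom().setSSLSocketFactory(sslFactory).build();
    }

    /**
     * Corrected pattern: RFC 2818 / RFC 6125 matching of the requested host
     * against the names in the certificate. DefaultHostnameVerifier is also
     * what HttpClient uses when no verifier is supplied, so simply not
     * passing one is an equivalent fix. Legacy equivalent:
     * SSLSocketFactory.STRICT_HOSTNAME_VERIFIER.
     */
    static CloseableHttpClient createHttpClientHardened() {
        SSLContext ctx = SSLContexts.createDefault();
        SSLConnectionSocketFactory sslFactory =
                new SSLConnectionSocketFactory(ctx, new DefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(sslFactory).build();
    }

    /** Issues one GET and reports whether the TLS handshake and request succeeded. */
    static boolean probe(CloseableHttpClient client, String url) throws IOException {
        try (CloseableHttpResponse resp = client.execute(new HttpGet(url))) {
            return resp.getStatusLine().getStatusCode() < 400;
        } catch (SSLException e) {
            // With the hardened client, a certificate issued for another name ends here.
            System.err.println("TLS rejected " + url + ": " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Placeholder endpoint (assumption); pass a real test URL as the first argument.
        String url = args.length > 0 ? args[0] : "https://fds.example.invalid/";
        try (CloseableHttpClient weak = createHttpClientWeak();
             CloseableHttpClient hardened = createHttpClientHardened()) {
            System.out.println("weak client accepted endpoint:     " + probe(weak, url));
            System.out.println("hardened client accepted endpoint: " + probe(hardened, url));
        }
    }
}
```

To confirm a build is fixed, point `main` at a test server of your own whose certificate was issued for a different name: the weak client reports `true`, the hardened client reports `false` and logs the SSLException. When auditing a dependency for this class of bug, the things to look for are `NoopHostnameVerifier`, `ALLOW_ALL_HOSTNAME_VERIFIER`, and any custom `HostnameVerifier` whose `verify` returns `true` unconditionally.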
Impact
Exploitation of this vulnerability allows for man-in-the-middle attacks, where an attacker can intercept and modify communications between the SDK and Xiaomi FDS cloud storage, potentially exposing authentication credentials, file contents, and API responses.