What's the issue here exactly? An attacker can just prevent the in-app
update check from realizing it needs to nag the user?
The actual update logic and update-ability is controlled through the Play
Store, no?
-Tim Strazzere
On Tue, Nov 26, 2019 at 10:27 AM David Coomber <
Anhui Huami Mi Fit Android Application - Unencrypted Update Check
--
https://www.info-sec.ca/advisories/Huami-Mi-Fit.html
Overview
"Mi Fit tracks your activity, analyzes sleep, and evaluates your workouts."
(https://play.google.com/store/apps/details?id=com.xiaomi.hm.health)
Issue
The Anhui