MEDION is a leading manufacturer of consumer electronics products in Germany and a provider of digital services for everyone. The product range includes, among other things, a number of smart products. MEDION combines the control of two categories from this innovative product line in the mobile applications MEDION Air and MEDION Robots. Therein, MEDION offers several products each (air purifiers, air conditioners, and vacuum robots) that can be set up, managed, and controlled via the aforementioned mobile apps. These applications, MEDION Air and MEDION Robots, along with one representative of their respective product category, have now been subjected to AV-TEST’s extensive certification tests and have performed convincingly in all relevant test areas.

The mobile applications MEDION Air (com.medion.air; Android / iOS v1.0.13 / v1.0.14) and MEDION Robots (com.medion.robots; Android / iOS v1.0.22) were put to the test together with a respective representative of their product category, the MD10378 as an air purifier (firmware v3.1.4) and the S30 SW as a vacuum cleaner robot (firmware v1.1.1). However, since the security-relevant areas of the apps and other compatible devices are completely identical, especially with regard to Internet communication, the results also apply to all other devices controllable via the two apps.

Experience shows that there are always at least minor problems in the area of mobile apps, which are in the vast majority of cases in the area of theoretical vulnerability, but should nevertheless be mentioned. The two MEDION apps are not completely spared from this (like almost 100% of all apps we have ever tested). For example, a larger number of the libraries used are not completely secured against certain memory access attacks (due to missing ASLR activation, for example). We see this problem quite a lot, but the app developer often has no real possibility to influence this matter, since libraries are usually of third-party origin and are only included and not compiled by the developer. However, this vulnerability is difficult to exploit in practice and only if the attacker already has far-reaching access capabilities on the user phone anyway.  The remaining detected points are some possibly not completely secured services and broadcast receivers of the Android applications and some possibly insecure function calls of the iOS apps. All in all, however, everything is similarly difficult to exploit and we rather listed them in the area of purely theoretical vulnerability.

The communication of the applications, however, was rated by us as secure throughout. Direct local communication between devices and applications could not be observed and all communication via the Internet was secured at all times and adequately protected against standard attacks, such as man-in-the-middle attacks.

We also scanned and analyzed the server side and web API of the MEDION Cloud and could not find any indications of serious problems here either: Account access is adequately secured and the possibility of manipulation or even the takeover of entire accounts can be practically ruled out. We were able to report a few minor issues regarding the server configuration to the manufacturer, but we were also assured that the corresponding issues would be resolved in a timely manner.

Air purifier MD10378

The two devices, the MD10378 air purifier and 2in1 S30 SW vacuum robot, were also extensively examined by us for potential weaknesses, especially with regard to their communication via the Internet and possible manipulation possibilities. But there were no more bad surprises here either: the devices communication is well protected and all attacks on the device connections that we carried out were unsuccessful.

Robot Vacuum Cleaner S30 SW

In the last, but by now almost most important test aspect, privacy and data protection, we also only had a few comments to make. The privacy policy informs in detail about the data collection, processing and storage of personal data and provides most of the required information.  But in regards to trackers, there were still discrepancies between the privacy policy and our analysis results. We were able to detect tracking modules from Google (Firebase Analytics) and also parts of the Facebook SDK that were not mentioned in the privacy policy so far. MEDION immediately performed an analysis of the code after receiving our results and informed us that the potential tracking tools are not actively used and are only part of other used 3rd party libraries and therefore not mentioned in the privacy policy.

Overall, the MEDION Air and MEDION Robots applications, together with the representatives of the corresponding product category, passed all test areas at the first attempt without any notable problems and left our test team with a consistently very positive overall impression. Accordingly, we are pleased to award our “Approved Smart Home Product” certificate.