Xiaomi stealing smartphone data?

Xiaomi has been in the news for snooping on your smartphone data. There is no conclusive proof of whether the data is really being uploaded to Xiaomi's servers in China or is just being uploaded to the cloud.

Users have complained, and many fans have come to Xiaomi's defence, stating that the data is being saved online in the cloud because the users themselves have allowed the phone to do so.

When you add your Gmail account to your smartphone, you allow the operating system to synchronize your contacts to the Google servers. Adding Dropbox and GDrive is similar to logging into the Xiaomi cloud servers. These online cloud servers sync your data for online storage and safekeeping. While some users complained that their data is not safe on the Xiaomi servers, supporters ask whether storing their data on a Google server is safe enough. They also said that if users have sensitive data and cannot afford to share it, then they should either not store their data on the smartphone or simply refrain from using it.

F-Secure stepped in to do some research and find out whether there was any truth to the issue. They have published their research online for everyone to see.

Here is what F-Secure did to check if they could find any data being shared without the knowledge of the user.

“We thought we'd take a quick look into this, so we got our hands on a brand new RedMi 1S:

We started with a 'fresh out of the box' test, so no account setup was done or cloud service connection was allowed. Then we went through the following steps:

  • Inserted SIM card
  • Connected to Wi-Fi
  • Allowed the GPS location service
  • Added a new contact into the phonebook
  • Sent and received an SMS and MMS message
  • Made and received a phone call

We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server:

The phone number of contacts added to the phone book and from SMS messages received was also forwarded.

Next we connected to and logged into Mi Cloud, the iCloud-like service from Xiaomi. Then we repeated the same test steps as before. This time, the IMSI details were sent to api.account.xiaomi.com, as well as the IMEI and phone number.

At this point, this was just a quick test to see if the behavior being reported can be confirmed. In response to the reports, Xiaomi itself has released a statement addressing potential privacy concerns (In Chinese on the company's Hong Kong Facebook page, with an English translation linked).”

Here is the English translation (according to Google Translate)

So at present there is no final confirmation of whether the smartphones are uploading data on purpose, have a software bug, or are simply designed to store all information in the cloud as a safety backup.
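A test like the one F-Secure describes comes down to searching the phone's captured outbound requests for identifiers you already know. The sketch below is an added example, not F-Secure's tooling or code from this article: the device identifiers and request bodies are constructed, only the hostname comes from the report, and it also checks encoded and hashed forms, which goes beyond what the quoted test mentions.

```python
import base64
import hashlib
from urllib.parse import quote

# Known identifiers of the test handset (constructed placeholder values).
DEVICE = {"imei": "990000123456789", "imsi": "001010123456789",
          "phone_number": "+15550100", "contact_number": "+15550123"}

# Outbound requests as exported from an intercepting proxy (bodies are constructed).
CAPTURE = [
    {"host": "api.account.xiaomi.com",
     "body": "imei=990000123456789&phone=%2B15550100"},
    {"host": "api.account.xiaomi.com",
     "body": "contact=" + hashlib.sha256(b"+15550123").hexdigest().upper()},
    {"host": "time.example.net", "body": "tz=UTC"},
]

HEX_FORMS = ("hex", "md5", "sha1", "sha256")

def encodings(value):
    """Forms in which an identifier commonly appears on the wire."""
    raw = value.encode()
    return {
        "plain": value,
        "urlencoded": quote(value, safe=""),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "hex": raw.hex(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def find_leaks(capture, device):
    """Return (host, identifier, encoding) for every identifier seen in a request."""
    findings = []
    for req in capture:
        body = req["body"]
        for name, value in device.items():
            for enc, form in encodings(value).items():
                # Hex digests may be upper- or lower-case; other forms are exact.
                haystack = body.lower() if enc in HEX_FORMS else body
                if form in haystack:
                    findings.append((req["host"], name, enc))
                    break  # report each identifier once per request
    return findings

if __name__ == "__main__":
    for host, name, enc in find_leaks(CAPTURE, DEVICE):
        print(f"{host}: {name} sent as {enc}")
```

An empty result only means none of these encodings matched; identifiers inside an encrypted or compressed payload will not be found this way.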

In reply to the various claims regarding privacy, Vice President of Xiaomi, Hugo Barra wrote on his Google Plus wall, replying to all his MIUI fans.

PTI reported that, following reports of Xiaomi infringing user privacy by sending their details to a remote server, the Chinese handset maker has clarified that it does not store private information or data without permission. According to a report by security solutions provider F-Secure, Xiaomi phones silently sent out user details to a remote server. Responding to the allegations, Xiaomi vice president Hugo Barra said protecting user data and privacy is its top priority and it does not "upload or store private information or data without the permission of users". It has also released a software update to tackle the issue. F-Secure, in its report, demonstrated how a Xiaomi Redmi 1S phone was sending data including the user's IMEI, phone number, and phone numbers of contacts added to the phone book to a remote server.

Xiaomi, on its part, said user data was being transferred to allow users to benefit from Xiaomi's free messaging service, Cloud Messaging. The service, which allows Xiaomi users to send free text messages to each other, is turned on by default for all users and these messages are directed through its own servers. Xiaomi's cloud messaging system tries to send the message via the Internet (if available) or otherwise sends it as a normal SMS message (if Internet is not available). "Users' phonebook contact data or social graph information (ie the mapping between contacts) are never stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver," Barra said in a blogpost.

He added that Xiaomi has now made the Cloud Messaging service opt-in, so it doesn't activate automatically, and has released a software update to implement the change. After the update, new users or users who factory reset their phones will have to enable the cloud messaging service manually from the Settings option on their device.

Xiaomi has gained popularity across Asia Pacific offering feature-rich smartphones at affordable prices. In India, it launched its Mi3 handset last month for Rs 13,999, exclusively with e-commerce major, Flipkart. The company has already sold over 20,000 devices, which were put up on sale in tranches. The company claims to have sold 15,000 units within seconds of being put up for sale.

Source: DC
