
Is Xiaomi really spying on your privacy?

Xiaomi, a Chinese company, has its servers in China, and hence uploads data accordingly

Xiaomi is presently in the middle of a huge privacy debate. The Chinese company is accused of helping China spy on Indian users' personal information.

A recent news article reported that the Indian Air Force has issued a medium warning based on privacy concerns about using Xiaomi smartphones. It also requested its squadrons and their families to refrain from using the Chinese handsets since they were transmitting user information and data outside the country. This alert came after F-Secure and the Indian CERT department ran their tests on the newly launched Xiaomi Redmi 1S smartphones in India. However, Xiaomi claims that their smartphones are safe and that the Indian Air Force had issued a notice based on a two-month-old report by F-Secure.


F-Secure had tested the Redmi 1S smartphones way back on August 7, 2014, when the handsets were newly launched in the Indian territory. As a security firm, they were concerned about how the new tweaked operating system, MIUI, ran on the smartphone and whether it would send out data without permission.

Here are excerpts from their tests:

-----------------------------------------------------------------------------------------------------------------------------------------

We thought we'd take a quick look into this, so we got our hands on a brand-new RedMi 1S: We started with a "fresh out of the box" test, so no account setup was done or cloud service connection was allowed. Then we went through the following steps:

  • Inserted SIM card
  • Connected to WiFi
  • Allowed the GPS location service
  • Added a new contact into the phonebook
  • Sent and received an SMS and MMS message
  • Made and received a phone call

We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server.

The phone number of the contacts added to the phone book and also from SMS messages received was also forwarded.

Next we connected to and logged into Mi Cloud, the iCloud-like service from Xiaomi. Then we repeated the same test steps as before. This time, the IMSI details were sent to api.account.xiaomi.com, as well as the IMEI and phone number.


At this point, this was just a quick test to see if the behavior being reported can be confirmed. In response to the reports, Xiaomi itself has released a statement addressing potential privacy concerns (In Chinese on the company's Hong Kong Facebook page, with an English translation linked).

---------------------------------------------------------------------------------------------------------------------------------------

To their surprise, the tests on the first smartphones were positive and the handsets were sending data back to the Chinese servers without the user's knowledge. However, this was a default setting on the MIUI platform: when the user starts using the smartphone, the data is sent out to the servers. This data is transferred for Xiaomi to improve their user experience, and the user has the option to opt out if he/she does not want to be part of the program.

The sad part was that Xiaomi’s MIUI had the setting kept ‘ON’ by default and not left ‘OFF’. The user had to switch it off during the initial setup to stay out of the data-sharing program.

The information spread around like wildfire and Xiaomi was quick to respond with a new update for the Redmi 1S, where the MIUI OS had this default setting switched to ‘OFF’ and one could turn it on only if needed.

The test was carried out after the update was released, and F-Secure updated their results on their blog post.

Excerpts from their tests on August 14, 2014.

---------------------------------------------------------------------------------------------------------------------------------------

On August 10 Xiaomi addressed privacy concerns related to the MIUI Cloud Messaging function of its smartphones by releasing an OTA update intended to make this an opt-in feature, rather than a default one.

Since we already had the phone set up, we downloaded and applied the update to the same Redmi 1S phone we used in the previous testing.

Then we factory reset it. Once the phone restarted, we noted that cloud messaging is now by default set to Off under Settings:

We then went through the following steps.

  • Add a new contact
  • Send and receive an SMS message
  • Make and receive a phone call

During these activities, we did not see any data being sent out from the phone.

Next, we activated the cloud messaging function and logged into the Mi Cloud. At this point, we saw base-64 encoded traffic being sent to https://api.account.xiaomi.com.

Note that this is now over HTTPS rather than HTTP, as seen in our previous testing. We had to use an HTTPS proxy in order to view what was being passed.

---------------------------------------------------------------------------------------------------------------------------------------
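
The kind of check described in the excerpts, looking through proxied traffic for the handset's own identifiers, can be sketched as follows. This is an added example, not F-Secure's tooling: the identifier values, the capture records and the function names are constructed for illustration, and only the host name comes from the article. It also decodes base-64 runs, since the second test saw base-64 encoded traffic.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Identifiers of the test handset (constructed values, not from the article).
DEVICE_IDS = {"imei": "351234567890123", "imsi": "404001234567890",
              "phone": "+910000012345"}

# Constructed proxy capture: (host, scheme, request body).
_B64_BODY = base64.b64encode(
    b'{"imsi":"404001234567890","imei":"351234567890123"}').decode()
CAPTURE = [
    ("api.account.xiaomi.com", "http",
     "carrier=ExampleTel&imei=351234567890123&phone=%2B910000012345"),
    ("api.account.xiaomi.com", "https", "data=" + _B64_BODY),
    ("example.org", "https", "q=weather"),
]

B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")

def decoded_views(body):
    """Yield the body raw, URL-decoded, and with each base64-looking run decoded."""
    plain = unquote(body)
    yield body
    yield plain
    for run in B64_RUN.findall(plain):
        std = run.rstrip("=").replace("-", "+").replace("_", "/")
        std += "=" * (-len(std) % 4)          # restore padding
        try:
            raw = base64.b64decode(std, validate=True)
        except (binascii.Error, ValueError):
            continue                          # not actually base64
        yield raw.decode("utf-8", "ignore")

def find_leaks(capture, device_ids):
    """Return sorted (host, scheme, identifier) for each identifier seen leaving the device."""
    hits = set()
    for host, scheme, body in capture:
        for view in decoded_views(body):
            for name, value in device_ids.items():
                if value in view:
                    hits.add((host, scheme, name))
    return sorted(hits)

if __name__ == "__main__":
    for host, scheme, name in find_leaks(CAPTURE, DEVICE_IDS):
        print(f"{name} sent to {host} over {scheme}")
```

Hits with scheme `http` are readable by anyone on the network path; hits over `https` only show up when the capture was taken through an intercepting proxy trusted by the test device.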

Hugo Barra, Vice President Global, Xiaomi, posted additional details on his Google Plus post, which addresses the Cloud Messaging security issues.

Below is the excerpt from his post, dated August 10, 2014:

Coming down to the security issues related to data being sent out of the country for spying purposes, there is no concrete proof as to what is being intercepted, what is being read or what is being used against us.

In the same manner, the iPhone uses iCloud and Android phones use the Google servers to store most of our information. An Android smartphone, when linked to a Google server, syncs all our contacts to their servers in the US, and that too by default. You need to head to the settings to opt out of it if you don’t want your data being synchronised. The same is the case with an iPhone: all your data is being saved outside the country.

To ensure that you are not being spied upon, we recommend you don’t save any sensitive information on your handset if you are using an internet plan, or don’t use a smartphone at all. What you are saving on your smartphone can be synchronised to online cloud services for your own convenience. If you damage your smartphone or lose it, your information is lost. You can sync your new smartphone and get all your data back within a few hours. That is what cloud services are for. Xiaomi is creating their own ecosystem, just like Apple or Google, to sync your data across devices.

If security is a concern, we recommend not storing any sensitive data on your smartphones in the first place. Everyone uses social platforms for communication and fun. We share a lot of secrets, pictures and opinions on servers that are not in India. Take, for example, Facebook, Google Plus, WhatsApp and Twitter: these platforms are serving information across the globe and there are definitely some personnel out there who are handling the servers through which your data is passing. Do they not have complete access to your information?

Another example is the recent leaks of nude pictures from Snapchat and the iCloud. Who is responsible for it after all? Isn’t the user himself to blame? He or she is not supposed to send out sensitive information in the first place.


Smartphones can track you anyway: every smartphone sends out information in some way or the other. As a very basic example, if you are using Google Maps, the Google servers can pinpoint your exact location down to a few meters. So does that mean Google is spying on you?

We are not stating that cloud-based services are spying or not spying on your information. However, it is left up to you whether you want to share it or not. If you keep your filth lying under the carpet, it can be spotted some day or the other.

In recent news, the Indian Government asked all government personnel to refrain from using any third-party email services for official use. Similarly, all security-conscious firms should opt for secure services for their sensitive communication. This should include businesses, government offices, the defence organization and many others.

In short, using a smartphone is as good as using any electronic gadget. And if you are enabling an internet connection with the device, you must be careful about what you are enabling on the phone and sharing with others.


There are many users who use third-party apps on their smartphones. We all tend to accept the terms and conditions without even reading them and continue to install them on the smartphones. Do we really know what these apps are doing in the background? While some could be adware, many would be Trojans, malware or even spyware. These apps are designed to work hidden and send out information without the user knowing it.

A layman, who is not technologically sound enough, would not know about these issues and security concerns. He will tend to ignore these high-tech settings and possibly fall prey. We suggest and appeal to all smartphone manufacturers to provide complete, detailed information (in layman's terms) about the services on the device at every stage of the setup of a new smartphone. This would ensure the user has peace of mind while operating the instrument thereafter.

The operating systems on iOS, Google, Windows or BlackBerry smartphones can be said to be trusted. Xiaomi's MIUI is a third-party tweaked operating system, and can be accused of stealing data, but not with certainty. The same could be the case with OPPO smartphones, which use the ColorOS operating system, or even the upcoming OnePlus One smartphone, which will use the CyanogenMod operating system. Recent news that Micromax will start shipping with the CyanogenMod operating system could also end in a similar accusation.

So what is your call on the accusation of Xiaomi spying on the user’s data? We would like to hear from you. Do you think Xiaomi is really spying on your data?
