Xiaomi phones send user data to remote servers: F-Secure


Chinese smartphone brand Xiaomi is creating a lot of buzz with its economically priced, premium smartphones that are known to sell out in minutes or even seconds. The company has become one of the leading handset sellers in the world, displacing Samsung in its home market for the numero uno position.
However, of late there have been reports that Xiaomi phones silently send users' data to remote servers. The latest charges come from security software and solutions company F-Secure, which tested Xiaomi’s Redmi 1S phone.
At first, F-Secure did not configure a Mi Cloud account (Mi Cloud is Xiaomi’s equivalent of Apple’s iCloud and stores user data). It simply inserted a SIM card, connected the phone to Wi-Fi, turned on GPS, added a contact, made and received a call, and exchanged messages. The company found that the phone numbers of contacts added to the phone book, and those from SMS messages received, were also forwarded. The phone follows a similar pattern even when one configures a Mi Cloud account.
“Next we connected to and logged into Mi Cloud, the iCloud-like service from Xiaomi. Then we repeated the same test steps as before. This time, the IMSI details were sent to api.account.xiaomi.com, as well as the IMEI and phone number,” writes F-Secure in its blog.

Earlier, responding to privacy concerns, Xiaomi VP Hugo Barra had posted an FAQ on his Google+ page, clarifying that MIUI, the software interface used by Xiaomi phones, does not secretly upload photos and text messages. He wrote that MIUI requests public data from Xiaomi servers from time to time, but that it is all non-personal data that does not infringe on users' privacy. The post claimed that Xiaomi does not upload users’ personal data without consent and only backs it up if Mi Cloud is turned on.
However, there’s a slight conflict between the company’s privacy policy and Barra’s post. Xiaomi clearly mentions in its Privacy Policy document, “When you use and activate Xiaomi mobile devices for the first time, the mobile user identification information, mobile device unique identification and the location information of your device will be sent to Xiaomi. The collection of such information may apply to the updates of your system or software, recovery of factory settings or situations like before.”
It also clearly states, “When you use Xiaomi products to share information with your family and friends, to send messages and products or invite other person through Xiaomi BBS, we(Xiaomi) will collect the information which you provide and is relevant with such people, for example name, mail address and telephone number and so on.”
This implies that Xiaomi is collecting data from users without their consent, even if they don’t sign up for Mi Cloud.
According to Xiaomi, this information is used to improve products, for customization and updates, and for statistical purposes ‘to analyze the efficiency of its business.’ It mentions that the information is not used for tracking the location of the user.
