In the wake of recent reports claiming that Xiaomi phones send the user’s personal information back to the company’s server in China, a test performed by a security company has proved it to be true.
Finnish security company F-Secure used a Xiaomi Redmi 1S to prove that the Chinese smartphone manufacturer collects sensitive user information and stores it on their server.
Hugo Barra, the Vice President of Xiaomi, recently denied that the company was collecting data without the user’s consent, and said that it was only done when the user opted to use the Mi Cloud, which is used to back up and sync information across the user’s devices. The post also said that the information collected included contacts, notes, text messages and photos.
F-Secure decided to test if this was true, and used a brand new Xiaomi Redmi 1S for the experiment:
They inserted a SIM card, connected the phone to Wi-Fi, enabled the GPS location service, and added a new contact to the phone book. They used the phone to send and receive an SMS and an MMS. They also made and received a phone call.
The important thing to note here is that F-Secure did not set up or log in to a Mi account or the Mi Cloud.
Here is what happened:
The phone sent the following information to the server api.account.xiaomi.com.
- Telecom Service (Carrier) name
- IMEI
- Phone number
- Phone number of Contact added to phone book, and SMS messages
F-Secure then tested further by connecting the phone to the Mi Cloud and repeating the test process. After this, the phone sent the following information to the server:
- IMSI (International Mobile Subscriber Identity)
- IMEI
- Phone number
This test clearly proves that Xiaomi’s privacy policy, and the recent announcement on Facebook explaining the way they collect user data, are false. The user data and the phone’s unique identification were sent to their servers before any Mi service was used.
So, if they collect information before a user logs in to their account, where is this information stored? Isn’t this a breach of the user’s privacy?
Alarmingly, Digit reports that a user discovered that the server which collected the information was owned by “a company with relations to the Chinese Government”.
Source and image credits: F-Secure
Update:
Xiaomi has announced that the data is sent to the Mi Cloud when the phone is turned on, for the MIUI Cloud Messaging Service, which allows a user to send SMS messages for free over the internet. Hugo Barra announced on Google+ that the company has released a patch to address this issue. He also explains that the data collected is not stored permanently on their servers.
The OTA update patches the OS, so that the numbers sent over to the cloud are encrypted. The update will also allow users to disable Cloud Messaging from Settings > Mi Cloud > Cloud Messaging. But it is enabled by default, so the average user may not be aware of it at all.
Source: Engadget
Update 2:
F-Secure confirms that Xiaomi has fixed the privacy issues in its latest OTA update. They have tested the phone again with the latest firmware. Read more about it here.