updated 05:07 pm EDT, Sun August 10, 2014
Executive outlines technology tied to server reporting, changes including ability to opt in
Since last month, Chinese phone and tablet manufacturer Xiaomi has been under suspicion of data practices that could be considered harmful to its user base, including the discovery of spyware installed in the Star N9500. Recent reports, and testing by a security firm, indicate that Xiaomi's smartphones, including the RedMi 1S, are reporting information back to servers in China.
To check whether the reports were accurate, F-Secure ran fresh, out-of-the-box tests on a RedMi 1S. F-Secure discovered that even without signing up for the Mi Cloud service, the IMEI number of the device, phone number and carrier name were sent to a Xiaomi server on startup. After sending text messages and making a voice call, the number of the party was also forwarded. After logging into Mi Cloud, the IMSI information was sent as well.
Xiaomi has responded to these charges previously, stating that the company doesn't store or upload any private information from its users without permission, which the company points to in its policy. Xiaomi Global Vice President Hugo Barra took to Google+ to outline the technical details of the MIUI Cloud Messaging, and why it could be tied to the privacy concerns that have popped up.
"We believe it is our top priority to protect user data and privacy," said Barra. "We do not upload or store private information or data without the permission of users."
As part of MIUI, an interface the company built on top of core Android functionality, the Cloud Messaging service allows users to contact other MIUI users through SMS free of charge. The messages are sent over IP, rather than bounced through a carrier, similar to Apple's "iMessage" system. The system will always try to send over IP before defaulting to standard delivery methods.
IMEI and IMSI numbers are the primary identifiers, and also serve as the reference point for determining whether a user is online. Adding or opening a number in the phone book also sends information to Xiaomi's servers, but it is only used to determine if the user is online, the company claims.
Unfortunately, this feature is activated as soon as a phone is turned on. A phone automatically connects with Xiaomi servers, sending the information that F-Secure found for routing identification. However, that information is never stored on any server, nor is it kept longer than needed to deliver messages.
To combat some of the privacy concerns of the feature, Barra stated that Xiaomi will be making the Cloud Messaging service optional. Instead of being automatically connected, users can now opt in for use. Xiaomi will push an over-the-air update today (August 10) to make the change. It does appear that a factory reset will be required if the service is already activated.
For those that want to continue to use the Cloud Messaging feature in MIUI, the update will also bring extra security. Barra added that phone numbers will now be encrypted when sent to Xiaomi servers.
The explanation appears to tie Xiaomi's modifications to Android closely to the need for its devices to call back to the company's home servers. Given that Xiaomi doesn't have a large following in North America, this may not be a large issue for many of its consumers who are based in China. However, as the manufacturer's user base and country saturation grow, Xiaomi could face serious issues. Since the Chinese government could be perceived as having access to data from the globe at any time, it could drive people away from Xiaomi's devices. With the news that the company is only now adding encryption to the process, it's possible that some data could have been collected already.