F-Secure: Xiaomi Smartphones Do Secretly Steal Your Data
They may be well reviewed and China's new top selling phone, but reader DavidGilbert99 writes with reason to be cautious about Xiaomi's phones: Finnish security firm F-Secure has seemingly proven that Xiaomi smartphones do in fact upload user data without their permission/knowledge despite the company strongly denying these allegations as late as 30 July. Between commercial malware and government agencies, how do you keep your phone's data relatively private?
Xiaomi smartphones do in fact upload user data without their permission/knowledge
Considering that half the apps out there (and I mean benign/legitimate apps!) seem to upload user data without the user's knowledge, that is not so shocking. Once you start using your phone, several apps will start siphoning your data.
Recent "simplification" of Android Google-store permissions means that I don't even know how much of a permission I am giving to a new app.
I want it totally private. Has the concept of privacy gotten so totally lost that people seem okay to settle for relative privacy?
By the way, the best way to keep your data private is to keep it out of your untrusted phone/computer/whatnot, and use bogus data when you need to enter something.
Examples: use "Acme inc." as your home phone number's name in your address book, and nicknames for your contacts. Don't enter your full address as your home in your satnav's app but someone's address in a street close-by, etc.
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Oh, someone swears it's all a-okay. I'm totally reassured now...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
So far, all they've found it doing is reporting the IMEI by sending an HTTP GET http://api.account.xiaomi.com/pass/v3/user@id?type=MXPH&externalId=01. The data is transmitted as a cookie of the form deviceId=IMEI. (The API returns a brief reply in JSON.) That tells them the phone has connected to the phone network, and its IP address. That's not particularly interesting information. The carrier knows the IMEI number, too, of course. Perhaps this is to check up on whether carrier-reported sales data matches actual phones coming on the air.
Carriers, app vendors, Microsoft, Google, and Apple collect far more data than that. There are way too many things phoning home with the user's contact list and other personal info.
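The request shape described in the comment above (an HTTP GET carrying the IMEI in a `deviceId` cookie) is something a user can look for in plaintext traffic captured at a proxy they control. The following is an added example, not part of the thread or of F-Secure's work: it flags cookie or query values that are 15 digits long and pass the Luhn check that IMEIs carry. The captured requests, the `example.com`/`example.net` hosts and the sample IMEI are constructed for illustration.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qsl

# Constructed capture (not real traffic). The first request mirrors the shape quoted
# in the comment above; 490154203237518 is a sample value that passes the Luhn check.
CAPTURE = [
    "GET /pass/v3/user@id?type=MXPH&externalId=01 HTTP/1.1\r\n"
    "Host: api.account.xiaomi.com\r\nCookie: deviceId=490154203237518\r\n\r\n",
    "GET /home HTTP/1.1\r\n"
    "Host: www.example.com\r\nCookie: session=123456789012345\r\n\r\n",
    "GET /checkin?dev=490154203237518&v=2 HTTP/1.1\r\n"
    "Host: telemetry.example.net\r\n\r\n",
]

IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")  # exactly 15 consecutive digits

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; this filters out random 15-digit IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def parse_request(raw):
    """Split a raw HTTP/1.x request head into (target, lower-cased headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    target = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers

def find_imei_leaks(raw):
    """Return (host, location, value) for each IMEI-shaped cookie or query value."""
    target, headers = parse_request(raw)
    cookies = SimpleCookie()
    cookies.load(headers.get("cookie", ""))
    fields = [("cookie:" + k, m.value) for k, m in cookies.items()]
    fields += [("query:" + k, v) for k, v in parse_qsl(urlsplit(target).query)]
    return [(headers.get("host", ""), where, imei)
            for where, value in fields
            for imei in IMEI_RE.findall(value) if luhn_ok(imei)]

if __name__ == "__main__":
    for request in CAPTURE:
        for finding in find_imei_leaks(request):
            print(finding)
```

This only sees plaintext HTTP; traffic sent over TLS would have to be decrypted at an interception proxy before the same check applies.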
The allegations are specific, proven and Hugo Barra denies different allegations. A simple PR trick.
"We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.
So Barra denies it sends PHOTOS and TEXT MESSAGES to China without permission. He does not deny it sends PHONE NUMBERS and IMEI details without permission.
This is a classic PR misdirection strategy. Mi Cloud was not turned on when it sent this information, the phone was straight out of the box. So turning off Mi Cloud does not fix this spyware.
It's as simple as that. It doesn't matter if you turn on mobile data as long as that is under the control of the phone's operating system, and it doesn't matter if you pay attention to your cell phone bill, as traffic to and from specific government servers is likely exempt from the monthly traffic calculations just as the provider's own servers are likely to be. It doesn't matter if you monitor your wireless network, since questionable transmissions are likely to only go through mobile data, as that's harder to monitor.
While you may be able to test this with your own base station, the phone might also detect that it's not on an official network and therefore not do anything, but that's probably taking it a bit far.
While you could switch to a "dumb" phone, those are of course also trackable, and your conversations and messages can still be monitored, so I don't see any real gain there.
Myself, I carry a phone with me all the time, but I simply do not treat it as a secure device. If you want to take private pictures with your girlfriend, for instance, your phone is not the camera you want to use. End of story.
There are 4 main smartphone brands:
Apple is in the hardware business. Their goal is to sell you hardware with a basket of software that enhances the experiences and showcases the hardware.
Blackberry is in the enterprise software business. Their goal is to sell you hardware that ties you to a management system from which they make their margin.
Microsoft is in the productivity software business. Their goal is to sell you an endpoint that showcases the features of their productivity suites including their server / cloud based collaboration tools.
Google is in the advertising business. Their goal is to sell you an endpoint that showcases their web services. Those web services are designed to collect information about you to sell to advertisers.
Of those 4 companies which do you think you are going to have the toughest time with privacy? If you care about privacy and don't have a strong reason to pick Android, don't use Android; it is quite obviously going to have to be the worst of the 4. You are going to have to cut against the grain to be secure and be on a platform designed for advertisers. The other 3, while they may have problems, are all much, much better on privacy. Blackberry's balance feature allows you to create a container which divides your data into a secure side and an insecure side. They offer things like secure browsing by default. You want security, choose an operating system designed to enhance, not reduce, security. Apple and Microsoft are sort of midpoints. Apple is very good about not allowing applications to upload data you don't know about; sharing between apps is off by default. Microsoft emulated the Apple sandboxing, certification and limited interaction approach; we'll see if over time they maintain it. If you want to use these devices and have secure data, something like Good's containers (which do work on Android) provide a pretty excellent way to keep specific data associated with specific applications secure.