F-Secure: Xiaomi Smartphones Do Secretly Steal Your Data
They may be well reviewed and China's new top selling phone, but reader DavidGilbert99 writes with reason to be cautious about Xiaomi's phones: Finnish security firm F-Secure has seemingly proven that Xiaomi smartphones do in fact upload user data without their permission/knowledge despite the company strongly denying these allegations as late as 30 July. Between commercial malware and government agencies, how do you keep your phone's data relatively private?
Xiaomi smartphones do in fact upload user data without their permission/knowledge
Considering that half the apps out there (and I mean benign/legitimate apps!) seem to upload user data without the user's knowledge, that is not so shocking. Once you start using your phone, several apps will start siphoning your data.
Recent "simplification" of Android Google-store permissions means that I don't even know how much of a permission I am giving to a new app.
The allegations are specific, proven and Hugo Barra denies different allegations. A simple PR trick.
"We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.
So Barra denies it sends PHOTOS and TEXT MESSAGES to China without permission. He does not deny it sends PHONE NUMBERS and IMEI details without permission.
This is a classic PR misdirection strategy. Mi Cloud was not turned on when it sent this information, the phone was straight out of the box. So turning off Mi Cloud does not fix this spyware.
[...]
By the way, the best way to keep your data private is to keep it out of your untrusted phone/computer/whatnot, and use bogus data when you need to enter something.
Examples: use "Acme inc." as your home phone number's name in your addressbook, and nicknames for your contacts. Don't enter your full address as your home in your satnav's app but someone's address in a street close by, etc.
Unfortunately, that won't help. Your phone number(s) and your home address are already on many of your friends' devices under your real name. Apple, Google & Co already have your details, whether you use their service or not. It should be easy for them to filter out bogus data and associate your number with your real name.