China Smartphone Maker Xiaomi Apologizes For Unauthorized Data Access

← Back to Stories (view on slashdot.org)

China Smartphone Maker Xiaomi Apologizes For Unauthorized Data Access

Posted by samzenpus on Monday August 11, 2014 @05:37AM from the our-bad dept.

SpzToid writes Following up an earlier story here on Slashdot, now Xiaomi has apologized for collecting private data from its customers. From the article: "Xiaomi Inc said it had upgraded its operating system to ensure users knew it was collecting data from their address books after a report by a computer security firm said the Chinese budget smartphone maker was taking personal data without permission. The privately held company said it had fixed a loophole in its cloud messaging system that had triggered the unauthorized data transfer and that the operating system upgrade had been rolled out on Sunday. The issue was highlighted last week in a blog post by security firm F-Secure Oyg. In a lengthy blogpost on Google Plus, Xiaomi Vice President Hugo Barra apologized for the unauthorized data collection and said the company only collects phone numbers in users' address books to see if the users are online."

43 of 64 comments (clear)

Min score:

Reason:

Sort:

Apologies not accepted by Virtucon · 2014-08-11 05:39 · Score: 4, Insightful

Why is it considered okay to do this until you get caught? Then you apologize? How about not stealing the information in the first place for starters. Fuckwads!

--
Harrison's Postulate - "For every action there is an equal and opposite criticism"
1. Re:Apologies not accepted by electrosoccertux · 2014-08-11 05:49 · Score: 1
  
  Why is it considered okay to do this until you get caught? Then you apologize? How about not stealing the information in the first place for starters. Fuckwads!
  media spinning this. It wasn't an apology, it was an explanation of what's being used. I think it was just lazy programming honestly, read the blog post yourself. Seems reasonable.
2. Re:Apologies not accepted by Anonymous Coward · 2014-08-11 05:52 · Score: 3, Insightful
  
  Why is it considered okay to do this until you get caught? Then you apologize? How about not stealing the information in the first place for starters. Fuckwads!
  Seems the only "Fuckwads" around here are us dumbass consumers who actually think that all those free apps we download wouldn't dare do the exact same fucking thing.
  The only real difference is you blindly agreed to the spying in the EULA you didn't bother to read.
3. Re:Apologies not accepted by 0123456 · 2014-08-11 05:57 · Score: 4, Insightful
  
  Of course, if the operating system actually had real user-level security controls, the apps wouldn't be able to do that.
  I can't see myself buying another Android device so long as they expect me to allow pretty much every possible permission for every piece of crap app that doesn't even need half of them.
4. Re:Apologies not accepted by LordLimecat · 2014-08-11 06:07 · Score: 3, Interesting
  
  Cyanogenmod allows you to "accept" apps that ask for all sorts of non-core access, and then revoke it afterwards. The app can attempt to access your addressbook, but it will get blocked.
  Of course I havent had to use it, because I generally dont run into issues with apps asking for insane levels of access. Maybe its the apps you're using?
5. Re:Apologies not accepted by mlts · 2014-08-11 06:14 · Score: 2
  
  The one nice thing about Android (assuming a rooted device) is the ability to turn on and use Linux's iptables to prevent apps from phoning home. After that, Xposed and XPrivacy are good (although the interface is nowhere as nice as Protect My Privacy from Cydia on iOS) to enforce restrictions on apps that ask for more than they should.
  It would be nice if XPrivacy would fake data like PMP does, so if an app asks for GPS info, it will get GPS info, but not anything useful, or if an app asks for contacts on the phone, it gets random sets of garbage.
6. Re:Apologies not accepted by 0123456 · 2014-08-11 06:25 · Score: 1, Interesting
  
  Pretty much any 'social media' app now wants access to pretty much everything. I know several people who've stuck with an old version of the Facebook app before it started demanding almost complete control over the device. Other mobile operating systems let you deny Facebook access to your camera or microphone, whereas Android included that feature in a recen OS release... and then removed it.
  And, no, I'm not going to install some random other OS on the tablet when I can just buy a different device which includes that functionality in the first place.
7. Re:Apologies not accepted by Anonymous Coward · 2014-08-11 06:43 · Score: 4, Insightful
  
  No, it wasn't lazy programming. It was broken by design.
  From the blog post:
  "A: For those interested in specific details about the MIUI Cloud Messaging implementation:
  - The primary identifiers used to route messages are the sender and receiver’s phone numbers. IMEI and IMSI information is also used to keep track of a device's online status."
  That's not a programming mistake.
8. Re:Apologies not accepted by LifesABeach · 2014-08-11 06:43 · Score: 1
  
  I didn't RTFA, but they also mention that Round Eyes have "very large penises?"
9. Re:Apologies not accepted by Shoten · 2014-08-11 08:15 · Score: 1
  
  The one nice thing about Android (assuming a rooted device) is the ability to turn on and use Linux's iptables to prevent apps from phoning home. After that, Xposed and XPrivacy are good (although the interface is nowhere as nice as Protect My Privacy from Cydia on iOS) to enforce restrictions on apps that ask for more than they should.
  It would be nice if XPrivacy would fake data like PMP does, so if an app asks for GPS info, it will get GPS info, but not anything useful, or if an app asks for contacts on the phone, it gets random sets of garbage.
  This is all fine and good, until one app that you want to phone home uses AWS or Cloudfront, and so does another app that you don't want phoning home. Firewalls have never been a good approach to application security...evidenced by the fact that "application security" became a concept long after firewalls were commonplace.
  
  --
  
  For your security, this post has been encrypted with ROT-13, twice.
10. Re:Apologies not accepted by mlts · 2014-08-11 09:13 · Score: 2
  
  Android can firewall by app, so my AWS program can access what it needs, while another app with more nefarious intentions can be blocked.
  No, this isn't a cure for anything. In fact, it is a last resort. XPrivacy is the best solution for starters, as it will prompt when an app tries to use a permission, and you can allow or deny it. It would be nice to have a "fake" option, so the app -thinks- it has full permissions to do something... but in reality, it is being fed bogus data.
11. Re:Apologies not accepted by electrosoccertux · 2014-08-11 10:15 · Score: 1
  
  Not that, the part where it wasn't encrypted.
  I don't see what the issue is with using a phone number and IMEI.
  Why is this a big deal?
12. Re:Apologies not accepted by sysrammer · 2014-08-11 12:01 · Score: 1
  
  My SO likes to play online games. The app-driven ones tend to ask for a lot of access. If this Cyanogenmod works, I'll be forever in your debt. You may have my first-born.
  thx, sr
  PS: Don't tell my SO about the first-born thing.
  
  --
  His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
13. Re:Apologies not accepted by slaingod · 2014-08-11 15:39 · Score: 1
  
  "Of course, I need to sound like a douche, and I have to blame the victim."
  Try to install any PushToTalk app from the play store, like Voxer, etc...
  Try to install Yahoo Mail.
  Try to install FB.
  Try to install anything supported by ads and watch it ask for 'fine location', contacts, phone number, etc.
  Not sure what you are using your phone for that you aren't running across apps ask for things that they probably shouldn't, and honestly I don't care, because I am sure it is a perfectly valid use case.
  
  --
  http://blog.slaingod.com
14. Re:Apologies not accepted by LordLimecat · 2014-08-11 17:21 · Score: 1
  
  Sometimes I feel like the world has gone mad.
  Let me get this straight. You're using a social media app-- which generally combines functionality across basically all of your phone-- but you dont like the permissions it demands. Android gives you the ability to reject updates when they request more permissions, but thats no good; you could also choose any of a million alternative apps for any given social media site ("FAST for Facebook" for example), or use the Android Open Source Project derivitives on your existing hardware-- but you find that unacceptable, preferring instead to buy a new device rather than fixing your existing one?
  Like the more I read the last sentence of your post, the harder my mind boggles. You object to making a very minor change to your phone (99% of the time you cant tell youre on CyanogenMod), preferring to spend more money AND switch entire ecosystems? What?!
15. Re:Apologies not accepted by LordLimecat · 2014-08-11 17:30 · Score: 1
  
  Try using apps that dont suck. For instance:
  * Facebook-- try "Fast for Facebook" which is simultaneously faster AND less permissions-grabby.
  * Yahoo Mail-- try the inbuilt support for IMAP / POP, or any of a million other clients (TouchDown, for instance)
  * Push To Talk-- 5 minutes of googling found This app which appears to only request the bare minimum that a PTT app would need (contacts, etc)
  
  Not sure what you are using your phone for that you aren't running across apps ask for things that they probably shouldn't,
  TeamViewer, Google Authenticator, Fing, Opera, Car DashDroid, Fast for Facebook, PushBullet, OpenVPN, Reddit is Fun... none are generally problematic permissions wise. At some point you're going to have to face the fact that theres a lot of grabby apps out there, and you apparently like some of them. Either use alternatives (they DO exist), or stop complaining.
16. Re:Apologies not accepted by slaingod · 2014-08-11 18:10 · Score: 1
  
  Like I said, I don't care, just the attitude that somehow the victim is in the wrong, and the faux scolding of 'I am better than you' your attitude implied. If you reread your sentence
  "Of course I havent had to use it, because I generally dont run into issues with apps asking for insane levels of access. Maybe its the apps you're using?"
  and can honestly say it doesn't sound remotely douchey, then I apologize.
  "Of course I haven't ever had an STD, but I generally don't use the low end hookers you obviously use..." :)
  TIKL:
  read your contacts
  approximate location (network-based)
  read call log
  It is definitely better than most, but that doesn't make it good.
  I don't like any of them being grabby, which is why I use Privacy Guard, which is actually just the Google hidden App Ops.
  
  --
  http://blog.slaingod.com
17. Re:Apologies not accepted by LordLimecat · 2014-08-11 19:09 · Score: 1
  
  TIKL is a walkie talkie app; it has to read your contacts to do the thing you downloaded it to do. Ditto call log. Location might be unnecessary, but thats "approximate", not even GPS.
  This isnt "blaming the victim", because I dont buy that there is a victim. These are free apps which announce what they want to do, and theres a bazillion alternatives that do the exact same thing with better permissions.
  If you want to use Privacy Ops, thats great; I just havent found an app where I would need it yet.
18. Re:Apologies not accepted by perryizgr8 · 2014-08-11 22:26 · Score: 1
  
  I really want to install XPrivacy but it requires Xposed. And I have had a really bad experience with Xposed. It literally burns through my battery sometimes. Specially on boot, like 90% to 70% in a couple of minutes, plus burning my hand. The tragedy is that so many Xposed modules are so incredibly useful.
  
  --
  Wealth is the gift that keeps on giving.
19. Re:Apologies not accepted by preflex · 2014-08-12 01:42 · Score: 1
  
  If you want to use Privacy Ops, thats great; I just havent found an app where I would need it yet.
  How about the built-in web browser?
  According to PDroid Monitor (using CyanogenMod with P-droid patches), it can access:
  Network Location
  GPS Location
  Account Credentials
  Accounts (Listing of accounts registered with other apps on device: Dropbox, Twitter, etc. Includes name of the service, and the user ID)
  Contacts (For what?)
  Call Log (Why the hell would it ever need this?)
  Bookmarks and History (Duh)
  Wifi Info
  Network Info (
  Force Online State
  Well, of course the built-in browser is gross. What about Firefox? That should be less invasive, right?
  Network Location
  GPS Location
  Account Credentials
  Accounts
  Record Audio
  Camera
  Start at Boot (That goes really well with the previous two)
  Network Info
  Force Online State
  What could possibly go wrong?
20. Re:Apologies not accepted by LordLimecat · 2014-08-12 06:42 · Score: 1
  
  Pretty much the only problematic one with firefox is start at boot. The others are all part of common features:
  * GPS / Network location-- some sites request location data, which firefox prompts you for. It needs that permission to be able to grant the request if you approve.
  * Account creds-- obvious
  * Audio / camera-- voice search. Its a manually activated function. Also, HTML5 can do chats through webrtc, which needs camera / audio.
  * Network info-- detect whether your online or not
  * Call logs / contacts-- sharing webpages, making calls from phone links (ie, your browser sees 888-123-4567, it lets you click it and initiate a call)
  If you are concerned about those, use an alternate browser that doesnt have those features.
As the quote says... by x0ra · 2014-08-11 05:39 · Score: 4, Insightful

"It's easier to ask forgiveness than it is to get permission." ...
Please excuse us by phorm · 2014-08-11 05:41 · Score: 5, Insightful

We'll try to hide it better next time...
Thank you very much by stevez67 · 2014-08-11 05:50 · Score: 1

I prefer capitalist stooges stealing my personal information, rather than commie stooges. (stolen from Dr. Strangelove)
There Ain't No Such Thing As... by rodrigoandrade · 2014-08-11 05:57 · Score: 4, Insightful

A cheap high end smartphone. Apple couldn't do it, Nokia couldn't do it, Blackberry couldn't do it, Samsung couldn't do it, etc.

If you're not paying with dollars, you're paying with something else...
1. Re:There Ain't No Such Thing As... by riis138 · 2014-08-11 06:15 · Score: 1
  
  ^ This. They are going to take it from you somewhere. One way or another, they will get their money back.
  
  --
  Somewhere, something incredible is waiting to be known. -Carl Sagan
Do you know what their sin is? by Libertarian_Geek · 2014-08-11 06:13 · Score: 1

...pride.

https://www.youtube.com/watch?...

--

www.facebook.com/DareDefendOurRights

www.fairtax.org
This does not make sense by 93+Escort+Wagon · 2014-08-11 06:23 · Score: 4, Insightful

In a lengthy blogpost on Google Plus, Xiaomi Vice President Hugo Barra apologized for the unauthorized data collection and said the company only collects phone numbers in users' address books to see if the users are online.
I realize there is some translation going on here, and that can sometimes lead to misinterpretation - but in what context can this possibly make any sense? Collecting phone numbers from your address book to see if you're online? Seriously?

--
#DeleteChrome
1. Re:This does not make sense by maroberts · 2014-08-11 06:31 · Score: 3, Insightful
  
  Well in a roundabout way of thinking, its one of the simplest tests you can do to see if the phone can be accessed over the intertubes. All phones will have a contacts list/address book, so this will be supported by all Android phones.
  Of course, when you think about it however, you realize that its more than a little absurd and creepy.
  
  --
  Donte Alistair Anderson Roberts - hi son!
  Karma: Chameleon
2. Re:This does not make sense by Anonymous Coward · 2014-08-11 09:02 · Score: 1
  
  This is pathetic, and you're pathetic for saying that.
  There is absolutely no evidence that they collect phone numbers from your address book.
  The original f-secure blog says nothing about collecting phone numbers from your address book -- http://www.f-secure.com/weblog/archives/00002731.html. It's basically an SMS over HTTP service that they've turned on by default. All it's doing is sending a request to the server to say that you're online, so it can route SMS over HTTP to save you $ (well, sms is free with your plan in the US, but that's not true in other countries).
  David Gilbert is a fucking idiot who blatantly lied in his article:
  http://www.ibtimes.co.uk/security-firm-shows-xiaomi-smartphones-do-secretly-steal-your-data-1460382
  "However today Finnish security firm F-Secure has published a blog detailing how a brand new RedMi 1S smartphone silently uploaded a users' phone number, the network being used, the phone's IMEI number (used to identify a specific phone), as well as the phone numbers of contacts added to the address book and phone numbers of SMS messages received."
  This is clearly not true and grossly exaggerated. All you have to do is go direct to the original f-secure blog to see what's going on.
  When you send an SMS and the phone routes the SMS over via IP (HTTP specifically), of course it has to collect your phone # and the target phone #. How else would it know who sends the message and to whom?
  If I were Xaomi, I would sue David Gilbert for libel.
  As this is Slashdot, I would expect smarter readers, but apparently that's not true. Where are all the IT/programmer people?
More flies with honey... by Etherwalk · 2014-08-11 06:29 · Score: 4, Interesting

Why is it considered okay to do this until you get caught? Then you apologize? How about not stealing the information in the first place for starters. Fuckwads!
When an institution or a person does something right, I find it useful to commend them for it.
There may be many other things they can do right in the future, that they are doing wrong now. And there may be things done in the past that were profoundly wrong.
But they've still done a good thing.
In the United States, communications professionals (and the people they coach, like our politicians) avoid admitting when they are wrong, avoid even *engaging* in serious discussion, precisely because people so easily latch onto any words acknowledging another position and turn it into a sound byte. Attacking people who do the right thing for not doing more encourages them *not* to do the right thing in the first place.
Here, a company admitted it was wrong and apologized. It may or may not be disinformation to distract us from spying on behalf of the Chinese Government; and the company may or may not still be doing things we consider wrong. But the company's message was the right one, and they deserve praise for taking responsibility for a foul-up and acting to correct it.
1. Re:More flies with honey... by Anonymous Coward · 2014-08-11 07:43 · Score: 2, Insightful
  
  This is the stupidest logic I've read in a long time. It's like saying that if I apologize after raping you, then you shouldn't be angry at me for raping you. I mean, I apologized right! No harm, no foul.
2. Re:More flies with honey... by penguinoid · 2014-08-11 08:14 · Score: 1
  
  You think it's commendable to apologize "Sorry we only copy your address book to 'see if you're online' "? No, they copy your address book to see who your contacts are. There's much less invasive ways to "see if you're online".
  
  --
  Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
3. Re:More flies with honey... by perryizgr8 · 2014-08-11 22:29 · Score: 1
  
  They probably use the phone numbers in the address book and see if the users of phones with those numbers are online. This is probably the most non-invasive ways to do this.
  
  --
  Wealth is the gift that keeps on giving.
Cubot as well? by Anonymous Coward · 2014-08-11 06:31 · Score: 1

I bought one of these a few months ago, and running a netstat one day I discovered some odd IPs, most of which turned out to be Google this or that, but one struck me as very odd, to a Chinese address. Can anyone tell me, why does my phone "phone home?"
Fixed a "loophole"? by Viol8 · 2014-08-11 06:33 · Score: 1

Thats not a fucking loophole - a program doesn't accidentaly download and store phone numbers , it has to be programmed to do it - thats deliberate data stealing. Now we get the usual meaningless corporate humble apology routine which they hope will placate everyone until next time they get caught. Pathetic.
They handled it quite nicely by jones_supa · 2014-08-11 06:48 · Score: 1

Well goddammit, you whiners. At least this company apologized and fixed the problem properly. How often these days we just get "[company name] declined to comment on the issue" and then we never hear from them again. Xiaomi's reaction in this case was much better.
1. Re:They handled it quite nicely by houindcon · 2014-08-11 09:02 · Score: 1
  
  I also think it was handles rather well.
  Regardless of the reason or the method that they used, they LISTENED to their customer base and made appropriate adjustments. I may not like the fact that they're still collecting data but I think they did the right thing given their position. Jesus people, you just can't be happy can you?
"F-Secure Oyg"? by marsu_k · 2014-08-11 07:39 · Score: 1

I'm thinking that should probably be "Oyj", although that typo is not so easy to make (was it in the original article - how am I supposed to know? 'tis /.). But what that means (in Finnish, F-Secure is from .fi) is a public company. And whether the company is public or private is quite irrelevant in this context. Just call them F-Secure like everyone else.
1. Re:"F-Secure Oyg"? by ShaunC · 2014-08-11 09:24 · Score: 1
  
  The one that always got me was "AOL Deutschland GmbH."
  
  --
  Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
Re:Google Plus is blocked in China by dk20 · 2014-08-11 13:33 · Score: 1

If it is blocked, how did he use it to apologize?

Food for thought: What makes you think they want to sell them to the west, or that they even can? Anything you have ever purchased from China was most likely via a "middle man" (made in China, sold to you by a non-Chinese company under their label). Go ahead, list off a few Chinese manufacturing firms you purchased products from.

In china, there are two markets. Made in China for sale in China, and Made in China but for export. If this is some "made in china for sale in china" why do they care what the west says? Why does the west care to "catch them"?

Lastly, perhaps "the west" should focus on catching the data theft and other crimes occurring locally and focus on others less?
Confirmed by billyswong · 2014-08-11 15:28 · Score: 1

It's already found that the official "update" only fixes a tiny part of concern. They are still sending things to China
" ... only collect users' phone numbers ... " by fygment · 2014-08-12 00:18 · Score: 1

So they only know who you speak with.
One wonders what that information would be worth and to whom.
Was phone number collection a condition in exchange for guarantees of the company's success, or did the company, after the fact, realise it had an additional profit line as its customer base increased?

--
"Consensus" in science is _always_ a political construct.