Xiaomi smartphones sending user data to remote servers; company issues patch after privacy concerns
Chinese Smartphone makers, Xiaomi may have dethroned Samsung but there are reports that Xiaomi phones silently send users data to remote servers. The news came on the heels of other reports of smartphones being pre-installed with suspect apps.
Security software and solutions company F-Secure, which tested Xiaomi’s Redmi 1S phone started with a ‘fresh out of the box’ test, so no account setup was done or cloud service connection was allowed.
A SIM card was inserted, connected to Wi-Fi, allowed the GPS location service, then added a new contact into the phonebook, send and received an SMS and MMS message and finally made and received a phone call.
On startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server. The phone number of contacts added to the phone book and from SMS messages received was also forwarded.
Next the phone was connected to and logged into Mi Cloud – the iCloud-like service from Xiaomi. Then the same test was repeated as before. This time, the IMSI details were sent to api.account.xiaomi.com, as well as the IMEI and phone number.
This implies that Xiaomi is collecting data from users without their consent, even if they don’t sign-up for Mi Cloud.
According to Xiaomi, this information helps the company to improve products, for customization, updates, and for statistical purposes ‘to analyze the efficiency of its business.’ It mentions that the information is not used for tracking the location of the user.
Hours after F-Secure published its report, Xiaomi revealed that it has readied an update that will be pushed out to all Xiaomi devices whereby all users will be informed about the information being sent to its servers with an option to make that as an opt-in – meaning that users can decide whether they want to send out any information to Xiaomi or not.