Xiaomi issues fix addressing concerns over contact slurping

Chinese smartphone upstart Xiaomi has released a software update to allay concerns over its devices sending contact lists to the company’s headquarters in Beijing. 

The smartphone maker, which recently overtook Samsung in sales in China, issued an update on Sunday to its custom Android firmware that makes its MIUI Cloud Messaging service opt-in. Like Apple's iMessage, the service lets device owners avoid SMS charges when they are online; in Apple's case it is restricted to messages between Apple users.

The update followed a July report on a Taiwanese mobile forum that raised concerns about contact data on Xiaomi devices being sent to a server in China. Finnish security vendor F-Secure tested the claims last week and confirmed that a Xiaomi RedMi 1S was sending details to the server api.account.xiaomi.com, including the device's IMEI (a unique hardware identifier), its IMSI (the subscriber identifier stored on the SIM), the device's own phone number, and the phone numbers of contacts in its address book.

Xiaomi responded to the forum claims in July on its Facebook page, stating that its cloud services were off by default and that users who joined could disable them at any time. The company said it had no interest in doing anything illegal that could harm its expansion beyond its current markets: China, Hong Kong, Taiwan, Singapore and, more recently, India.

Collecting device contacts and messages might not be illegal per se. However, F-Secure's report appeared to show that Xiaomi's cloud features were in fact not off by default and that they collected more than identifiers: it found that SMS messages received by the device were also sent to Xiaomi. With the increased attention, Xiaomi issued an update that made its cloud messaging service opt-in.

“As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change,” Hugo Barra, a former Google executive who left for Xiaomi a year ago, said on Sunday.

Barra said Xiaomi collected phone numbers to route messages, and that the IMSI and IMEI were used to tell whether senders and receivers were online, so the device could decide whether to send a message over the internet or fall back to the mobile network.

“When a MIUI user opens a text message or a phonebook contact, or creates a new contact, the device connects to the Cloud Messaging servers, forwards the phone number of that contact and requests the online status of the corresponding user, which is indicated by a blue icon when that user is online or gray icon if that user is offline (or is not a Cloud Messaging user). This allows the sender to immediately know whether they can text that user without incurring SMS costs,” explained Barra.

According to Barra, these details are collected only to determine the online status of participants and to route messages.

“No phonebook contact details or social graph information (i.e. the mapping between contacts) is stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.”

The update also means that, for users who opt in to the service, phone numbers sent to Xiaomi's cloud messaging servers will no longer be transmitted in clear text. That protects the numbers from anyone eavesdropping on the connection; it does not stop Xiaomi itself from seeing them, since the server still has to read each number to answer the presence lookup.
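The presence lookup Barra describes, and the effect of the opt-in change, can be modelled in a few lines. The following is an added illustration written for this article, not Xiaomi's code: the class names, message fields, and the IMEI, IMSI and phone numbers are all constructed. The server side records everything a lookup reveals to it, which is exactly what encrypting the transport does not hide; the client side shows that an opted-out phone makes no request at all and falls back to SMS.

```python
"""Model of the MIUI Cloud Messaging presence lookup described in the
article. Added example; not Xiaomi's code. All identifiers, message
fields and sample numbers below are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass
class PresenceServer:
    """Stand-in for the Cloud Messaging server.

    online_users: phone numbers of users currently online (constructed).
    seen: every lookup the server could log. Even when the request is
    encrypted in transit, the server must decrypt it to answer, so it
    still learns the requesting device's identifiers and each contact's
    number.
    """
    online_users: set
    seen: list = field(default_factory=list)

    def lookup(self, device_id: dict, contact_number: str) -> bool:
        """Return True if contact_number belongs to an online user."""
        self.seen.append({**device_id, "contact": contact_number})
        return contact_number in self.online_users


@dataclass
class Phone:
    """A MIUI device; cloud_messaging_enabled models the opt-in switch."""
    imei: str
    imsi: str
    number: str
    cloud_messaging_enabled: bool
    server: PresenceServer
    sent: list = field(default_factory=list)

    def open_contact(self, contact_number: str) -> str:
        """Icon shown next to the contact: 'blue' (online), 'gray'
        (offline / not a Cloud Messaging user) or 'none' (opted out)."""
        if not self.cloud_messaging_enabled:
            return "none"  # opted out: no network request is made
        online = self.server.lookup(
            {"imei": self.imei, "imsi": self.imsi, "number": self.number},
            contact_number,
        )
        return "blue" if online else "gray"

    def send_text(self, contact_number: str, body: str) -> str:
        """Route over the internet if the peer is online, else fall back
        to SMS. Returns the transport used."""
        transport = "internet" if self.open_contact(contact_number) == "blue" else "sms"
        self.sent.append((transport, contact_number, body))
        return transport


def simulate() -> dict:
    """Run one opted-in and one opted-out phone against the same server
    and report which transport each message used and what the server saw."""
    server = PresenceServer(online_users={"+8613800000002"})  # constructed
    opted_in = Phone("356938035643809", "460001234567890",
                     "+8613800000001", True, server)
    opted_out = Phone("490154203237518", "460009876543210",
                      "+8613800000003", False, server)

    in_transports = [
        opted_in.send_text("+8613800000002", "hi"),   # peer online -> internet
        opted_in.send_text("+886912345678", "hi"),    # not a user  -> sms
    ]
    out_transports = [
        opted_out.send_text("+8613800000002", "hi"),  # opted out   -> sms, no lookup
    ]
    return {
        "opted_in": in_transports,
        "opted_out": out_transports,
        "server_saw": server.seen,
    }


if __name__ == "__main__":
    result = simulate()
    print("opted-in phone used:", result["opted_in"])
    print("opted-out phone used:", result["opted_out"])
    for entry in result["server_saw"]:
        print("server learned:", entry)
```

Running it shows the opted-in phone routing one message over the internet and one over SMS, while the opted-out phone never contacts the server; the two server log entries each carry the requesting device's IMEI, IMSI and number alongside the looked-up contact, which is the data F-Secure observed leaving the device.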


This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by Liam Tung