Chinese smartphone upstart Xiaomi has released a software update to allay concerns over its devices sending contact lists to the company’s headquarters in Beijing.
The smartphone maker, which recently topped Samsung by sales in China, issued an update on Sunday for its custom Android firmware to make its MIUI cloud messaging service opt-in for users. Similar to Apple’s iMessage, it offers a way for Xiaomi device owners to bypass SMS charges when they are online, which in Apple's case is restricted to messages between iPhone users.
The update followed a July report in a Taiwanese mobile forum, which raised concerns about contact data on Xiaomi devices being sent to a server in China. Finnish security vendor F-Secure tested the claims last week and confirmed that a RedMi 1S Xiaomi phone was sending details to a server api.account.xiaomi.com, including the unique device identifier (called IMEI), a SIM identifier (IMSI), the device’s phone number, and the numbers of contacts in the device’s phone book.
Xiaomi responded to the claims in the Taiwanese forum this July on its Facebook profile, claiming that its cloud services were off by default and that even after joining, users could always disable it. The company said it had no interest in doing anything illegal that could harm its expansion beyond its current markets, China, Hong Kong, Taiwan, Singapore and more recently India.
Collecting device contacts and messages might not be illegal per se, however F-Secure’s report seemed to show that Xiaomi’s cloud features in fact were not off by default and collected more than identifiers. It found Xiaomi also collected SMS received by a device. With the increased attention, Xiaomi issued an update that made its cloud messaging service opt-in.
“As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change,” Huga Barra, a former Google exec who left for Xiaomi a year ago, said on Sunday.
Barra said it collected phone numbers to route messages and that IMSI and IEMI data was used to tell whether senders and receivers were online so that it could determine whether or not to use the internet or fall back to a mobile network to send the message.
“When a MIUI user opens a text message or a phonebook contact, or creates a new contact, the device connects to the Cloud Messaging servers, forwards the phone number of that contact and requests the online status of the corresponding user, which is indicated by a blue icon when that user is online or gray icon if that user is offline (or is not a Cloud Messaging user). This allows the sender to immediately know whether they can text that user without incurring SMS costs,” explained Barra.
According to Barra, these details are only collected to see the online status of participants and to route messages.
“No phonebook contact details or social graph information (i.e. the mapping between contacts) is stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.”
The update will also mean that for those that opt-in to the service, phone numbers sent to Xiaomi’s cloud messaging servers will no longer be sent in clear text. In other words, if Xiaomi users opt-in to its service, the company will still be able view them, while making it difficult for others to do so.
This article is brought to you by Enex TestLab, content directors for CSO Australia.
Have you registered yet to hear from Richard Thieme, Fran Trentley, CERT Australia, NBN Co, telstra, Women in IT security, Craig Davies and many more... No then Register your seat today not many left
Earn CPE credits and recieve the book "Mind Games"signed by the author as well on the day.