Confirmed – Xiaomi Phones Send your Data to Servers in China

Xiaomi phones have been in controversy for a while now. Quite a few websites have accused Xiaomi phones of sending sensitive data from your phone to unknown servers located in China. This could be a huge threat and a mass privacy invasion. It was initially reported in a few newspaper articles and wasn’t confirmed at the time, since they didn’t have a reliable source or the expertise to test it. Here are some links to the newspaper articles – Link 1, Link 2, Link 3.

Recently the folks at F-Secure decided to test it out (sadly I can’t get my hands on the phone due to the huge demand in India). According to their test reports, Xiaomi phones send quite a lot of personal and sensitive data to the anonymous servers, and we have no idea what is done with it.

Proof of Xiaomi forwarding sensitive data - F-Secure Weblog

List of data *forwarded* by Xiaomi Phones

  • IMEI Number of your phone
  • IMSI Number (through MI Cloud)
  • Your contacts and their details
  • Text Messages

Note that this data is not stored for your safety; this information is *forwarded* without your prior consent or permission. A few pre-installed apps help pull this off. These tests were done on the Xiaomi Redmi 1S; however, all of their phones seem to behave in the same manner. All the data is sent to api.account.xiaomi.com.
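The way a claim like this gets verified is the way F-Secure did it: capture the handset's outbound traffic and look for device and subscriber identifiers in what leaves. The script below is an added example written for this page, not F-Secure's or Xiaomi's code. It takes a constructed list of outbound HTTP requests (hosts, paths and identifier values are all made up), tags anything that looks like an IMEI, IMSI or phone number, and reports which identifiers went to which host, with `api.account.xiaomi.com` as the watched destination the page names. The IMEI/IMSI split by Luhn checksum is a heuristic, not a standard:

```python
import re
from urllib.parse import unquote

# Constructed sample of outbound HTTP requests, in the shape a traffic capture
# of a handset under test might be reduced to: "METHOD host path [body]".
# Every host, path and identifier value here is made up for this example.
SAMPLE_REQUESTS = [
    "POST api.account.xiaomi.com /pass/register imei=356938035643809&imsi=404450012345678&phone=%2B919876543210",
    "GET api.account.xiaomi.com /status?contact=%2B919812345678",
    "GET connectivitycheck.example.net /generate_204",
    "POST sync.example.org /upload id=1234",
]

# Hosts the page names as the destination of the forwarded data.
WATCHED_HOSTS = {"api.account.xiaomi.com"}

# Any run of exactly 15 digits (IMEI and IMSI are both 15 digits long).
FIFTEEN_DIGITS = re.compile(r"(?<!\d)\d{15}(?!\d)")
# International phone number, E.164-style: "+" followed by 10 to 14 digits.
PHONE_RE = re.compile(r"\+\d{10,14}")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which a well-formed IMEI satisfies and an IMSI does not carry."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_identifiers(data: str) -> set:
    """Heuristic tags for device and subscriber identifiers found in request data."""
    data = unquote(data)        # %2B -> "+", so URL-encoded phone numbers become visible
    kinds = set()
    for m in FIFTEEN_DIGITS.finditer(data):
        # Heuristic: a 15-digit value passing Luhn is treated as an IMEI,
        # one failing it as an IMSI. A random IMSI passes Luhn 1 time in 10.
        kinds.add("imei-like" if luhn_valid(m.group()) else "imsi-like")
    if PHONE_RE.search(data):
        kinds.add("phone-like")
    return kinds


def parse_request(line: str):
    """Split 'METHOD host path [body]' into (method, host, everything else)."""
    parts = line.split(" ", 3)
    method, host, path = parts[0], parts[1], parts[2]
    body = parts[3] if len(parts) > 3 else ""
    return method, host, path + " " + body


def audit(requests) -> dict:
    """Map each destination host to the sorted identifier kinds sent to it."""
    findings = {}
    for line in requests:
        _, host, data = parse_request(line)
        kinds = classify_identifiers(data)
        if kinds:
            findings.setdefault(host, set()).update(kinds)
    return {host: sorted(kinds) for host, kinds in findings.items()}


def leaks_to_watched(findings: dict, watched=WATCHED_HOSTS) -> dict:
    """Subset of the findings whose destination is one of the watched hosts."""
    return {host: kinds for host, kinds in findings.items() if host in watched}


if __name__ == "__main__":
    found = audit(SAMPLE_REQUESTS)
    for host, kinds in sorted(found.items()):
        flag = "WATCHED" if host in WATCHED_HOSTS else "other"
        print(f"{host:32} {flag:8} {', '.join(kinds)}")
```

On a real capture the requests would first have to be made readable (the traffic may be TLS-protected, which means intercepting it on a test device you control), and the regexes would need tuning for the formats actually observed; the point of the check is the per-host tally, which tells you whether identifiers leave the device at all and where they go.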

China has been known for its digital spying and privacy invasion. Of course we are the small pawns in the race and will most likely never know what actually happened behind the curtains, but this is a serious issue.

I personally know a lot of people who’ve been trying to buy this phone from Flipkart and always end up complaining that thousands of units are sold in a matter of seconds. I would advise you to stay away and not fall for the cheap stuff. Always understand that if you’re getting something dirt cheap, you are compromising on other aspects.

Since we’re still new to Xiaomi phones, I would love to have your input to see if we can gather some more information on it.

24 thoughts on “Confirmed – Xiaomi Phones Send your Data to Servers in China”

  1. Thanks for this info. I could not place my order last time on Flipkart and it looks like I would not even want to anymore :-)

      1. Do you even know Google has been spying on you for decades, and WhatsApp has started spying on your personal messages? Gmail knows everything that you send or receive. Even PayPal shares records of credit cards and other bank details. But the problem is you never open your mouth about these companies. While one company is giving tough competition to other smartphone companies, and yeah, this is how they make the other rising companies lose. Great

  2. The data is sent to China for safekeeping purposes. There is no problem with doing this because it is looking after the customer properly.

    1. Hello Weng,
      I understand what you mean. However, the data that is being sent to the servers in China has no prior approval or permission to be backed up. When we refer to countries such as the US (not the NSA), it’s the users who “agree” to let Google, Foursquare etc. websites / organizations collect their data.

  3. Why the contacts and text messages??? Seems it is used to see whether any sensitive data is shared through SMS, maybe by govt employees.

    1. Hello,
      The information is being sent to China and not to any Indian location. So if you were right and the data was intercepted by the Chinese government, that’s an even bigger problem.

  4. Actual text message content isn’t being forwarded; it’s the phone numbers the SMSs come from.

    Read the F-Secure article properly.

    Plus this is only a pseudo concern for people who don’t have any sort of online backup solutions/settings set up on their current smartphones.

  5. You can always get the ROM from en.miui.com and flash it on your phone if you’re into rooting & if it’s available. It’s the same ROM and you can remove any software you want if you flash it with the rooted version of the ROM (if it’s the Mi 3; ROMs for other phones are pre-rooted anyway).

  6. SMART phones are built for smart people. Android is built for total control, i.e. you will have to learn to be an engineer, or use a phone like Apple and Windows and your data is secure in their servers, so to speak.

  7. the F-Secure tests showed that:
    when not logged into Mi Cloud
    the phone numbers of contacts added to the phone book and of SMS messages received are sent

    when logged in to Mi Cloud the IMSI details, IMEI and phone number were sent to api.account.xiaomi.com

    nowhere does F-Secure claim text messages were forwarded without consent

    https://i.mi.com/privacy_en.htm
    Xiaomi’s privacy policy tells you they collect that information and why

    you may not believe the reasons they give but it is incorrect to say we have no idea what that info is used for.

  8. It’s bullshit!
    You have been giving out your photos, mail, contacts, files, saved passwords in Chrome, wifi passwords, everything to Google. Why should people panic about Xiaomi?
    Seems competitors are freaked out by the popularity of Xiaomi devices and are doing these stunts.

  9. OH damn…
    I bought the Xiaomi Mi 3 in the first slot and this is what I never expected.
    The device is great but if I lose my privacy then I don’t need this thing… :(

    However, do you think it is the same for the Xiaomi Mi 3 too, as the device F-Secure tested is the Xiaomi 1S?

    And what about the response from Xiaomi… Do you think Mr. Barra’s statement has any gravity?

  10. Firstly, they’re not “anonymous servers” – it’s clearly marked as account.xiaomi.com – a subdomain of the company that makes the damn phone.
    Secondly, the information is backed up (or more specifically – synced) in a way much like Apple does with iCloud. So if you’re using more than one Xiaomi device, your messages and contacts etc. are synced across all of them. Or if you format your phone, all that information will be transferred back to your phone.

    Yes, China is a “big, scary unknown country”, and though I don’t agree with the silly controls the gov’t has on information and the internet, not everything made here is out to steal your life and secrets. But you’re right, they don’t ask permission. The phone and company are Chinese – they don’t need to; if you’re eager to use a Chinese phone then you need to deal with that.

    So take a chill lozenge.

  11. Guys,
    China is a REAL threat to India, more than the USA or for that matter any other country.
    Already they have claims on Indian territories like Arunachal Pradesh.
    They have annexed Tibet and lay claims to Japanese islands.
    They have real expansionist plans. Anyone recollecting the programme aired on a channel (I think it was TimesNow) showing “Operation Diamond Necklace”?
    So, guys, before accusing WhatsApp, Facebook or Google and defending China, THINK TWICE.
    Tomorrow, you may have to regret it.

  12. Please read the following for your information; this was posted by Hugo in his Facebook account

    https://www.facebook.com/hbarra76/posts/10152175849466612

    MIUI Cloud Messaging & Privacy
    Xiaomi is a mobile Internet company committed to providing high-quality products and easy-to-use Internet services. We believe it is our top priority to protect user data and privacy. We do not upload or store private information or data without the permission of users. This Q&A aims to address privacy concerns raised over the past 48 hours.
    Q: What is MIUI Cloud Messaging?
    A: Xiaomi offers a free service called Cloud Messaging as part of its MIUI operating system. This service allows MIUI users to exchange text messages with each other free of SMS charges, by routing messages via IP instead of using the carrier’s SMS gateway.
    Q: How does Cloud Messaging work? Does it store any private user information?
    A: When a Mi phone is turned on, the Cloud Messaging service is automatically activated through IP communication protocol with Xiaomi servers, in order to provide the user with the free text messaging capability. MIUI Cloud Messaging uses SIM and device identifiers (phone number, IMSI and IMEI) for routing messages between two users, in the same way as some of the most popular messaging services. Some technical implementation details are provided below. Users’ phonebook contact data or social graph information (i.e. the mapping between contacts) are never stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.
    Q: How does this relate to the privacy concerns raised about Xiaomi over the last 48 hours? What’s your response?
    A: A recent article in Taiwan and a related report by F-Secure raised privacy concerns by stating that Xiaomi devices are sending phone numbers to Xiaomi’s servers. These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change. After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.
    We apologize for any concern caused to our users and Mi fans. We would also like to thank the media and users who have been sending us feedback and suggestions, allowing us to improve and provide better Internet services.
    Q: How exactly does the MIUI Cloud Messaging system handle phone numbers?
    A: For those interested in specific details about the MIUI Cloud Messaging implementation:
    – The primary identifiers used to route messages are the sender and receiver’s phone numbers. IMEI and IMSI information is also used to keep track of a device’s online status.
    – When a user sends a text message, if there is an Internet connection available, the Cloud Messaging system will attempt to route the message via IP. If the receiver is offline (i.e. not immediately reachable via IP), the system falls back to sending a normal SMS message from the sender’s device.
    – When a MIUI user opens a text message or a phonebook contact, or creates a new contact, the device connects to the Cloud Messaging servers, forwards the phone number of that contact and requests the online status of the corresponding user, which is indicated by a blue icon when that user is online or gray icon if that user is offline (or is not a Cloud Messaging user). This allows the sender to immediately know whether they can text that user without incurring SMS costs.
    – In any of these flows, the receiver’s phone number is only used to look up online status and to route messages. No phonebook contact details or social graph information (i.e. the mapping between contacts) is stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.
    – The OTA system update made available today (Aug 10th) adds an extra layer of security by encrypting phone numbers whenever they are sent to Cloud Messaging servers.
    – We will continue to make changes and improvements to this architecture as needed over time.
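A model of the flows this Q&A describes (registration at boot, a presence lookup when a contact is opened, IP routing with SMS fallback, the opt-in default, and the later protection of phone numbers in transit), written as an added example for this page rather than being Xiaomi's code. The `Handset`, `CloudServer` and `SHARED_KEY` names are this example's own, and the keyed-hash pseudonym is an assumed stand-in for the "encryption" the statement mentions without describing. Each handset keeps an egress log of which identifiers left it and why, which is the view a reviewer of such a design wants to see:

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed: a key the client uses to pseudonymise numbers before they leave the
# device. The statement only says numbers are "encrypted" after the OTA; a keyed
# hash is this example's own stand-in, not Xiaomi's mechanism.
SHARED_KEY = b"example-key-not-real"


@dataclass
class CloudServer:
    """Stand-in for the presence/routing service described in the Q&A."""
    online: set = field(default_factory=set)
    seen: list = field(default_factory=list)   # every token that reached the server

    def register(self, token: str) -> None:
        self.seen.append(("register", token))
        self.online.add(token)

    def status(self, token: str) -> bool:
        self.seen.append(("status", token))
        return token in self.online

    def deliver(self, token: str, ciphertext: bytes) -> bool:
        self.seen.append(("deliver", token))
        return token in self.online          # delivered only if the peer is reachable


@dataclass
class Handset:
    number: str
    imei: str
    imsi: str
    server: CloudServer
    cloud_messaging: bool = False   # opt-in, off by default (post-OTA behaviour per the Q&A)
    protect_numbers: bool = False   # post-OTA "encrypted phone numbers", modelled as HMAC pseudonyms
    egress: list = field(default_factory=list)   # which identifiers left the device, and why

    def _token(self, number: str) -> str:
        if self.protect_numbers:
            return hmac.new(SHARED_KEY, number.encode(), hashlib.sha256).hexdigest()
        return number

    def power_on(self) -> None:
        """Activation at boot: registers presence, sending phone number, IMEI and IMSI."""
        if not self.cloud_messaging:
            return
        token = self._token(self.number)
        self.egress.append(("register", {"phone": token, "imei": self.imei, "imsi": self.imsi}))
        self.server.register(token)

    def open_contact(self, number: str) -> str:
        """Opening a contact: look up the peer's online status (blue/gray icon)."""
        if not self.cloud_messaging:
            return "gray"                    # nothing leaves the device
        token = self._token(number)
        self.egress.append(("status", {"phone": token}))
        return "blue" if self.server.status(token) else "gray"

    def send(self, number: str, text: str) -> str:
        """Route via IP when the peer is online, otherwise fall back to SMS."""
        if self.cloud_messaging:
            token = self._token(number)
            self.egress.append(("deliver", {"phone": token}))
            if self.server.deliver(token, text.encode()):   # stands in for the encrypted message
                return "ip"
        return "sms"


def plaintext_numbers_seen(server: CloudServer) -> list:
    """Tokens that reached the server and still look like a phone number."""
    return [tok for _, tok in server.seen if tok.startswith("+")]


def demo(opt_in: bool, protect: bool) -> dict:
    """Run the flow for two constructed handsets and report what the server saw."""
    server = CloudServer()
    alice = Handset("+910000000001", "IMEI-A", "IMSI-A", server, opt_in, protect)
    bob = Handset("+910000000002", "IMEI-B", "IMSI-B", server, opt_in, protect)
    bob.power_on()
    return {
        "icon": alice.open_contact(bob.number),
        "route_to_bob": alice.send(bob.number, "hello"),
        "route_to_stranger": alice.send("+910000000003", "hello"),
        "alice_egress_events": len(alice.egress),
        "plaintext_numbers_at_server": plaintext_numbers_seen(server),
    }
```

Running `demo(False, False)` shows the opt-in default: no icon lookup, SMS only, empty egress log. `demo(True, False)` reproduces the pre-OTA behaviour the F-Secure report observed, with every contact's plaintext number reaching the server on a status lookup, including numbers of people who are not users of the service. `demo(True, True)` keeps the same routing while the server only ever sees pseudonyms; whether that is an improvement depends on who holds the key, which is exactly the question the statement leaves open.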

  13. more on this; (AFAIK)
    All manufacturers do.. But contrary to denying it or taking months to fix the issue, Xiaomi has already issued a fix

    http://www.engadget.com/2014/08/10/xiaomi-privacy-issue-cloud-messaging/

    If you don’t like it don’t use it.

    Apple was recently in a similar issue (not forgetting old issues).
    Google tracks with its Google Now very prominently. You only have to say yes.
    Microsoft WinPhones will definitely ping back.
    WhatsApp actually uses phone number & ID to track users..

    IF YOU DON’T LIKE IT DON’T BUY THE PHONE
    But with Android phones you have an option.. Download the source code and compile your own OS. Keep Google Play Store out of this
