F-Secure, an antivirus, online security and content cloud solutions company, recently ran some tests and found that when one of the Xiaomi phones (the RedMi 1S in this test) is used, information such as the phone number, the telco name and the IMEI (the phone’s unique ID number) is sent to a remote server, api.account.xiaomi.com. According to the post on the F-Secure blog, even the phone numbers of contacts that were added (whether manually or through received SMS messages) were forwarded to the same server. This information was being sent to a remote server in Beijing even though the testers at F-Secure hadn’t yet activated the cloud service that comes with Xiaomi’s budget smartphone. Another alarming aspect was that the data was being sent unencrypted, so it was available to anyone who might have wanted it.
According to Xiaomi VP Hugo Barra (who is also an ex-Googler), the Chinese smartphone company was trying to imitate Apple’s iMessage by checking whether the messaging service could route the owner’s text messages over the Internet for free. The only problem is that with iMessage you need to turn these features on manually, whereas with Xiaomi they were turned on by default. The company has released a patch to sort out the problem, and new handsets will be shipped with this feature turned off.
This is what Hugo Barra recently wrote on his Google Plus page:
A recent article in Taiwan and a related report by F-Secure raised privacy concerns by stating that Xiaomi devices are sending phone numbers to Xiaomi’s servers. These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change. After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.
We apologize for any concern caused to our users and Mi fans. We would also like to thank the media and users who have been sending us feedback and suggestions, allowing us to improve and provide better Internet services.
Whatever the intention was and whatever corrective measures the company is taking, it was a big screwup for its international efforts at launching a global product that aspires to compete with Samsung and Apple. The mere fact that the data was not encrypted can be a big PR disaster for the company.
Another concern: what if many smartphone companies are uploading user data like this and then selling it to other companies? They are selling cheaper phones, and perhaps they are making up the difference by selling information gathered from these cheap phones. Such revelations can also have a negative impact on mobile e-commerce. Fortunately for these companies and unfortunately for the users, people are not as careful as they should be when sharing critical information via their mobile phones.