What a week it has been for Xiaomi. Last Tuesday, the company announced its highly-anticipated flagship smartphone, the Mi 4. Around the same time, a moderator on a Hong Kong-based forum published what appears to be damning evidence that one of Xiaomi’s devices was discreetly pinging a server located in China. There was also apparent evidence suggesting the device was even uploading user data such as messages and pictures onto the server, even when Mi Cloud was disabled.
Could it be that Xiaomi installs spyware on its smartphones? Could it be that the MIUI software also contains spyware?
We received a tip yesterday morning about an article in GSMarena claiming that the popular Redmi Note smartphone has spyware embedded deep within the system that even manages to ping a server in China when the user flashes the software to replace MIUI. The source of this article was a ten-day-old article from a site called OCWorkbench, which took the information found in a Hong Kong-based forum called IMA Mobile, and made no further investigation into the matter before publishing it.
At this point, it should be easy to take the news with a pinch of salt: while the screenshots do not appear to have been tampered with, the fact that no other major publication had covered it should also mean something.
Regardless, GSMarena ran the story, sourcing OCWorkbench. Finally, there were some doubts. There’s a fascinating debate between two of GSMarena’s comment moderators in that post, with both having polar opposite views on the matter. We sought clarification from Xiaomi on the matter, and the company has finally responded. So, does Xiaomi really install spyware on its phones?
In one word: No.
One of the glaring omissions from the GSMarena article was the fact that Xiaomi Hong Kong’s official Facebook page published a statement less than two days after the original OCWorkbench post, addressing the privacy concerns. The OCWorkbench article, we were told, “severely misinterpreted” the forum discussion thread, and contained plenty of factual errors that may have been caused by poor translation.
In fact, the forum member in question made no mention that he had flashed MIUI with another ROM. Secondly, the screenshots taken as “evidence” of data uploads were merely pings to Xiaomi servers to initiate a download. The article also shows that the IP addresses the Redmi Note was pinging belonged to a company called Forest Eternal Communication Tech. Co. Ltd, which is the Internet Data Center where Xiaomi hosts its servers – something both articles failed to mention.
Finally, one of the main reasons why this issue caused quite a furore was because the Messaging app was pinging the servers instead of a core system app. One crucial bit of information that would explain this is the fact that MIUI’s Messaging app also serves as an over-the-air update tool for Xiaomi to push SMS messages to its users containing anything from greeting messages and jokes to location-based ads. It is a common feature in China, and in Malaysia, we also see this sort of spam message ad pushed to our SMS inboxes from our local telcos. To generate these personalised messages, MIUI pings the Xiaomi servers in China before pushing the messages out to users – and not to secretly initiate user data uploads.
Almost every app pings a server to initiate an action, like Gmail to refresh your inbox, hence the act of pinging a server should not be construed as a suspicious act in itself.
In any case, Xiaomi’s international Facebook pages will all run a Q&A post to address the privacy concerns later today. Xiaomi’s Hugo Barra has already shared the post (as has Mi India’s Facebook page), which is essentially a translated version of the one posted on the company’s Hong Kong Facebook page. It reads as follows:
Q: Online articles recently referred to some privacy issues with the Redmi Note, claiming that photos and text messages are sent to China secretly. Are they true?
A: An article severely misinterpreted a discussion thread asking about the Redmi Note’s communication with a server in China. The article also neglected to refer to a Chinese version of this Q&A already posted on the Xiaomi Hong Kong Facebook page (https://www.facebook.com/Xiaomihongkong/posts/799059896795602). MIUI does not secretly upload photos and text messages.
MIUI requests public data from Xiaomi servers from time to time. These include data such as preset greeting messages (thousands of jokes, holiday greetings and poems) in the Messaging app and MIUI OTA update notifications, i.e. all non-personal data that does not infringe on user privacy.
Q: Does Xiaomi upload any personal data without my knowledge?
A: Xiaomi offers a service called Mi Cloud that enables users to back up and manage personal information in the cloud, as well as sync to other devices. This includes contacts, notes, text messages and photos. Mi Cloud is turned off by default. Users must log in with their Mi accounts and manually turn on Mi Cloud. They also have the option to only turn on backup for certain types of data. The use and storage of data in Mi Cloud fully respects the local laws of each country and region. Strict encryption algorithms are implemented to protect user privacy.
Q: Can I turn Mi Cloud off?
A: Yes. Just go to Settings > Mi Cloud to turn it off. If you would like to use a cloud backup service from another provider, there are options from Google, Dropbox and many others.
Q: Why should I believe you?
So, spyware vendor, or just a victim of sensationalised clickbait? You decide.