Late last week, security firm F-Secure decided to take matters into its own hands following widespread reports which claimed that Chinese smartphone company Xiaomi was selling devices which secretly ping a server in Beijing, while also discreetly uploading user data – including SMS messages and images captured from the device – to the server.
These claims proved to be untrue, but the noted mobile security firm decided to test them for itself. The firm purchased a Redmi 1S and conducted a “fresh out of the box” test, which involved inserting a SIM card, connecting to Wi-Fi and so on: basically everything a user does when setting up a new device. Throughout the process, the firm also monitored network activity going in and out of the device.
What the team found was odd: on device startup, the phone sent the telco name, IMEI number and phone number to the Xiaomi server (api.account.xiaomi.com). The team also found that when a new number is added to the contacts list, the phone again forwards the number and contact details to the server.
In addition, upon signing in to Mi Cloud, Xiaomi’s cloud service, the device then forwarded the user’s IMSI (international mobile subscriber identity) details to the same server, accompanied by the device IMEI and phone number.
Obviously, this can be a concerning affair. Why is it that Xiaomi is requesting so much information from its devices? The truth, according to Xiaomi Global VP Hugo Barra, is down to another of Xiaomi’s cloud services, called MIUI Cloud Messaging.
The MIUI ROM offers a service called MIUI Cloud Messaging, an intelligent messaging service that aims to reduce SMS costs borne by users. Essentially, MIUI Cloud Messaging re-routes outgoing text messages over IP instead of the user’s telco network, allowing users to save on SMS charges. To do this, the service attempts to identify whether both the sender and the receiver are connected to the Internet; if both are online, the SMS is sent via IP. If either party is offline, MIUI sends the text via the traditional telco network.
This feature was actually highlighted by Barra at his first meeting with Malaysian members of the media, where he noted that it is one of MIUI’s intelligent, behind-the-scenes features that enhance the MIUI user experience. Unfortunately, as the company’s popularity grows, these services have come under the spotlight, where the stigma of being a Chinese company is prevalent, especially among those in the West.
To address this latest round of allegations, Xiaomi has decided to make MIUI Cloud Messaging an opt-in service. An over-the-air (OTA) update has been made available to all Xiaomi devices, requiring users to manually enable the service for new devices. Current users will still have the option enabled, and would need to disable it via “Settings > Mi Cloud > Cloud Messaging” should they wish to opt out of the service.
More technical details on MIUI Cloud Messaging can be found in Barra’s latest Google+ post.