The Indian Air Force (IAF) has reportedly issued an advisory asking its personnel and their families not to use Xiaomi smartphones on account of 'spying'. It warns that the Chinese manufacturer transmits user data and information back to its headquarters in Beijing.
Based on a test by the security software company F-Secure, the IAF issued the alert, saying Xiaomi phones send the phone number, carrier name, IMEI (the device identifier), numbers from the address book and text messages to a suspicious IP address in Beijing.
According to a report published in The New Indian Express, this is being treated as a serious threat. Xiaomi is reportedly also facing a probe in Taiwan over similar allegations.
However, the company has denied all allegations and issued a software patch that lets users enable or disable Xiaomi's iMessage and MIUI Cloud messaging service.
According to the test F-Secure ran on the newly launched Redmi 1S, the handset was sending data back to the Chinese server without notifying the user. These MIUI-based phones keep data synchronisation switched on by default.
The F-Secure blog said, "Xiaomi phones have made news off and on in the past few months for their cheap, value for money phones and corporate moves. More recently, there were also reports that these popular devices also silently send out user details to a remote server. That came on the heels of another report of the smartphone being pre-installed with suspicious apps."
To test the device, the security company used a boxed handset. After unboxing it, they inserted a SIM card, connected to WiFi, enabled the GPS location service and added a new contact. They then sent and received SMS and MMS messages and made and received some phone calls. At the end of this, they found that the phone had sent the telecom provider's name to the server api.account.xiaomi.com. It had also sent the IMEI and phone number to the same server.
After connecting to the Mi Cloud, they repeated the same procedure and found that IMSI details as well as the IMEI and phone number were sent to the same server.
After this report was published on 7 August 2014, Hugo Barra, vice-president of Xiaomi, posted on Google Plus: "Xiaomi is a mobile Internet company committed to providing high-quality products and easy-to-use Internet services. We believe it is our top priority to protect user data and privacy. We do not upload or store private information or data without the permission of the users. This Q&A aims to address privacy concerns raised over the past 48 hours."
"A recent article in Taiwan and a related report by F-Secure raised privacy concerns by stating that Xiaomi devices are sending phone numbers to Xiaomi's servers. These concerns refer to the MIUI Cloud Messaging service described above."
Barra further explained, "As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change."
"After the upgrade, new users or users who factory reset their devices can enable the service by visiting "Settings > Mi Cloud > Cloud Messaging" from their home screen or "Settings > Cloud Messaging" inside the Messaging app — these are also the places where users can turn off Cloud Messaging," he added.
Following the update, F-Secure ran another, extended test on the MIUI app. They factory reset the phone, installed the update and found that the MIUI app is now off by default. After turning it on, they observed base64-encoded traffic being sent to https://api.account.xiaomi.com.
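The F-Secure procedure described above amounts to a simple audit: feed a fresh handset known identifiers (SIM, contact, SMS), capture its outbound requests, and check which identifiers reach which hosts, including ones hidden behind URL- or base64-encoding. The following script is an added example of that audit logic, not code from the article or from F-Secure. The identifiers, the three captured requests and the hostnames in it are all constructed placeholders; a real check would be run over requests exported from an interception proxy or packet capture.

```python
"""Audit captured outbound HTTP requests for a handset's own identifiers.

Added example (not from the article or from F-Secure): given a device's
identifiers and a set of captured requests, report which identifier left the
device, to which host, and whether it was plain, URL-encoded or base64-encoded.
"""
import base64
import binascii
import re
from urllib.parse import unquote, urlparse

# Constructed identifiers for a hypothetical test handset; none are real.
DEVICE_IDENTIFIERS = {
    "IMEI": "356938035643809",
    "IMSI": "310150123456789",
    "phone_number": "+14155550123",
    "carrier": "Example Carrier",
}

# Constructed capture of three outbound requests; hostnames are placeholders.
SAMPLE_REQUESTS = [
    {"url": "https://api.account.example.test/v1/register",
     "body": "imei=356938035643809&carrier=Example%20Carrier&locale=en"},
    {"url": "https://api.account.example.test/v1/sync",
     "body": base64.b64encode(
         b'{"imsi":"310150123456789","msisdn":"+14155550123"}').decode()},
    {"url": "https://cdn.example.test/assets/logo.png", "body": ""},
]

# A run of 16+ base64 alphabet characters, optionally padded.
_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def _base64_decodings(text):
    """Yield the UTF-8 text of every base64-looking token that decodes cleanly."""
    for token in _B64_TOKEN.findall(text):
        padded = token + "=" * (-len(token) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True)
            yield decoded.decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue


def decodings(body):
    """Return (encoding_label, text) views of a body: the raw body first, then
    its URL-decoded form if different, then any base64 tokens found in either."""
    views = [("plain", body)]
    unquoted = unquote(body)
    if unquoted != body:
        views.append(("url", unquoted))
    for text in {body, unquoted}:
        views.extend(("base64", d) for d in _base64_decodings(text))
    return views


def _forms(value):
    """The value itself plus its digits-only form, so "+1..." matches "1..."."""
    forms = {value}
    digits = re.sub(r"\D", "", value)
    if len(digits) >= 6:
        forms.add(digits)
    return forms


def find_leaks(request, identifiers):
    """Map each identifier found in the request body to (host, encoding), using
    the first (least obfuscated) view in which it appears."""
    host = urlparse(request["url"]).hostname
    found = {}
    for encoding, text in decodings(request["body"]):
        for name, value in identifiers.items():
            if name not in found and any(f in text for f in _forms(value)):
                found[name] = (host, encoding)
    return found


def audit(requests, identifiers):
    """Summarise a capture as {host: set of identifier names that reached it}."""
    report = {}
    for req in requests:
        for name, (host, _encoding) in find_leaks(req, identifiers).items():
            report.setdefault(host, set()).add(name)
    return report


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for name, (host, enc) in find_leaks(req, DEVICE_IDENTIFIERS).items():
            print(f"{name} sent to {host} ({enc})")
```

Run against the constructed capture, it reports the IMEI and carrier name going to the account host in plain and URL-encoded form, and the IMSI and phone number going to the same host inside a base64 blob, while the static asset fetch is clean. In practice the interesting output is the hosts column: any host that receives identifiers without the user having enabled a sync feature is the finding to follow up.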
Technically, any smartphone app that syncs data has to store it somewhere, which is why vendors set up data centres for the purpose. Using the app and keeping your data in the cloud means you have consented to the provider holding that data. Popular cloud services such as iCloud, Google Drive, Dropbox and Amazon's Kindle service all work the same way.
The Directorate General of Military Operations of the Indian Army had also issued a similar security warning about Chinese mobile applications a few months earlier. The Army claimed that every Chinese company connected to internet and telecom operators is legally bound to share the entire content of its platform.
In an e-mail conversation, Xiaomi India Head Manu Jain said, "We do not have full information about the circular issued by IAF, however we believe that this advisory circular is based on events about three months back. We believe, it refers to the F-Secure test done on the Redmi 1S in July 2014 about the activation of our Cloud Messaging service by default."
"As you already know, we immediately addressed the concerns raised by F-Secure: We scheduled an OTA system update on 10th Aug 2014 to implement a change, which ensured that all the users had to manually activate the Cloud services, instead of being activated by default," Jain added.
Coincidentally, a few days ago, Barra had said that Xiaomi would migrate all international user data from its Beijing data centre to Amazon data centres in California and Singapore. He said this process would be completed by the end of this month, though he did not mention the security episode.
Xiaomi currently sells the Redmi 1S in India through a pre-registration system on Flipkart. The company has already sold 95,000 Mi3 and 5,80,000 Redmi 1S units via flash sales.
The Redmi 1S booking is still open as the company plans to launch Redmi Note and Mi4 in India.