Two days ago, F-Secure released a test lab report that the Xiaomi phone is sending private data to the backend servers in China. This is inline what we have translated earlier from a HK mobile forum and a screenshot of TCP Dump about the potential privacy issues.
It is now claimed that Cloud Messaging is automatically activated and they are now issuing a firmware update to correct this problem. If you are an iPhone user, it also has a feature known as iMessaging which is turned off by default.
So are there any features which are automatically turned on by default ? Questions on why the Xiaomi phones keeps connecting to third party servers remain unanswered.
The FAQ is reproduced below:
MIUI Cloud Messaging & Privacy
Xiaomi is a mobile Internet company committed to providing high-quality products and easy-to-use Internet services. We believe it is our top priority to protect user data and privacy. We do not upload or store private information or data without the permission of users. This Q&A aims to address privacy concerns raised over the past 48 hours.
Q: What is MIUI Cloud Messaging?
A: Xiaomi offers a free service called Cloud Messaging as part of its MIUI operating system. This service allows MIUI users to exchange text messages with each other free of SMS charges, by routing messages via IP instead of using the carrier’s SMS gateway.
Q: How does Cloud Messaging work? Does it store any private user information?
A: When a Mi phone is turned on, the Cloud Messaging service is automatically activated through IP communication protocol with Xiaomi servers, in order to provide the user with the free text messaging capability. MIUI Cloud Messaging uses SIM and device identifiers (phone number, IMSI and IMEI) for routing messages between two users, in the same way as some of the most popular messaging services. Some technical implementation details are provided below. Users’ phonebook contact data or social graph information (i.e. the mapping between contacts) are never stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.
Q: How does this relate to the privacy concerns raised about Xiaomi over the last 48 hours? What’s your response?
A: A recent article in Taiwan and a related report by F-Secure raised privacy concerns by stating that Xiaomi devices are sending phone numbers to Xiaomi’s servers. These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change. After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.
We apologize for any concern caused to our users and Mi fans. We would also like to thank the media and users who have been sending us feedback and suggestions, allowing us to improve and provide better Internet services.
Q: How exactly does the MIUI Cloud Messaging system handle phone numbers?
A: For those interested in specific details about the MIUI Cloud Messaging implementation:
– The primary identifiers used to route messages are the sender and receiver’s phone numbers. IMEI and IMSI information is also used to keep track of a device’s online status.
– When a user sends a text message, if there is an Internet connection available, the Cloud Messaging system will attempt to route the message via IP. If the receiver is offline (i.e. not immediately reachable via IP), the system falls back to sending a normal SMS message from the sender’s device.
– When a MIUI user opens a text message or a phonebook contact, or creates a new contact, the device connects to the Cloud Messaging servers, forwards the phone number of that contact and requests the online status of the corresponding user, which is indicated by a blue icon when that user is online or gray icon if that user is offline (or is not a Cloud Messaging user). This allows the sender to immediately know whether they can text that user without incurring SMS costs.
– In any of these flows, the receiver’s phone number is only used to look up online status and to route messages. No phonebook contact details or social graph information (i.e. the mapping between contacts) is stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.
– The OTA system update made available today (Aug 10th) adds an extra layer of security by encrypting phone numbers whenever they are sent to Cloud Messaging servers.
– We will continue to make changes and improvements to this architecture as needed over time.