Chinese smartphone manufacturer Xiaomi made its entry in the Indian smartphone market with its Mi 3 smartphone in July. The company made headlines after the Mi 3 handset sold like hot cakes on Flipkart. After just six weeks of massive sales in the country, Xiaomi discontinued the Mi 3 temporarily to give mileage to the much cheaper RedMi 1S smartphone, which arrived in September.
What is the data snooping concern regarding Xiaomi phones?
Before the launch of Redmi 1S, software security company F-Secure published a report in August stating that the Xiaomi RedMi 1S “sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server. The phone number of the contacts added to the phone book and also from SMS messages received was also forwarded.”
Commenting on the Mi Cloud service, the report stated, “the IMSI details were sent to api.account.xiaomi.com, as well as the IMEI and phone number.”
F-Secure published another report in a week, saying that Xiaomi had addressed the privacy concerns related to “MIUI Cloud Messaging Platform” by releasing an OTA update which made the messaging service “an opt-in feature, rather than a default one.”
The report confirmed that after the OTA update, the security experts “did not see any data being sent out from the phone.” Also, it stated that on logging into Mi Cloud, “base-64 encoded traffic is now sent.”
The updated report concluded by stating that Mi Cloud data was “now sent over HTTPS rather than HTTP, as seen in our previous testing.”
Is there still an issue?
Su Gim Goh, Security Advisor, APAC, F-Secure, visited New Delhi on September 1, the same day the Xiaomi RedMi 1S went on sale for the first time for Flipkart First subscribers. In an exclusive interaction with IndianExpress.com, he confirmed that Xiaomi has rectified the privacy issues raised by F-Secure. “The entire privacy issue was related to Xiaomi’s cloud messaging service. Previously, the cloud service got activated by default without asking for the user’s permission. So, related personal data were sent from the phone to Xiaomi’s servers in China. After we alerted about this privacy concern, Xiaomi has made the cloud service as an opt-in feature and not by default,” said Goh.
As with every cloud service, data is obviously sent to servers located outside the country with the user’s permission. Goh further confirmed that even if users opt for Xiaomi’s cloud service, the data is now being sent over secured HTTPS rather than HTTP. “The privacy concerns were addressed by Xiaomi quickly and now it’s all good,” added Goh.
So, why did Indian Air Force issue a notification against using Xiaomi phones?
The Sunday Standard recently reported that the Indian Air Force (IAF) has notified its 1,75,000 personnel and their family members not to use Xiaomi smartphones on account of ‘spying’. The report said the IAF alert was based on the inputs from CERT-In.
What’s surprising is that the IAF notification seems to refer to the same report released by F-Secure in August, about which the software security company had already confirmed that Xiaomi has rectified the issue and no longer breaches privacy.
Now, there are two possibilities: either the privacy problem with Xiaomi has returned, or the IAF notification is based on older reports. We believe it to be the latter, as no new reports have surfaced since the F-Secure clarification in September.
Is this snooping or is this normal?
In every cloud service, be it Gmail, Facebook, WhatsApp or, in this case, MIUI Cloud Messaging Platform, data is sent to and stored on servers outside the country. Xiaomi stores the data on servers based in Beijing. There is no rule or regulation from the government stating that cloud service providers have to store data within the country only. So, if a user opts for any sort of cloud service, it is totally up to the service provider where the data is stored.
How has Xiaomi responded to the latest issue?
According to Reuters, Xiaomi has announced that it is moving some data of non-Chinese customers away from its servers in Beijing in several phases to Amazon Inc servers in the US and data centres in Singapore due to the recent privacy considerations. This may be a pure coincidence, or Xiaomi may have actually reacted to the IAF notification. Either way, for a company hoping to build a strong presence across the globe, it is highly unlikely that Xiaomi will do something that will put off its customers or affect its business in the slightest way. Xiaomi has sold just over half a million handsets (Mi 3 and RedMi 1S combined) in India.