Earlier this week, Finland’s F-Secure looked into claims that Xiaomi was secretly sending data from its MIUI-powered phones back to its servers, and it turned out to be true. Despite having not added any cloud accounts, F-Secure’s brand new Redmi 1s, Xiaomi’s budget smartphone, still beamed its carrier name, phone number, IMEI (the device identifier) plus numbers from the address book and text messages back to Beijing. Worse yet, the data was unencrypted, thus allowing F-Secure and potentially anyone to, well, get to know your Xiaomi phone very easily.
Fast-growing Chinese smartphone company Xiaomi is making the cloud messaging service that is automatically activated on its devices optional for users, following security concerns raised during the past week. The MIUI Cloud Messaging service works much like Apple’s iMessage. It routes SMS sent between fellow MIUI device owners via the internet, meaning that they can message each other for free. However, a recent report from F-Secure highlighted that the service appears to share a range of information with a server in China — including the device’s IMEI number, customer’s phone number, phone contacts and text messages received. The idea of sharing such data to a server in China, where it could be open to access from the government, naturally raised some concerns, particularly since there was no way to opt out.