Xiaomi issues fix amid privacy scare over its cloud messaging service

Richard Lai, @richardlai
August 10, 2014

Earlier this week, Finland's F-Secure looked into claims that Xiaomi was secretly sending data from its MIUI-powered phones back to its servers, and the claims turned out to be true. Even though no cloud accounts had been added, F-Secure's brand new Redmi 1s -- Xiaomi's budget smartphone -- still beamed its carrier name, phone number, IMEI (the device identifier) plus numbers from the address book and text messages back to Beijing. Worse yet, the data was unencrypted, thus allowing F-Secure and potentially anyone to, well, get to know your Xiaomi phone very easily. Fortunately, today the Chinese company is issuing a patch to address this booboo.

According to Xiaomi VP and ex-Googler Hugo Barra, the aforementioned data link is part of MIUI's cloud messaging service, which helps determine whether it can route your text messages over the Internet for free. Think Apple's iMessage. Alas, Xiaomi had this turned on by default, with no prompt about it for the user, which explains it all. With today's ROM update, users of fresh or factory-restored Xiaomi devices will have to manually enable the cloud messaging function, meaning there should be no more stealthy connections back to Beijing. More importantly, the same update will also add encryption to the phone numbers sent to the servers, should users wish to keep using MIUI's cloud messaging to avoid texting charges.

Kudos to Barra: his Google+ post goes to great lengths to explain what happened. It's just as well, since the latest findings have made his earlier post regarding privacy somewhat obsolete. Anyhow, the exec emphasized that his company doesn't permanently store the data sent to its cloud messaging servers:

No phonebook contact details or social graph information (i.e. the mapping between contacts) is stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.

Still, this raises the question: Shouldn't the communication be encrypted in the first place, anyway? Sounds like someone deserves a big spanking at Xiaomi HQ this weekend, for both overlooking this issue and hindering the company's global efforts. The last thing an expanding Chinese technology company needs is a privacy scare like this one, as the likes of Huawei and ZTE can attest to; though that's not to say Western companies are entirely innocent, either.

[Image credit: Xiaomi]
