Xiaomi issues fix amid privacy scare over its cloud messaging service


Earlier this week, Finland's F-Secure looked into claims that Xiaomi was secretly sending data from its MIUI-powered phones back to its servers, and it turned out to be true. Even though no cloud accounts had been added, F-Secure's brand new Redmi 1s -- Xiaomi's budget smartphone -- still beamed its carrier name, phone number, IMEI (the device identifier) plus numbers from the address book and text messages back to Beijing. Worse yet, the data was unencrypted, thus allowing F-Secure and potentially anyone to, well, get to know your Xiaomi phone very easily. Fortunately, today the Chinese company is issuing a patch to address this booboo.

According to Xiaomi VP and ex-Googler Hugo Barra, the aforementioned data link is part of MIUI's cloud messaging service, which helps determine whether it can route your text messages over the Internet for free. Think Apple's iMessage. Alas, Xiaomi had this turned on by default with no prompt for the user, which explains it all. With today's ROM update, users of fresh or factory-restored Xiaomi devices will have to manually enable the cloud messaging function, meaning there should be no more stealthy connections back to Beijing. More importantly, the same update will also add encryption to the phone numbers sent to the servers, should users wish to keep using MIUI's cloud messaging to avoid texting charges.

Kudos to Barra, his Google+ post goes to great lengths to explain what happened. It's just as well since the latest findings have made his earlier post regarding privacy somewhat obsolete. Anyhow, the exec emphasized that his company doesn't permanently store the data sent to its cloud messaging servers:

No phonebook contact details or social graph information (i.e. the mapping between contacts) is stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.

Still, this raises the question: Shouldn't the communication be encrypted in the first place, anyway? Sounds like someone deserves a big spanking at Xiaomi HQ this weekend, for both overlooking this issue and hindering the company's global efforts. The last thing an expanding Chinese technology company needs is a privacy scare like this one, as the likes of Huawei and ZTE can attest to; though that's not to say Western companies are entirely innocent, either.

[Image credit: Xiaomi]
