Xiaomi, the red-hot Chinese smartphone and mobile device maker, may have hit a wall in China.
Problems arose when a software security firm, Finland-based F-Secure, acted on stories that alleged Xiaomi was sending personal user data from its devices to cloud servers in China.
F-Secure tested a brand-new Xiaomi RedMi 1S phone to find out whether Xiaomi was truly collecting personal data surreptitiously.
After setting up the previously unused phone, F-Secure's testing revealed that Xiaomi was indeed collecting personal data.
"We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server, and the phone number of contacts added to the phone book and from SMS messages received was also forwarded," according to an F-Secure blog post. IMEI is a unique 15-digit number that identifies every mobile phone, GSM modem or device with a built-in phone or modem.
F-Secure then connected to and logged into Mi Cloud, a cloud storage service offered by Xiaomi, and found the same behavior occurring.
A Xiaomi user who is a member of a Hong Kong forum, IMA Mobile, noticed his RedMi Note smartphone kept trying to connect with an IP address in Beijing. The phone persisted in trying to contact the server despite the user turning off the phone. Even after the user erased and re-installed the Xiaomi-flavored Android OS, this behavior still occurred.
This makes it likely the phone's programming for transmitting personal info is not in the system software, but rather in the device's firmware. In other words, it's hard-wired into the phone.
After initial denials, Xiaomi has chosen to upgrade its operating system in a manner that will now tip off users that it is collecting data from their address books. The company claimed the problem was traced to a "bug in its cloud messaging system" that caused the unauthorized data transfer. Xiaomi allows users to send SMS messages over the Internet rather than a carrier's network, helping users duck data charges.
Xiaomi claimed it was only checking phone numbers in the address book to confirm those users are actually online and capable of receiving messages. The company also declared that henceforth, users would have to "opt in" to activate the smartphone's messaging system. Given the Chinese government's growing interest in Internet and social media security, Xiaomi may not be the only company engaged in this practice.
In a Q&A on Xiaomi CEO Hugo Barra's Google+ post, Barra responded to a reader who questioned why people should trust Xiaomi at this point. Barra wrote, "In a globalized economy, Chinese manufacturers' handsets are selling well internationally, and many international brands are similarly successful in China -- any unlawful activity would be greatly detrimental to a company's global expansion efforts."