Update pushed to make Cloud Messaging service an opt-in feature

Aug 11, 2014 21:33 GMT

On August 10, an apology was issued to Xiaomi phone users, as a result of independent researchers finding that the devices collect personal information entered by the user and send it to a remote server.

Hugo Barra, Xiaomi global vice president, took to Google+ to apologize to users, informing them that the data leak was due to the Cloud Messaging service, which is automatically enabled when the device is turned on.

“MIUI Cloud Messaging uses SIM and device identifiers (phone number, IMSI and IMEI) for routing messages between two users, in the same way as some of the most popular messaging services,” said Barra in the post.

All similar services send this data, but users are generally made aware of the matter from the get-go; this information is actually necessary for establishing communication with the other peers.

Barra said that the phonebook contacts are never stored on Cloud Messaging servers and that messages are saved only for as long as needed to ensure quick delivery to the recipient.

To fix the problem, the company announced that it had released an over-the-air (OTA) system update that would make the cloud messaging service an opt-in feature, meaning that users have to explicitly choose to rely on it to communicate with other Xiaomi phone users.

Last week, F-Secure ran some quick tests on the Xiaomi RedMi 1S device and found that as soon as the network was turned on, the phone would automatically seek to connect to a remote server and send over personal user information.

The security researchers had already added a few contact numbers to the address book and exchanged some messages for the sake of the tests.

They noticed that the IMEI code and the phone number of the device were sent to a server (api.account.xiaomi.com) and, after some time, the phone numbers in the address book were also delivered, along with the short text messages.

F-Secure observed that the exact same information would be sent to the same location after creating an account for the cloud service provided by Xiaomi.

Once the latest update is applied, Xiaomi RedMi 1S should no longer exhibit this type of behavior.

In addition, Barra says that the security of the information pulled from the user is being improved by encrypting the phone numbers when in transit to Cloud Messaging servers.

The representative also said that the company is committed to making every effort necessary to improve the architecture and mitigate future risks.