F-Secure in Finland have been looking into allegations that XiaoMi was secretly sending data from its MIUI-powered phones back to its servers. It turns out this claim against the Chinese company was true. F-Secure did not add any cloud accounts and yet it’s brand new RedMi 1s transferred its carrier name, phone number, IMEI (the device identifier) as well as contact numbers and text messages back to Beijing. The data sent was found to be unencrypted. Hence, being vulnerable to anyone who wanted the data.
XiaoMi has taken to Google Plus to respond and patch up this mistake. Hugo Barra, the company’s vice president explained that the data link is actually part of MIUI’s cloud messaging service, which helps determine whether it can route your text messages over the Internet for free. The company had this feature turned on by default for convenience. Hence, the user is not prompted by the device for permission. However, with a new ROM update underway, the data will be encrypted and users will now have to manually enable the cloud messaging function.
The post on Barra’s Google Plus account explains the incident and explanation in great detail. Somewhere in his lengthy post, he ensures all that XiaoMi does not permanently store any of the data sent to its cloud messaging servers. We’ve linked his page in the source below just in case you’re interested in having a read!