When the Indian Air Force (IAF) assigned a ‘Medium Severity Rating’ to Xiaomi phones, it treated them as quite a threat to national security. The advisory was meant primarily for Air Force personnel and their family members, but it is not far from being a threat for Indian consumers as well. So why was this warning issued, and on what basis? It was based on a security article shared by F-Secure, which found that the phones were automatically “forwarding carrier name, phone number, IMEI (the device identifier) plus numbers from address book and text messages back to its headquarters in Beijing CHINA.”
Xiaomi is also facing a probe in Taiwan over similar allegations. These MIUI platform-based phones keep data synchronization on by default, so to test the device the security company used a boxed handset. After unboxing it, they inserted a SIM card, connected to WiFi, allowed the GPS location service and then added a new contact. They then sent and received SMS and MMS messages and made and received some phone calls. Finally, they found that the phone had sent the telecom provider’s name to the server api.account.xiaomi.com. It had also sent the IMEI and phone number to the same server.
Following the update, F-Secure ran another, extended test on the MIUI app. In their explanation, they factory reset the phone, then updated the app, and found that the MIUI app is kept off by default. After turning it on, they found base-64 encoded traffic being sent to https://api.account.xiaomi.com. Here is the detailed report – http://www.f-secure.com/weblog/archives/00002734.html
Xiaomi entered the Indian market in July this year with its Mi3 smartphone, priced at Rs 13,999, through e-commerce major Flipkart. Xiaomi currently sells the Redmi 1S in India via a pre-registration method. The company has already sold 108,000 Mi3 and 6,70,000 Redmi 1S units via flash sales.
Technically, on any smartphone, an app you use needs to archive its data somewhere, and that is the reason for setting up an appropriate data centre to store it. Using the app and keeping your data in the cloud means you have consented to take responsibility for your data. All the popular cloud services, such as iCloud, Google Drive, Dropbox or the Amazon Kindle service, follow the same process.
After connecting to the Mi Cloud, they repeated the same procedure and found that the IMSI details, as well as the IMEI and phone number, were sent to the same server.
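A test like the one described comes down to searching captured traffic for the handset's own identifiers, both as sent and after decoding. The following is an added example, not code from F-Secure's report or from Xiaomi: the identifiers, parameter names and request bodies are constructed, and only the host name comes from the article.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed identifiers of the test handset; substitute your own device's values.
KNOWN_IDS = {"imei": "490154203237518", "imsi": "404685505601234",
             "phone": "9800000000", "carrier": "ExampleTel"}
B64_RUN = re.compile(r"[A-Za-z0-9+/_-]{16,}={0,2}")

def decoded_views(body):
    """Yield (encoding, text) views of a body: as sent, URL-decoded, base64-decoded runs."""
    yield "plain", body
    url = unquote(body)
    if url != body:
        yield "url", url
    for run in B64_RUN.findall(url):
        # Accept both the standard and the URL-safe alphabet, with or without padding.
        std = run.rstrip("=").replace("-", "+").replace("_", "/")
        try:
            raw = base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but was not
        yield "base64", raw.decode("utf-8", "replace")

def find_leaks(requests):
    """Return (request index, host, identifier, encoding) for each identifier seen."""
    hits = []
    for i, (host, body) in enumerate(requests):
        seen = set()  # report each identifier once per request, at its first encoding
        for encoding, text in decoded_views(body):
            for name, value in KNOWN_IDS.items():
                if value in text and name not in seen:
                    seen.add(name)
                    hits.append((i, host, name, encoding))
    return hits

# Constructed capture: parameter names and bodies are illustrative, not the real wire format.
HOST = "api.account.xiaomi.com"
SAMPLE = [
    (HOST, "carrier=ExampleTel&imei=490154203237518&phone=%2B919800000000"),
    (HOST, "data=" + base64.b64encode(
        b'{"imsi":"404685505601234","imei":"490154203237518"}').decode()),
    ("cdn.example.test", "v=1&lang=en"),
]

if __name__ == "__main__":
    for hit in find_leaks(SAMPLE):
        print(hit)
```

Base64 hides the identifiers from a plain-text search of the capture but provides no confidentiality, which is why the decoded view is checked as well.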
After the Indian Air Force issued its warning, Xiaomi’s Hugo Barra said in a Google+ post that they are moving their data out of China to new servers. Here is the complete unedited post by him.
We’re moving your data!
User experience is hugely important to us. As a global Internet company, we really care about speed and we’re also fully committed to storing our users’ data securely at all times.
In early 2014, we kicked off a massive internal effort to expand our server infrastructure globally in order to better serve Mi fans everywhere.
Our primary goal in moving to a multi-site server architecture was to improve the performance of our services for Mi fans around the world, cut down latency and reduce failure rates. At the same time, it also better equips us to maintain high privacy standards and comply with local data protection regulations. This is a very high priority for Xiaomi as we expand into new markets over the next few years.
This server and data migration process is taking place in three phases.
Phase 1: E-commerce migration
Earlier this year, our e-commerce engineering teams started migrating our global e-commerce platforms and user data for all international users from our Beijing data centers to Amazon AWS data centers in California (USA) and Singapore. We also began using Akamai’s global CDN infrastructure to speed up static page loads.
This migration process will be completed by the end of October and will benefit users in all of our international markets — Hong Kong, India, Indonesia, Malaysia, Philippines, Singapore, and Taiwan. Users are already experiencing website speed boosts of at least 30% in markets such as Singapore, Hong Kong, Taiwan and as much as 200% in India.
Phase 2: MIUI services migration
We have also recently started migrating our MIUI services and corresponding data for all international users from our Beijing data centers to Amazon AWS data centers in Oregon (USA) and Singapore. This migration includes Mi Account, Cloud Messaging and Mi Cloud services. We are expecting to complete this migration by the end of 2014, with some parts being completed even sooner (e.g. Mi Account servers by the end of October). With this migration, we are expecting to cut network request latency for users in India by up to 350ms, and users in Malaysia to experience 2-3x faster Mi Cloud photosync.
Phase 3: Going local
In 2015, we are planning to take on a new challenge to further improve the performance of our services for users in large and fast-growing markets such as India and Brazil.
In these markets, where Amazon AWS services aren’t yet available, we will be working with local data center providers to set up our service infrastructure. Once that has been completed, users in these markets will be much closer to their data and enjoy even faster speeds by connecting to local servers. We will continue to keep everyone posted!
(on behalf of the Xiaomi infrastructure teams)
Overall, I think that before any foreign-made phones or communication devices are released in India going forward, it should be mandatory to set up a panel to review these kinds of potential threats, to avoid such panic, rather than interrogating this after such mega sales. What is your opinion on this?