F-Secure: Xiaomi Smartphones Do Secretly Steal Your Data 164
They may be well reviewed and China's new top selling phone, but reader DavidGilbert99 writes with reason to be cautious about Xiaomi's phones: Finnish security firm F-Secure has seemingly proven that Xiaomi smartphones do in fact upload user data without their permission/knowledge despite the company strongly denying these allegations as late as 30 July. Between commercial malware and government agencies, how do you keep your phone's data relatively private?
Normal now (Score:5, Insightful)
Xiaomi smartphones do in fact upload user data without their permission/knowledge
Considering that half the apps out there (and I mean benign/legitimate apps!) seem to upload user data without user's knowledge, that is not so shocking. Once you start using your phone, several apps will start siphoning your data.
Recent "simplification" of Android Google-store permissions means that I don't even know how much of a permission I am giving to a new app.
Not actually sending much info, just the IMEI (Score:5, Insightful)
So far, all they've found it doing is reporting the IMEI by sending an HTTP GET http://api.account.xiaomi.com/pass/v3/user@id?type=MXPH&externalId=01 [xiaomi.com], The data is transmitted as a cookie of the form deviceId=IMEI . (The API returns a brief reply in JSON.) That tells them the phone has connected to the phone network, and its IP address. That's not particularly interesting information. The carrier knows the IMEI number, too, of course. Perhaps this is to check up on whether carrier-reported sales data matches actual phones coming on the air.
Carriers, app vendors, Microsoft, Google, and Apple collect far more data than that. There are way too many things phoning home with the user's contact list and other personal info.
You want to be safe? (Score:4, Insightful)
Look, these days if you want to be safe, do not use a smartphone. Get a dumb phone, then you don't have to worry about any apps leaking your data.
Either an app will leak your data, someone will hack your phone, you leave it somewhere or someone steals it. Either way, you are screwed if you use your phone for all sorts of personal/business stuff.
I guess it's about convenience over personal/financial/business safety.
Your phone is not a trusted device (Score:4, Insightful)
While you may be able to test this with your own base station, the phone might also detect that it's not on an official network and therefore not do anything, but that's probably taking it a bit far.
While you could switch to a "dumb" phone, those are of course also trackable, and your conversations and messages can still be monitored, so I don't see any real gain there.
Myself, I carry a phone with me all the time, but I simply do not treat it as a secure device. If you want to take private pictures with your girlfriend, for instance, your phone is not the camera you want to use. End of story.
Re:Blackphone (Score:4, Insightful)
Get a Blackphone
...because its manufacturer assures you it's secure!
Comment removed (Score:5, Insightful)
Re:Normal now (Score:4, Insightful)
The only way around it is to avoid storing sensitive data on the phone.
This must also be an important issue for those that uses phones as security tokens, i.e. banks and other important institutions that sends an SMS with credentials to provide verification - it's a very insecure solution since the phone may have an app that forwards the credentials to a third party that can use this to access the system.
Re:So a non-denial denial (Score:2, Insightful)
"We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.
When my Android phone starts, I'm pretty sure it sends the same shit to api.account.google.com or some such. And probably to api.account.samsung.com. Because I have Google and Samsung accounts and I'm logged in by default.
Has the F-Secure tried to, as article mentions, disable the Mi Cloud account? Probably not. Because it wouldn't have been in the news then.
When news comes from "security" consultancies, I frankly often side with the manufacturers. The ensuing hype only promotes the "consultancies" - and does nothing positive for the manufacturers. Why would they (manufacturers) add something to the phone to help promote the "consultancies"?!
Blackberry, Microsoft, Apple and Google (Score:5, Insightful)
There are 4 main smartphone brands:
Apple is in the hardware business. Their goal is to sell you hardware with a basket of software that enhances the experiences and showcases the hardware.
Blackberry is in the enterprise software business. Their goal is to sell you hardware that ties you to a management system from which they make their margin.
Microsoft is in the productivity software business. Their goal is to sell you an endpoint that showcases the features of their productivity suites including their server / cloud based collaboration tools.
Google is in the advertising business. Their goal is to sell you an endpoint that showcases their web services. Those web services are designed to collect information about you to sell to advertisers.
Of those 4 companies which do you think you are going to have the toughest time with privacy? If you care about privacy and don't have a strong reason to pick Android, don't use Android, it is quite obviously going to have to be the worst of the 4. You are going to have to cut against the grain to be secure and be on a platform designed advertisers. The other 3 while they may have problems are all much much better on privacy. Blackberry's balance feature allows you to create a container which divides your data a secure side and an insecure side. They offer things like secure browsing by default. You want security choose an operating system designed to enhance not reduce security. Apple and Microsoft are sort of midpoints. Apple is very good about now allowing applications to upload data you don't know about sharing between apps is off by default. Microsoft emulated the Apple sandboxing, certification and limited interaction approach we'll see if overtime they maintain it. If you want to use these devices and have secure data something like Good's containers (which do work on Android) provide a pretty excellent way to keep specific data associated with specific applications secure.
Re:Blackberry, Microsoft, Apple and Google (Score:2, Insightful)
Google does _not_ sell user information.
They sell _the use_ of user information.
It is not the same thing.
Selling "Joe Blow works at Acme Corp and shops for sex dolls" is selling user information.
Selling "I will advertize your sex dolls to people who shop for them" is selling the _use_ of the information. Only Google knows you are Joe Blow at Acme with an interest in sex dolls. The advertiser does not; they just get a service that makes use of Google's knowledge.
Yes, Google knows your stuff. But they don't have to sell your info in order to profit from it.
Re:Won't help my ass (Score:4, Insightful)
> Unfortunately, that won't help. Your phone number(s) and your home address are already on many of your friend's devices under your real name. Apple, Google & Co already have your details [...]
While it's important to keep that in mind, the "this won't help" mindset is a classical fallacy: someone gotta start, and if (and when) it's widespread enough, it'l help all of us. Like higiene.
You don't spit on the roads, do you? Or do you shit out your window?
So if you implement that -- have a talk with your friends about it too.
Well not really, because *everybody* has to do it or it's useless, and since your phone number could easily be in 100 phonebooks that's alot of poisoning to do. And As soon as people start doing it in numbers you can imagine a malicious Google (or whatever) would implement anti-poisoning analysis.
I believe the only real solution, which is unpopular on this largely libertarian site, is to have stronger protections in law, making data about you your property and controlled as such, and penalties for misuse the same seriousness as theft. That's a long way from where we are now though.