China Smartphone Maker Xiaomi Apologizes For Unauthorized Data Access

SpzToid writes Following up an earlier story here on Slashdot, now Xiaomi has apologized for collecting private data from its customers. From the article: "Xiaomi Inc said it had upgraded its operating system to ensure users knew it was collecting data from their address books after a report by a computer security firm said the Chinese budget smartphone maker was taking personal data without permission. The privately held company said it had fixed a loophole in its cloud messaging system that had triggered the unauthorized data transfer and that the operating system upgrade had been rolled out on Sunday. The issue was highlighted last week in a blog post by security firm F-Secure Oyg. In a lengthy blogpost on Google Plus, Xiaomi Vice President Hugo Barra apologized for the unauthorized data collection and said the company only collects phone numbers in users' address books to see if the users are online."
  • by Virtucon ( 127420 ) on Monday August 11, 2014 @01:39PM (#47648963)

    Why is it considered okay to do this until you get caught? Then you apologize? How about not stealing the information in the first place for starters. Fuckwads!

    • Why is it considered okay to do this until you get caught? Then you apologize? How about not stealing the information in the first place for starters. Fuckwads!

      The media is spinning this. It wasn't an apology, it was an explanation of what's being used. I think it was just lazy programming honestly, read the blog post [google.com] yourself. Seems reasonable.

      • by Anonymous Coward on Monday August 11, 2014 @02:43PM (#47649607)

        No, it wasn't lazy programming. It was broken by design.

        From the blog post:

        "A: For those interested in specific details about the MIUI Cloud Messaging implementation:

        - The primary identifiers used to route messages are the sender and receiver’s phone numbers. IMEI and IMSI information is also used to keep track of a device's online status."

        That's not a programming mistake.

        • Not that, the part where it wasn't encrypted.
          I don't see what the issue is with using a phone number and IMEI.
          Why is this a big deal?

    • Re: (Score:3, Insightful)

      by Anonymous Coward

      Why is it considered okay to do this until you get caught? Then you apologize? How about not stealing the information in the first place for starters. Fuckwads!

      Seems the only "Fuckwads" around here are us dumbass consumers who actually think that all those free apps we download wouldn't dare do the exact same fucking thing.

      The only real difference is you blindly agreed to the spying in the EULA you didn't bother to read.

      • by 0123456 ( 636235 ) on Monday August 11, 2014 @01:57PM (#47649215)

        Of course, if the operating system actually had real user-level security controls, the apps wouldn't be able to do that.

        I can't see myself buying another Android device so long as they expect me to allow pretty much every possible permission for every piece of crap app that doesn't even need half of them.

        • by LordLimecat ( 1103839 ) on Monday August 11, 2014 @02:07PM (#47649287)

          Cyanogenmod allows you to "accept" apps that ask for all sorts of non-core access, and then revoke it afterwards. The app can attempt to access your addressbook, but it will get blocked.

          Of course I haven't had to use it, because I generally don't run into issues with apps asking for insane levels of access. Maybe it's the apps you're using?

          • Re: (Score:2, Interesting)

            by 0123456 ( 636235 )

            Pretty much any 'social media' app now wants access to pretty much everything. I know several people who've stuck with an old version of the Facebook app before it started demanding almost complete control over the device. Other mobile operating systems let you deny Facebook access to your camera or microphone, whereas Android included that feature in a recent OS release... and then removed it.

            And, no, I'm not going to install some random other OS on the tablet when I can just buy a different device which in

            • Sometimes I feel like the world has gone mad.

              Let me get this straight. You're using a social media app-- which generally combines functionality across basically all of your phone-- but you don't like the permissions it demands. Android gives you the ability to reject updates when they request more permissions, but that's no good; you could also choose any of a million alternative apps for any given social media site ("FAST for Facebook" for example), or use the Android Open Source Project derivatives on you

          • My SO likes to play online games. The app-driven ones tend to ask for a lot of access. If this Cyanogenmod works, I'll be forever in your debt. You may have my first-born.

            thx, sr

            PS: Don't tell my SO about the first-born thing.

          • "Of course, I need to sound like a douche, and I have to blame the victim."

            Try to install any PushToTalk app from the play store, like Voxer, etc...
            Try to install Yahoo Mail.
            Try to install FB.
            Try to install anything supported by ads and watch it ask for 'fine location', contacts, phone number, etc.

            Not sure what you are using your phone for that you aren't running across apps ask for things that they probably shouldn't, and honestly I don't care, because I am sure it is a perfectly valid use case.

            • Try using apps that don't suck. For instance:
              * Facebook-- try "Fast for Facebook" [google.com] which is simultaneously faster AND less permissions-grabby.
              * Yahoo Mail-- try the inbuilt support for IMAP / POP, or any of a million other clients (TouchDown, for instance)
              * Push To Talk-- 5 minutes of googling found This app [google.com] which appears to only request the bare minimum that a PTT app would need (contacts, etc)

              Not sure what you are using your phone for that you aren't running across apps ask for things that they probably shouldn't,

              TeamViewer, Google Authenticator, Fing, Opera, Car DashDroid, Fast for Facebook, PushBullet,

              • Like I said, I don't care, just the attitude that somehow the victim is in the wrong, and the faux scolding of 'I am better than you' your attitude implied. If you reread your sentence
                "Of course I haven't had to use it, because I generally don't run into issues with apps asking for insane levels of access. Maybe it's the apps you're using?"
                and can honestly say it doesn't sound remotely douchey, then I apologize.
                "Of course I haven't ever had an STD, but I generally don't use the low end hookers you obviously us

                • TIKL is a walkie talkie app; it has to read your contacts to do the thing you downloaded it to do. Ditto call log. Location might be unnecessary, but that's "approximate", not even GPS.

                  This isn't "blaming the victim", because I don't buy that there is a victim. These are free apps which announce what they want to do, and there's a bazillion alternatives that do the exact same thing with better permissions.

                  If you want to use Privacy Ops, that's great; I just haven't found an app where I would need it yet.

                  • If you want to use Privacy Ops, that's great; I just haven't found an app where I would need it yet.

                    How about the built-in web browser?
                    According to PDroid Monitor (using CyanogenMod with P-droid patches), it can access:
                    Network Location
                    GPS Location
                    Account Credentials
                    Accounts (Listing of accounts registered with other apps on device: Dropbox, Twitter, etc. Includes name of the service, and the user ID)
                    Contacts (For what?)
                    Call Log (Why the hell would it ever need this?)
                    Bookmarks and History (Duh)

                    • Pretty much the only problematic one with firefox is start at boot. The others are all part of common features:
                      * GPS / Network location-- some sites request location data, which firefox prompts you for. It needs that permission to be able to grant the request if you approve.
                      * Account creds-- obvious
                      * Audio / camera-- voice search. It's a manually activated function. Also, HTML5 can do chats through webrtc, which needs camera / audio.
                      * Network info-- detect whether your onl

        • by mlts ( 1038732 )

          The one nice thing about Android (assuming a rooted device) is the ability to turn on and use Linux's iptables to prevent apps from phoning home. After that, Xposed and XPrivacy are good (although the interface is nowhere as nice as Protect My Privacy from Cydia on iOS) to enforce restrictions on apps that ask for more than they should.

          It would be nice if XPrivacy would fake data like PMP does, so if an app asks for GPS info, it will get GPS info, but not anything useful, or if an app asks for contacts on

          • by Shoten ( 260439 )

            The one nice thing about Android (assuming a rooted device) is the ability to turn on and use Linux's iptables to prevent apps from phoning home. After that, Xposed and XPrivacy are good (although the interface is nowhere as nice as Protect My Privacy from Cydia on iOS) to enforce restrictions on apps that ask for more than they should.

            It would be nice if XPrivacy would fake data like PMP does, so if an app asks for GPS info, it will get GPS info, but not anything useful, or if an app asks for contacts on the phone, it gets random sets of garbage.

            This is all fine and good, until one app that you want to phone home uses AWS or Cloudfront, and so does another app that you don't want phoning home. Firewalls have never been a good approach to application security...evidenced by the fact that "application security" became a concept long after firewalls were commonplace.

            • by mlts ( 1038732 )

              Android can firewall by app, so my AWS program can access what it needs, while another app with more nefarious intentions can be blocked.

              No, this isn't a cure for anything. In fact, it is a last resort. XPrivacy is the best solution for starters, as it will prompt when an app tries to use a permission, and you can allow or deny it. It would be nice to have a "fake" option, so the app -thinks- it has full permissions to do something... but in reality, it is being fed bogus data.

              • I really want to install XPrivacy but it requires Xposed. And I have had a really bad experience with Xposed. It literally burns through my battery sometimes. Especially on boot, like 90% to 70% in a couple of minutes, plus burning my hand. The tragedy is that so many Xposed modules are so incredibly useful.

    • by Etherwalk ( 681268 ) on Monday August 11, 2014 @02:29PM (#47649509)

      Why is it considered okay to do this until you get caught? Then you apologize? How about not stealing the information in the first place for starters. Fuckwads!

      When an institution or a person does something right, I find it useful to commend them for it.

      There may be many other things they can do right in the future, that they are doing wrong now. And there may be things done in the past that were profoundly wrong.

      But they've still done a good thing.

      In the United States, communications professionals (and the people they coach, like our politicians) avoid admitting when they are wrong, avoid even *engaging* in serious discussion, precisely because people so easily latch onto any words acknowledging another position and turn it into a sound bite. Attacking people who do the right thing for not doing more encourages them *not* to do the right thing in the first place.

      Here, a company admitted it was wrong and apologized. It may or may not be disinformation to distract us from spying on behalf of the Chinese Government; and the company may or may not still be doing things we consider wrong. But the company's message was the right one, and they deserve praise for taking responsibility for a foul-up and acting to correct it.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        This is the stupidest logic I've read in a long time. It's like saying that if I apologize after raping you, then you shouldn't be angry at me for raping you. I mean, I apologized right! No harm, no foul.

      • You think it's commendable to apologize "Sorry we only copy your address book to 'see if you're online' "? No, they copy your address book to see who your contacts are. There's much less invasive ways to "see if you're online".

        • They probably use the phone numbers in the address book and see if the users of phones with those numbers are online. This is probably the most non-invasive way to do this.
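The exchange above turns on whether uploading address-book phone numbers "just to see who is online" can be made non-invasive. The following is an added example, not code from the thread, from Xiaomi or from F-Secure, and it does not reproduce MIUI Cloud Messaging's actual protocol. It models the online check three ways: raw numbers, client-side SHA-256 hashes, and a hash-prefix bucket query where the server returns candidates and the client does the final match. It then shows why hashing alone does not protect the address book: phone numbers occupy a tiny keyspace, so a server (or anyone who captured an unencrypted upload) can invert the hashes by enumeration. All numbers and the "online users" registry are constructed sample data.

```python
import hashlib

# Constructed sample data: a phone's address book (with a duplicate entry)
# and the server's registry of users currently online. Numbers are fictitious.
ADDRESS_BOOK = ["+15550100042", "+15550107777", "+15550109999", "+15550100042"]
ONLINE_USERS = ["+15550107777", "+15550101111"]

# Hash-prefix length used by the bucket variant (4 hex chars = 65536 buckets).
PREFIX_LEN = 4


def hash_number(number: str) -> str:
    """Client-side hash a vendor might use instead of sending raw numbers."""
    return hashlib.sha256(number.encode("utf-8")).hexdigest()


def hashed_upload(address_book):
    """Variant 2: what the phone sends if it hashes contacts before upload."""
    return sorted({hash_number(n) for n in address_book})


def server_online_check(upload, online_users):
    """The legitimate purpose: which uploaded contacts are registered and online."""
    online = {hash_number(n) for n in online_users}
    return [h for h in upload if h in online]


def invert_hashes(upload, prefix, suffix_digits):
    """Dictionary attack on a hashed upload, by the server or by an eavesdropper.

    Enumerates every number under a known prefix (here a constructed area
    code block). A real attacker enumerates whole numbering plans the same way.
    """
    wanted = set(upload)
    recovered = {}
    for i in range(10 ** suffix_digits):
        candidate = f"{prefix}{i:0{suffix_digits}d}"
        digest = hash_number(candidate)
        if digest in wanted:
            recovered[digest] = candidate
            if len(recovered) == len(wanted):
                break
    return recovered


def bucket_query(address_book):
    """Variant 3: send only a short hash prefix per contact, not the hash."""
    return sorted({hash_number(n)[:PREFIX_LEN] for n in address_book})


def bucket_response(prefixes, online_users):
    """Server answers with every online user whose hash falls in each bucket."""
    online = {hash_number(n) for n in online_users}
    return {p: sorted(h for h in online if h.startswith(p)) for p in prefixes}


def client_intersect(address_book, response):
    """Client finishes the match locally; the server never saw full hashes."""
    matched = []
    for number in set(address_book):
        digest = hash_number(number)
        if digest in response.get(digest[:PREFIX_LEN], []):
            matched.append(number)
    return sorted(matched)


if __name__ == "__main__":
    upload = hashed_upload(ADDRESS_BOOK)
    print("server sees hashes:", upload)
    print("online among them:", server_online_check(upload, ONLINE_USERS))
    # The "protection" of hashing evaporates under enumeration.
    print("recovered by enumeration:", invert_hashes(upload, "+1555010", 4))
    # Bucket variant: server learns only 4-hex-char prefixes.
    q = bucket_query(ADDRESS_BOOK)
    print("server sees prefixes:", q)
    print("client-side match:", client_intersect(ADDRESS_BOOK, bucket_response(q, ONLINE_USERS)))
```

The bucket variant is a mitigation, not a fix: with roughly 10^10 possible numbers under one country code and 65536 buckets, each prefix still stands for on the order of 150,000 numbers, so the server learns far less than a raw or hashed upload reveals, but it still learns something, and a small contact list with an unusual number distribution can still be narrowed down. Encrypting the transport (the point raised about the traffic not being encrypted) is independent of all three variants: it stops eavesdroppers, not the server.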

    • I didn't RTFA, but they also mention that Round Eyes have "very large penises?"
  • by x0ra ( 1249540 ) on Monday August 11, 2014 @01:39PM (#47648973)
    "It's easier to ask forgiveness than it is to get permission." ...
  • Please excuse us (Score:5, Insightful)

    by phorm ( 591458 ) on Monday August 11, 2014 @01:41PM (#47649001) Journal

    We'll try to hide it better next time...

  • I prefer capitalist stooges stealing my personal information, rather than commie stooges. (stolen from Dr. Strangelove)
  • by rodrigoandrade ( 713371 ) on Monday August 11, 2014 @01:57PM (#47649213)
    A cheap high end smartphone. Apple couldn't do it, Nokia couldn't do it, Blackberry couldn't do it, Samsung couldn't do it, etc.

    If you're not paying with dollars, you're paying with something else...
    • ^ This. They are going to take it from you somewhere. One way or another, they will get their money back.
  • by 93 Escort Wagon ( 326346 ) on Monday August 11, 2014 @02:23PM (#47649441)

    In a lengthy blogpost on Google Plus, Xiaomi Vice President Hugo Barra apologized for the unauthorized data collection and said the company only collects phone numbers in users' address books to see if the users are online.

    I realize there is some translation going on here, and that can sometimes lead to misinterpretation - but in what context can this possibly make any sense? Collecting phone numbers from your address book to see if you're online? Seriously?

    • Re: (Score:3, Insightful)

      by maroberts ( 15852 )

      Well in a roundabout way of thinking, it's one of the simplest tests you can do to see if the phone can be accessed over the intertubes. All phones will have a contacts list/address book, so this will be supported by all Android phones.

      Of course, when you think about it however, you realize that it's more than a little absurd and creepy.

    • by Anonymous Coward

      This is pathetic, and you're pathetic for saying that.

      There is absolutely no evidence that they collect phone numbers from your address book.

      The original f-secure blog says nothing about collecting phone numbers from your address book -- http://www.f-secure.com/weblog/archives/00002731.html. It's basically an SMS over HTTP service that they've turned on by default. All it's doing is sending a request to the server to say that you're online, so it can route SMS over HTTP to save you $ (well, sms is free wi

  • by Anonymous Coward

    I bought one of these a few months ago, and running a netstat one day I discovered some odd IPs, most of which turned out to be Google this or that, but one struck me as very odd, to a Chinese address. Can anyone tell me, why does my phone "phone home?"

  • That's not a fucking loophole - a program doesn't accidentally download and store phone numbers, it has to be programmed to do it - that's deliberate data stealing. Now we get the usual meaningless corporate humble apology routine which they hope will placate everyone until next time they get caught. Pathetic.

  • Well goddammit, you whiners. At least this company apologized and fixed the problem properly. How often these days we just get "[company name] declined to comment on the issue" and then we never hear from them again. Xiaomi's reaction in this case was much better.
    • I also think it was handled rather well.
      Regardless of the reason or the method that they used, they LISTENED to their customer base and made appropriate adjustments. I may not like the fact that they're still collecting data but I think they did the right thing given their position. Jesus people, you just can't be happy can you?
  • I'm thinking that should probably be "Oyj", although that typo is not so easy to make (was it in the original article - how am I supposed to know? 'tis /.). But what that means (in Finnish, F-Secure is from .fi) is a public company. And whether the company is public or private is quite irrelevant in this context. Just call them F-Secure like everyone else.

  • So they only know who you speak with.
    One wonders what that information would be worth and to whom.
    Was phone number collection a condition in exchange for guarantees of the company's success, or did the company, after the fact, realise it had an additional profit line as its customer base increased?
