YET ANOTHER android Security Breach!


#1 Posted by musicalmac (24889 posts) -

This one comes compliments of the -- believe it or not -- Chinese company, Xiaomi.

At least one device from upstart Chinese smartphone maker Xiaomi has been found to transmit user data — including SMS messages and photos — back to servers in mainland China without the user's permission, according to reports from Hong Kong.

While testing Xiaomi's Redmi Note handset, Kenny Li of Hong Kong forum IMA Mobile discovered that the device continued to make connections with IP addresses in Beijing even after switching off the company's iCloud-like MiCloud service. The transmissions occur only over Wi-Fi, though the device does stay in contact with the servers via small "handshakes" while using cellular data.

Li says that data transmission persists even after erasing and re-flashing the handset with a different Android ROM, suggesting that the functionality could be built into the phone's firmware.

Credit AppleInsider

The world is still waiting for Xiaomi to respond, as they have thus far been quiet on the issue.

It seems as though nearly every day, at every turn, there's more bad news for android. Every day there are new breaches of security, end user betrayal, and ethically bankrupt behavior from corporations that shouldn't have been trusted in the first place.

That being said, this may not be a big deal depending on what we hear from Xiaomi -- should they choose to respond. But the fact of the matter is that sensitive user data is being transmitted to mainland China servers without the permission of the end user.

Yet another reason to avoid android.
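To check a claim like Li's on your own device, here is an added example (written for this thread, not code from AppleInsider, Xiaomi or any poster) that audits a constructed outbound-connection log for destinations still receiving bulk data after the cloud service was switched off, separating small keepalives from uploads and Wi-Fi from cellular. The log lines, addresses, switch-off time and byte threshold are all assumptions.

```python
"""Audit a handset's outbound connections after a cloud service is switched off.
Constructed example: log lines use RFC 5737 documentation addresses, not real servers."""
from collections import defaultdict
from datetime import datetime

# Constructed egress log: timestamp, interface, destination, bytes sent.
SAMPLE_LOG = """\
2014-08-08T09:00:10 wifi 203.0.113.10:443 48213
2014-08-08T09:05:00 wifi 198.51.100.7:443 1200
2014-08-08T09:30:00 cell 203.0.113.10:443 60
2014-08-08T10:15:30 wifi 203.0.113.10:443 390022
2014-08-08T11:02:00 cell 203.0.113.10:443 64
2014-08-08T11:40:00 wifi 198.51.100.7:443 120
"""

# Assumed: the moment the cloud service was switched off on the handset.
MICLOUD_DISABLED_AT = datetime(2014, 8, 8, 9, 20)
# Assumed threshold: transfers this small are keepalive "handshakes", not data uploads.
HANDSHAKE_MAX_BYTES = 256

def parse_log(text):
    """Parse one event per line into (timestamp, interface, destination, bytes)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, iface, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), iface, dst, int(nbytes)))
    return events

def audit(events, disabled_at, handshake_max=HANDSHAKE_MAX_BYTES):
    """For each destination contacted after disabled_at, count bulk transfers
    and small handshakes, split by network interface."""
    report = defaultdict(lambda: {"bulk": defaultdict(int), "handshake": defaultdict(int)})
    for ts, iface, dst, nbytes in events:
        if ts <= disabled_at:
            continue  # traffic before the switch-off is expected
        kind = "handshake" if nbytes <= handshake_max else "bulk"
        report[dst][kind][iface] += 1
    return {dst: {k: dict(v) for k, v in kinds.items()} for dst, kinds in report.items()}

def suspicious_destinations(report):
    """Destinations that still received bulk data after the service was disabled."""
    return sorted(dst for dst, kinds in report.items() if kinds["bulk"])

if __name__ == "__main__":
    rep = audit(parse_log(SAMPLE_LOG), MICLOUD_DISABLED_AT)
    for dst in suspicious_destinations(rep):
        print(dst, rep[dst])
```

Run against a real capture (for example a per-app traffic log exported from the handset), a destination that keeps receiving bulk transfers after the switch-off is the thing worth explaining, while small periodic handshakes alone are not evidence of data leaving the device.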

#2 Posted by NVIDIATI (8339 posts) -

Privacy

Q: Online articles recently referred to some privacy issues with the Redmi Note, claiming that photos and text messages are sent to China secretly. Are they true?

A: An article severely misinterpreted a discussion thread asking about the Redmi Note's communication with a server in China. The article also neglected to refer to a Chinese version of this Q&A already posted on the Xiaomi Hong Kong Facebook page (https://www.facebook.com/Xiaomihongkong/posts/799059896795602). MIUI does not secretly upload photos and text messages.

MIUI requests public data from Xiaomi servers from time to time. These include data such as preset greeting messages (thousands of jokes, holiday greetings and poems) in the Messaging app and MIUI OTA update notifications, i.e. all non-personal data that does not infringe on user privacy.

Q: Does Xiaomi upload any personal data without my knowledge?

A: No. Xiaomi offers a service called Mi Cloud that enables users to back up and manage personal information in the cloud, as well as sync to other devices. This includes contacts, notes, text messages and photos. Mi Cloud is turned off by default. Users must log in with their Mi accounts and manually turn on Mi Cloud. They also have the option to only turn on backup for certain types of data. The use and storage of data in Mi Cloud fully respects the local laws of each country and region. Strict encryption algorithms are implemented to protect user privacy.

Q: Can I turn Mi Cloud off?

A: Yes. Just go to Settings > Mi Cloud to turn it off. If you would like to use a cloud backup service from another provider, there are options from Google, Dropbox and many others.

Q: Why should I believe you?

A: Xiaomi is serious about user privacy and takes all possible steps to ensure our Internet services adhere to our privacy policy. We do not upload any personal information and data without the permission of users. In a globalized economy, Chinese manufacturers' handsets are selling well internationally, and many international brands are similarly successful in China – any unlawful activity would be greatly detrimental to a company's global expansion efforts.

Credit Hugo Barra - Xiaomi VP

#3 Posted by musicalmac (24889 posts) -

I respect the speed with which they responded.

The top-most layer of the onion of issues has been peeled relative to this one company. Many troublesome android layers still reside below.

#4 Posted by NVIDIATI (8339 posts) -

@musicalmac

In the future I would discourage posting click-bait articles from AppleInsider (and this isn't the first time you've done so).

It becomes especially difficult to take them seriously when the first article on their front page is this:

Al-Qaeda prefers Android over Apple's iOS

By Daniel Eran Dilger

Apple's iOS has taken majority market share in education, government and the enterprise, but Google's Android has become the favored mobile platform among Al-Qaeda operatives.

#5 Posted by musicalmac (24889 posts) -

@NVIDIATI: Did you read the Recorded Future reports? AppleInsider is an excellent source that has almost flawlessly provided excellent news and commentary (I say almost flawlessly because there are bound to be mistakes, but I haven't found one or cannot recall one at this time). In this case specifically, I can provide compelling evidence that this isn't click bait because this article (that YOU linked) is a combination of a compelling headline and considerable analysis. Had you read it (like the source material it chose to draw from), I think you would have had a different opinion. (That's why the first thing I did was ask if you had read anything.) There's rarely any substance in an article that one could consider "click bait."

It was a nice attempt at invalidating a very well-run news operation, though. However, if you do find a series of glaring holes that are devoid of their usually well-conceived analysis and conclusions, I will gladly eat my words. But as I've said so... many... times... I'm rarely surprised. Please, surprise me with something.

Moreover, it's become very difficult to find much fault with Apple these days, especially in light of the many security and patent woes that have befallen Google's most flattering product ever.

#6 Posted by slimdogmilionar (967 posts) -

More and more bad news for android. I'm due for an upgrade in Feb. and couldn't be more anxious to join my daughter and wife in Apple land.

#7 Posted by Mister-Man (603 posts) -

@slimdogmilionar:

You are in for quite a good time. I just switched from my Samsung to an iPhone 4S while I wait for the new iPhone to come out next month. The difference is night and day, and I'm using a 4 year old iPhone. That speaks volumes about the state of Android versus iOS.

#8 Edited by slimdogmilionar (967 posts) -

@mister-man: Yeah, my wife has the iPhone 5 and my daughter has the 4S, and they don't have any of the problems I have with my G2. Everything works, they get better signal than I do, they hardly ever drop LTE, and their games don't act up as much as mine do. I can't wait for the iPhone 6 to come out.

#9 Posted by NVIDIATI (8339 posts) -

@musicalmac

Click bait, as in a sensational title to gain clicks for advertising purposes. The content of the report from Recorded Future was already reported a few days earlier from non-Apple centric websites.

AppleInsider has an agenda to boost Apple and slander just about anything that's not in AAPL's favour. Information is more meaningful straight from the source; the author's bias is better left aside.

#10 Posted by musicalmac (24889 posts) -

@NVIDIATI said:

@musicalmac

Click bait, as in a sensational title to gain clicks for advertising purposes. The content of the report from Recorded Future was already reported a few days earlier from non-Apple centric websites.

AppleInsider has an agenda to boost Apple and slander just about anything that's not in AAPL's favour. Information is more meaningful straight from the source; the author's bias is better left aside.

That is incorrect.

---

Schools lament shortcomings of Apple's iPad as some opt instead for Chromebooks

Even as Apple's education sales boom, some schools have begun to transition students and classrooms away from the iPad in favor of laptops — including Google's cheap cloud-based Chromebooks — as weaknesses have begun to emerge with the tablet form factor.

China bans government agencies from purchasing Apple products - report

New procurement regulations handed down last month by the Chinese central government will prevent both national and local agencies from considering future purchases of some Apple products with public funds, a Wednesday report said.

---

There is no agenda other than to report the realities of the various news items that AppleInsider reports. Both of those very recent articles directly contradict your statement. The problem is not the source, the problem seems to be more related to your own personal bias.

The idea that we're talking about sources and not about debunking the information in these sources is indicative of just that.

#11 Edited by NVIDIATI (8339 posts) -

@musicalmac

They're an Apple news site; they're going to report everything Apple, good or bad, but that doesn't mean they don't have a strong Apple bias. For an Apple centric webpage, their reports on Android are generally negative:

New Android 'Fake ID' flaw empowers stealthy new class of super-malware

Google and Samsung escalate hostilities over watches, Tizen and Android's openness

Gameover Zeus botnet reanimated, exposing the harm in "open" Android, Windows malware platforms

Audit contradicts Samsung's claim that it does not use child labor for Android phones

Inside Accessibility: Apple advances iOS 8 & OS X Yosemite as Android users left frustrated

This has nothing to do with bias, other than the fact that I generally avoid these types of websites from any perspective.

As for the underlying content, which directly pertains to this thread, in this case, the article about Xiaomi proved to be incorrect.

#12 Posted by musicalmac (24889 posts) -

@NVIDIATI:

Where is the unfair bias in those factually accurate news articles? AppleInsider wasn't the first to report any of them, I don't think. It would be easier to determine if they were linked.

If you avoid websites like AppleInsider, how can you presume to judge them? How can you generalize anything that you have taken special care to avoid?

#13 Posted by NVIDIATI (8339 posts) -

@musicalmac

I became familiar with the site and the content long ago; I didn't just jump to a conclusion. The website's negative stance on Android (and other non-Apple systems) is pretty clear. To remain on topic, AppleInsider still hasn't bothered to correct or follow up on their Xiaomi article. Meanwhile, Xiaomi issued a second statement regarding this issue:

MIUI Cloud Messaging & Privacy

Xiaomi is a mobile Internet company committed to providing high-quality products and easy-to-use Internet services. We believe it is our top priority to protect user data and privacy. We do not upload or store private information or data without the permission of users. This Q&A aims to address privacy concerns raised over the past 48 hours.

Q: What is MIUI Cloud Messaging?

A: Xiaomi offers a free service called Cloud Messaging as part of its MIUI operating system. This service allows MIUI users to exchange text messages with each other free of SMS charges, by routing messages via IP instead of using the carrier’s SMS gateway.

Q: How does Cloud Messaging work? Does it store any private user information?

A: When a Mi phone is turned on, the Cloud Messaging service is automatically activated through IP communication protocol with Xiaomi servers, in order to provide the user with the free text messaging capability. MIUI Cloud Messaging uses SIM and device identifiers (phone number, IMSI and IMEI) for routing messages between two users, in the same way as some of the most popular messaging services. Some technical implementation details are provided below. Users’ phonebook contact data or social graph information (i.e. the mapping between contacts) are never stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.

Q: How does this relate to the privacy concerns raised about Xiaomi over the last 48 hours? What’s your response?

A: A recent article in Taiwan and a related report by F-Secure raised privacy concerns by stating that Xiaomi devices are sending phone numbers to Xiaomi’s servers. These concerns refer to the MIUI Cloud Messaging service described above. As we believe it is our top priority to protect user data and privacy, we have decided to make MIUI Cloud Messaging an opt-in service and no longer automatically activate users. We have scheduled an OTA system update for today (Aug 10th) to implement this change. After the upgrade, new users or users who factory reset their devices can enable the service by visiting “Settings > Mi Cloud > Cloud Messaging” from their home screen or “Settings > Cloud Messaging” inside the Messaging app — these are also the places where users can turn off Cloud Messaging.

We apologize for any concern caused to our users and Mi fans. We would also like to thank the media and users who have been sending us feedback and suggestions, allowing us to improve and provide better Internet services.

Q: How exactly does the MIUI Cloud Messaging system handle phone numbers?

A: For those interested in specific details about the MIUI Cloud Messaging implementation:

- The primary identifiers used to route messages are the sender and receiver’s phone numbers. IMEI and IMSI information is also used to keep track of a device's online status.

- When a user sends a text message, if there is an Internet connection available, the Cloud Messaging system will attempt to route the message via IP. If the receiver is offline (i.e. not immediately reachable via IP), the system falls back to sending a normal SMS message from the sender’s device.

- When a MIUI user opens a text message or a phonebook contact, or creates a new contact, the device connects to the Cloud Messaging servers, forwards the phone number of that contact and requests the online status of the corresponding user, which is indicated by a blue icon when that user is online or gray icon if that user is offline (or is not a Cloud Messaging user). This allows the sender to immediately know whether they can text that user without incurring SMS costs.

- In any of these flows, the receiver’s phone number is only used to look up online status and to route messages. No phonebook contact details or social graph information (i.e. the mapping between contacts) is stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary to ensure immediate delivery to the receiver.

- The OTA system update made available today (Aug 10th) adds an extra layer of security by encrypting phone numbers whenever they are sent to Cloud Messaging servers.

- We will continue to make changes and improvements to this architecture as needed over time.

Credit Hugo Barra - Xiaomi VP

#14 Posted by musicalmac (24889 posts) -

@NVIDIATI: You have cited one issue that many other sites have certainly also not corrected. I'd hardly call that a pattern.

Again, kudos to Xiaomi, though. It still doesn't save them from their unabashed flattery, however.