Xiaomi's Hugo Barra
Xiaomi's head of global expansion - and former Google executive - Hugo Barra has strongly denied the company steals customer data without their knowledgeReuters

UPDATE: Xiaomi Changes Data Policy Following Latest User Privacy Concerns  

Finnish security firm F-Secure has shown that a smartphone from Chinese manufacturer Xiaomi does secretly steal user data without their permission despite strong denials by the company last month. 

At the end of July a number of articles claimed that phones made by up-and-coming Chinese manufacturer Xiaomi - often called the 'Apple of the East' - were silently uploading user information to servers based in Beijing.

The company came out strongly to deny these rumours with the company's head of global expansion - and former Google executive - Hugo Barra writing an extensive question and answer post on Google+ to clarify the situation.

Xiaomi RedMi 1S
The Xiaomi RedMi 1S tested by F-Secure researchers.F-Secure

Barra said the company's forked version of Android - called MIUI - does not secretly upload photos or text messages but that it does upload this information through its Mi Cloud service (similar to Apple's iCloud) but only with the express permission of the user.

Silent

However today Finnish security firm F-Secure has published a blog detailing how a brand new RedMi 1S smartphone silently uploaded a users' phone number, the network being used, the phone's IMEI number (used to identify a specific phone), as well as the phone numbers of contacts added to the address book and phone numbers of SMS messages received.

The security company said that it took a brand new smartphone from the box with no prior set-up or cloud connect allowed. It then followed the following steps:

  • Inserted SIM card
  • Connected to WiFi
  • Allowed the GPS location service
  • Added a new contact into the phonebook
  • Send and received an SMS and MMS message
  • Made and received a phone call

"We saw that on startup, the phone sent the telco name to the server api.account.xiaomi.com. It also sent IMEI and phone number to the same server," F-Secure said.

Xiaomi Uploading User Data Secretly
F-Secure

The company then repeated the above steps but this time connecting to the Mi Cloud service. This time around the IMSI details (used to identify the user of a cellular network) were sent to api.account.xiaomi.com, as well as the IMEI and phone number.

In his Google+ post on the controversy, Barra claimed:

"Xiaomi is serious about user privacy and takes all possible steps to ensure our Internet services adhere to our privacy policy. We do not upload any personal information and data without the permission of users."

This experiment from F-Secure would suggest otherwise.

However F-Secure's security researcher Sean Sullivan cautioned that what Xiaomi is doing could be replicated by other smartphone manufacturers:

"It's important to note that all 'smart' phones are more or less nothing more than a tracking device in your pocket. Our research is ongoing to determine how much metadata vs data is being collected, and whether or not it differs significantly from other vendors in the industry."

IBTimes UK contacted Xiaomi and Barra to try and get a response to these fresh allegations but at the time of publication had received no response.