Following a revelation from security researchers at F-Secure pointing to the clandestine storage of user data on a server in China, Xiaomi has revamped its cloud messaging service in response to security concerns.
F-Secure claimed in a recently released report that the MIUI cloud messaging service is likely to be sending private user information to a China-based server without the user knowing it. The data is sensitive and includes the phone’s number, IMEI number, contact list and text messages.
The free cloud-based messaging service is part of the MIUI operating system and operates in the same manner as other cloud messaging systems: it routes text messages through the Web, thereby bypassing the mobile carriers' networks. As part of this, user data is synced and stored in the cloud so that it is available on multiple devices.
Privacy and security advocates were quick to slam the sharing of sensitive information with a server in China, since users were left helpless: there was no opt-out feature on Xiaomi handsets at the time the privacy intrusion was discovered.
However, Xiaomi officials have denied the report that the company violated the privacy of users. Vice President of International Business Hugo Barra admitted that MIUI Cloud Messaging uses information such as phone number, IMSI and IMEI in order to route messages between two users through the IP communication protocol with Xiaomi servers. He denied, however, that contact data or social graph information were stored on the servers in China, adding that the company did not keep those pieces of information for an extended period.
What Xiaomi probably wanted to clarify was that it uses the phone numbers to determine the online status of the recipient device and thus route the message via the cloud.
The sender’s and receiver’s phone numbers are the primary identifiers with which messages can be routed. The Cloud Messaging system routes the message through IP instead of a carrier gateway, provided the device is online. If the receiving device is offline, the system fails.
A mobile device, particularly a Xiaomi device, connects to the Cloud Messaging servers when the user creates a new contact or message. In this way, the device checks the status of the user by forwarding the phone number of that contact to the server.
Xiaomi has now introduced some changes to this procedure following the security concerns. The company now encrypts the phone numbers that are sent to the Cloud Messaging servers, and MIUI Cloud Messaging has become optional.