In a survey conducted by German tech portal “Elektronik Informationen,“ 84 percent of Xiaomi users reported uninstalling an app due to security concerns. This was the highest percentage among all manufacturers, indicating a “high perception of potential privacy risks“ among Xiaomi users.
Data privacy and the Xiaomi browser (2020)
In 2020, the company gained public attention following a Forbes article that highlighted privacy concerns raised by Android expert Gabi Cirlig.
The article suggested that the Xiaomi browser, “Mi Browser,“ not only transmitted data to the Chinese conglomerate Alibaba without user consent but also tracked search queries, folder accesses, and viewed news articles, even in incognito mode.
The data was allegedly sent to servers in China and Russia, with weak encryption that allowed Cirlig to trace the user data transmitted by the Xiaomi device. Xiaomi spokespersons disputed Cirlig’s portrayal, stating that the data was anonymized and encrypted, and users had consented to the transmission.
Are Xiaomi smartphones secure?
Xiaomi smartphones are highly popular, ranking third in new smartphone sales in Germany with a market share of 13.7 percent (as of Q3/2023).
Xiaomi devices are commonly included in bundles with various network providers and are increasingly prevalent in the business sector, including T-mobile’s corporate mobile offerings.
Current status of data privacy and Xiaomi phones
As of the end of 2023, Xiaomi smartphones are considered secure. The company has made significant progress in enhancing the security of its devices over the years. Xiaomi regularly releases security updates and patches to address potential vulnerabilities.
Additionally, Xiaomi has developed its security suite, “MIUI Security,“ providing extra protection against malware and other threats. However, it is advisable to follow basic security practices, such as downloading apps from trusted sources and enabling device locks.
Criticism of Xiaomi’s data privacy in 2021
The company faced criticism, not only for security concerns but also for shortcomings in sustainability and the production of eco-friendly phones.
In 2021, Xiaomi’s data privacy came under scrutiny following an investigation by the Lithuanian National Cyber Security Centre (NCSC). The Xiaomi smartphone Mi 10T 5G was found to have several issues related to data privacy (more details below).
Xiaomi payment mechanism vulnerability
In August 2022, Check Point identified a vulnerability in Xiaomi’s payment mechanism.
The flaw affected Xiaomi devices with a MediaTek processor, allowing attackers to overwrite the current application with an outdated one to manipulate or disable payment transactions, including the widely used “WeChat Pay“ in China. Following Check Point’s notification, Xiaomi addressed the security flaw within the same month.
Is the corporate data on your employees’ mobile devices secure? Do your colleagues use private devices on the job? Our data security white paper clarifies the key questions. Click here for the free download.
What data does Xiaomi collect?
In 2021, the NCSC found that the Mi 10T, through the pre-installed “Mi” browser, transmitted data to the Chinese analytics startup “Sensors Data“ and Google Analytics. The server was located in Singapore. Additionally, the phone number was sent to Singapore via an invisible, encrypted SMS when the Xiaomi cloud was activated.
Accusation of censorship against Xiaomi
The NCSC also suspected that the Xiaomi smartphone could block content from certain groups, as a list of active groups from the political and religious spectrum was discovered in a configuration file named “MiAdBlackListConfig,“ used by multiple system applications. However, other analysts suggested that this was an ad-filtering feature.
Data security and Xiaomi smartphones
One year later, in 2022, the German Federal Office for Information Security (BSI) conducted its own tests following the NCSC investigations.
The BSI performed an in-depth examination of Chinese mobile phones, with a particular focus on the Xiaomi Mi 10T 5G, for potential security vulnerabilities and built-in censorship features.
How do you prevent problematic apps and services from accessing your sensitive company data? Our white paper clarifies the key questions. Click here for the free download.
Is my data secure with Xiaomi?
The BSI investigation found no abnormalities. In Germany, there were no identified filter lists or other anomalies.
Consumer advocates still urge caution: Stating that users should assume that Chinese smartphones transfer user data to Chinese servers, bringing the data within reach of Chinese government agencies.
Users should be especially skeptical if system apps request unnecessary permissions, such as a compass app suddenly requesting access to the World Wide Web.
Ban on Huawei and ZTE in the US
For data privacy reasons, some Chinese technology manufacturers, including Huawei and ZTE, were banned from the US market. The US Federal Communications Commission (FCC) deemed the national security threat posed by these companies so severe that the import of their products was prohibited—an unprecedented move in US history.
Background: Individual state legislators are free to instruct national intelligence services and companies to collect information, as there is a lack of internationally binding regulations on this matter. This allows companies to be fundamentally compelled by their governments to engage in intelligence activities.
Xiaomi smartphones and data privacy for companies
In the corporate context, the potential espionage of economically significant data is relevant, as well as the data privacy of Xiaomi smartphones. Company smartphones should meet the highest security standards, whether companies opt for conventional purchases, popular smartphone leasing, or smartphone rental. If you’re interested in Xiaomi business phones, feel free to reach out.
Regardless of whether mobile devices come from Chinese manufacturers like Xiaomi, Oppo, or Huawei, or from Samsung and Apple: IT compliance, mobile security, and mobile threat defense should be considered from the outset.
