Xiaomi admits to obtaining unauthorised user data

Chinese manufacturer Xiaomi has admitted to collecting user data after a report by a Chinese security firm accused the company of taking personal data without permission.

Xiaomi apologised for the breach and said it had upgraded its operating system to ensure users knew it was collecting data from their address books.

The firm said the unauthorised data transfer had been triggered after it tried to fix a loophole in its cloud messaging system. The OS upgrade, rolled out on Sunday, was the company’s attempt at rectifying the issue.

The breach was highlighted last week in a blog post by security firm F-Secure Oyj and had been reported by media outlets in Taiwan.

To counter the claims, Xiaomi’s Vice President Hugo Barra wrote an extensive blog post on Google+ in which he apologised for the unauthorised data collection. Barra added that the company only collects users’ phone numbers from their address books to see if users are online.

Like Apple’s iMessage service, Xiaomi lets users send messages over the Internet rather than through a network operator.

Barra stated that the smartphone’s messaging system would now only activate on an “opt-in” basis and that any phone numbers sent back to Xiaomi would be encrypted and not stored on its servers.

Despite an increasing number of smartphone apps collecting user data – including location – the address book remains a sensitive domain.

The US Federal Trade Commission previously fined the social network Path $800,000 (£476,817) after security researchers proved that the company had collected users’ address book data without their knowledge and stored it on its servers.

Following the 2012 Path controversy, which also prompted a Congressional inquiry, Apple made changes to iOS that forced app developers to explicitly ask for permission before accessing address book data.

Xiaomi recently beat Samsung to become the leading smartphone vendor in China, and the fifth largest in the world.
