Related to Xiaomi, the company is also doing some sketchy things in the smart home space under their brand "Aqara". I use HomeKit in my apartment and opted for Aqara branded wireless buttons and temp/humidity sensors because of the attractive hardware and good reviews. The devices require a wi-fi connected hub, not too strange for things that use Zigbee, so I gave that a go.

Well, on cursory examination, the Aqara/Xiaomi hub was talking to a bunch of Chinese servers constantly. I didn't dive too deep into what all they were actually for. When I blocked the device from phoning home with my router, all the connected devices stopped working! None of the buttons or sensors would work, the RGB light on the hub couldn't even be changed. As soon as it lost the ability to ping its servers in China, the thing actually started strobe light flashing blue. Re-enable the outside network access on it and it starts working again. This was totally antithetical to why I use HomeKit in the first place, so I removed the hub and paired all the Aqara accessories with a generic open source Zigbee hub (ConBee II) and added it to HomeKit with HomeBridge.

In the future I plan to give brands more scrutiny before investing time/money in them and granting them unfettered access to my LAN...
This paragraph stood out to me:

> The intention here seems to be that aigt is the timestamp when the ID was generated. So if that timestamp deviates from current time by more than 7776000000 milliseconds (90 days) a new ID is going to be generated. However, this implementation is buggy, it will update aigt on every call rather than only when a new ID is generated. So the only scenario where a new ID will be generated is: this method wasn’t called for 90 days, meaning that the browser wasn’t started for 90 days. And that’s rather unlikely, so one has to consider this ID permanent.

If we assume that Xiaomi aren't literally trying to spy for a government and are in fact just poorly calibrated on what's legitimate to collect for product analytics purposes, this paragraph highlights why that's still incredibly dangerous despite "good intentions".

I remember the UK government investigation into Huawei concluding that not only was their security posture insufficient for critical infrastructure, but their engineering practices were likely a decade away from being at a point where they could start to claim good security practice.

This paragraph seems to suggest a similar problem at Xiaomi. This should have been caught at a security review stage during design, it should have been caught at the code review stage, it should have been caught by automated tests, it should have been caught by QA, it should have been caught once live by data tests, it should have been seen once live by analysts, it should have been fixed at so many different points. The fact it wasn't suggests that these stages either don't exist or are insufficient.
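A constructed simulation of the rotation logic quoted in the comment above, added here and not taken from the article or from Xiaomi's code (the key names, the dict standing in for the on-device preference store, and the function names are assumptions). It shows why stamping aigt on every call makes the ID effectively permanent, and how the intended version behaves:

```python
import uuid

NINETY_DAYS_MS = 7_776_000_000  # the 90-day threshold quoted from the article
DAY_MS = 86_400_000

# `prefs` stands in for the persistent key/value store (SharedPreferences on
# Android) holding the ID and its timestamp; the key names are assumptions.


def _expired(prefs: dict, now_ms: int) -> bool:
    """True when no ID exists yet or its timestamp is more than 90 days
    away from the current time (the rotation rule the article describes)."""
    aigt = prefs.get("aigt")
    return "id" not in prefs or aigt is None or abs(now_ms - aigt) > NINETY_DAYS_MS


def get_id_buggy(prefs: dict, now_ms: int) -> str:
    """Behaviour as described: aigt is rewritten on every call, so it records
    the time of the last call, not the time the ID was generated."""
    if _expired(prefs, now_ms):
        prefs["id"] = uuid.uuid4().hex
    prefs["aigt"] = now_ms  # bug: stamped unconditionally
    return prefs["id"]


def get_id_fixed(prefs: dict, now_ms: int) -> str:
    """Intended behaviour: aigt is stamped only when a fresh ID is minted."""
    if _expired(prefs, now_ms):
        prefs["id"] = uuid.uuid4().hex
        prefs["aigt"] = now_ms
    return prefs["id"]


def distinct_ids(get_id, days: int, every_days: int = 1) -> int:
    """Simulate a browser started once every `every_days` days for `days`
    days and return how many distinct IDs it handed out."""
    prefs = {}
    seen = set()
    for day in range(0, days + 1, every_days):
        seen.add(get_id(prefs, day * DAY_MS))
    return len(seen)


if __name__ == "__main__":
    # A daily-used browser never rotates the buggy ID; the fixed one rotates every 91 days.
    print("buggy, daily use over a year:", distinct_ids(get_id_buggy, 365))        # 1
    print("fixed, daily use over a year:", distinct_ids(get_id_fixed, 365))        # 5
    # Only a gap of more than 90 days between starts makes the buggy version rotate.
    print("buggy, started every 100 days:", distinct_ids(get_id_buggy, 365, 100))  # 4
```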
I truly don't understand, from a security and privacy perspective, why anyone outside of China would voluntarily choose to run closed-source software from a company that's subject to domestic laws and regulations in China. The MSS is no joke.

https://www.google.com/search?client=firefox-b-d&q=china+mss+data+sharing

This is the same reason that Zoom is banned at my workplace and many other partner companies.

You've actually got two problems here. One is the commercial advertising/for-profit related data sharing problem described in the article. The second is that Xiaomi, as a company with that collected data resident in China on its servers, is obliged to provide a pipeline for a copy of their database to the MSS upon request.
I recently bought a Xiaomi phone (Poco M3) for development. I was shocked to learn that in order to enable USB debug mode in developer settings, I needed to BOTH:

1) make a Xiaomi account with

and

2) insert a SIM card into the device (!)

Is that not insane? Other people seem to think so too: https://android.stackexchange.com/a/186052

Apparently the only alternative to this is rooting the device, which may break it.
Chinese browser collects your data? Spyware.

American company collects your data? $1,400,000,000,000 valuation.

This reminds me of how we call Russian billionaires "oligarchs" but we just call American billionaires...billionaires.
I use a Huawei MateBook D14 as my personal device. Its primary use is in a WiFi network (as in 99% of the time). Since I also use MS devices in the same network, I log all IPs being accessed from my network (https://www.raspberrypi.org/documentation/configuration/wireless/access-point-routed.md).

I'll leave the log results of accessed IPs as an exercise to the reader. Hint: no Chinese/Russian IP addresses are being accessed.

I'd guess a lot more people use Huawei devices (before they were outlawed) than explicitly use a Xiaomi browser.

And a lot of people didn't forget Snowden.

Addendum: I use a MacBook Pro (32 GB, i7) and a Win10 Pro work device (32 GB, i7) as well. Neither contacts China or Russia. Both of them submit ~10x more unknown traffic than the Huawei device.

I don't want to paint the Chinese dictatorship as "good", not at all. But I do want to remind that the US is - as experienced by an EU consumer - worse. Not now, but maybe in the future, at least according to collected data.
I have a 5-year-old Oppo phone and decided to use it as a podcast device. A few odd things about this phone:

1) My Google and IG accounts both sent me security alerts about successful login attempts from Thailand and Vietnam. I'm 100% sure I only created the IG account from this phone once and have not used that password anywhere else.

The IG username/password was taken from this phone and an attempt was made to log in from somewhere else.

2) I can't get the phone to disconnect from wifi. I put the phone on airplane mode, disable wifi, BT, etc. and manually change the wifi password to something else. It always successfully reconnected after a few days with the old password. There is logic in the phone that tries very hard to stay connected online. It remembers the old password and successfully connects with it after a few days.

Only renaming the wifi AP in my router seems to finally permanently disconnect it from the network.

3) I have let the phone back online and created a Google account that is 100% unique to this phone. I'd love to know how long it would take for login attempts for that Google account from Thailand/Vietnam to start showing up.
Why don't we address the root of the problem? Who controls the computer? If the user of a computer (with phone features) doesn't have full control over it, then this situation can and will be abused by someone who does. It seems a logical consequence of not having full control over your own computer.

Why do we discuss mostly the degree of such abuse and not the core of the problem?

Another core of the problem is dealing with communist regimes. Do we never learn? Communists are literally responsible for millions of deaths in the 20th century (https://www.youtube.com/watch?v=NDTbNmUgeXk). They have a good record of disrespecting human rights. Why would someone sane expect them to respect any of his rights now?
Xiaomi phones are insane, at least BlackShark. They replace virtually all the major user-level stuff of Android with extreme data-collecting alternatives. They then make it so that you cannot disable many of them (via adb, custom ROMs etc.) without bricking the phone; I'm talking wallpaper or clock apps that run with full, non-modifiable privileges. They subsidize cheap hardware with a truly insane level of tracking.

They will also stop allowing custom ROMs once they've built up enough reputation; some newer models already will never have custom ROMs.
Really interesting. But if what the Xiaomi browser does is spyware, what is Google?

Does Google collect our navigation data? (Yes, if we are using Chrome or Android and logged in.)

Does Google know what videos and what kind of videos we watch? (Do you need an answer?)

Call it spyware because it's a Chinese company? Really? Nah. Google does the same, or worse.

I'm neither defending Xiaomi nor Google. The question is: almost every application does data collection. And if you call that spyware, then every app which does data collection is spyware.
> The article accuses Xiaomi of exfiltrating a history of all visited websites.

Is this our definition of spyware? I see countless articles float by on HN about super cookies, spy pixels and browser fingerprinting. Those do effectively the same things, track users against their expressed wishes, but we just don't call them spyware.
Unfortunately, Xiaomi's business model is to sell hardware with little to no profit margin and make a profit as an internet company, i.e. advertising and so on. I give them the benefit of the doubt that the 90-day renewal was added and didn't work due to not being unit tested, maybe. Still, it is the same ad business as FB. I love the look of their phones, but I would pay for an iPhone for the benefit of a secure OS and better privacy.
I'm using a firewall to block tens of IP addresses and several apps.

Why would Xiaomi tell me to download a 26MB update from their store if the one from Google Play, where I downloaded the app, is less than 15MB?

I'll be getting rid of this phone by the end of the month.
Chrome is the definition of spyware, just by widely known facts. Doesn't make Xiaomi browsers better, I know.

Still, 90%+ use Chrome. I know no one using a Xiaomi browser.
Quick scrolling through the comments, I wonder how many people actually RTFA?

Looking at the list of things they collect, how could it possibly be legitimate, or compared to what "western" or any other companies are doing?

- Full URL history
- Full search history: engine and terms etc
- Full download history
- Full YouTube activities: search, which video, for how long

This is a full-blown home-phoning trojan horse.
What's worse is that the whole OS is actually spying on you, not just the Mi browser. Even when idle my phone is trying to send bits of data to their servers.

Xiaomi are great but for me this is the end of the line with their phones. Privacy comes at a premium nowadays and lots of us are willing to pay for it.

Those affected can block the following domains from resolving:

- data.mistat.intl.xiaomi.com
- sdkconfig.ad.intl.xiaomi.com
I wonder more about their routers. For their specs they are extremely price competitive. Their AX6000 features a 2.5GbE port, 4x4 5GHz antennas with supposedly 4800 Mbit/s max throughput over all clients, for 120€ with shipping to the EU. The Netgear Orbi Pro is the only AP I could find that is similarly equipped, and it costs a handsome 400€.

The mostly Chinese and Russian reviews on YouTube seem to show those numbers to be at least not outright lies, but people on the OpenWrt forums talk about the routers talking quite a lot back to China.

I really wish for somebody credible to do a teardown to look into these boxes.
For anyone trying to be privacy conscious by deleting their FB accounts, not using all the Google services etc., it should be obvious that a good rule of thumb would also be to not use software built in China.

Even if they were not built with malicious purpose, they have both excellent state-funded hackers and poor security practices in most of their consumer products.

Unfortunately, from what I've seen, I think the same can be said about software from Korea/Japan...
> Xiaomi now announced that they will turn off collection of visited websites in incognito mode. That’s a step in the right direction, albeit a tiny one.

They may also collect fingerprints and other biometrics (voice, pictures) in a similar misleading way. There's a lot of wise tricks others have learned from Google. IMO only strict laws forbidding data collection from smartphones completely will change that.
That's among the reasons I do my AOSP GSI (https://github.com/phhusson/treble_experimentations/releases/ ; Generic System Image, an Android that works on pretty much all recent Android phones).

Xiaomi devices are usually at sweet spots price/performance-wise (not really great hardware imo, but well). With custom ROMs (including my GSIs, but other custom ROMs are fine as well), buy a phone for their hardware, not for their software. (BTW my daily driver is a Pixel 5... not running Google adware! Only high-end-ish device that fits my hand.)

However, Xiaomi devices are bricks for like a month, because before being able to install your own software, you need to be approved (connecting the smartphone to a Windows computer), and it's only once you get your smartphone that you can install your own software.
"Are [computers] spyware? Yes, they are (2000)" should be the title.

If you use a computer, smartphone or IoT device then yes, it collects data, just as Facebook runs ads.

What's collected these days:

- Your social circle,
- every time you connect to the mobile network, when, which tower you connected to, tx/rx bytes, who you phoned, where the callee is located,
- whether you're in a car, walking (sensors),
- whether you're sleeping... (a recent Google blog post talked about a new "sleep tracking" API).

You generate data as a human; interested parties (governments) collect that and will store it for the rest of time. I suspect there's a database of every URL visited by any human in the last 20 years.

This is not surprising and should surprise nobody.
In other news, Xiaomi Roborock vacuum cleaners require you to enable GPS permissions and transmit Wi-Fi PASSWORDS and floor maps back to their server.

They've really been on a privacy invasion spree lately.
Xiaomi is an awesome phone for its price tag; you just need to flash a custom ROM like LineageOS. And they don't even make this a problem, contrary to other manufacturers like Samsung.
I believe Xiaomi being Chinese is kind of a red herring here.

The thing about big data is you never know in advance what kind of data can turn into a gold mine for your business. So the strategy "collect as much as you can afford and get away with" is economically reasonable if not optimal. Until this changes, nothing will change. And Xiaomi is not an exception here.
Quote: "However, you have to make sure that you have “Incognito Mode” turned on and “Enhanced Incognito Mode” turned off – that’s the only configuration where you can have your privacy."

Does the article's author really believe this or is it put there because of outside pressure? I, for one, would not believe that for a single second.
I know close to nothing about Android development in general and absolutely nothing about Xiaomi in particular.

When looking at the code snippets in the article I wonder about the variable names. This doesn't look like decompiled code. And I don't think their whole browser is open source. What am I missing here?
Xiaomi is a widespread brand in many countries because its products are really cheap, and it looks like this trend will continue for the next few years. It's very frustrating to see this. The Western world should impose standards to prevent it.
A very good rule of thumb: Freedom-respecting (fully, 100% open-source) software won't screw you.

Simply knowing someone could be watching you and your source code reduces the chance of malicious code.
My old Huawei phone is still my favorite phone ever. I don't care if they spy on me. Take my data, I don't care! I just want another phone that good and that cheap.
I assume that anything is spyware unless proven innocent, especially on mobile where surveillanceware is effectively the whole purpose for the platform's existence.
> If you use Mint Browser (and presumably Mi Browser Pro similarly), Xiaomi doesn’t merely know which websites you visit but also what you search for, which videos you watch, what you download and what sites you added to the Quick Dial page

Yet people in Europe LOVE Xiaomi. I swear I’ve seen so many of my friends with those high-end $500 phones.

Even if they are tech guys, it’s like they just don’t care; they want the most powerful phone with the most features at the cheapest price.

At this game Xiaomi and other Chinese brands have become very good.

That being said, Google has been doing the exact same thing for 30 years. Nobody ever considered banning Google from anything.
Block every company that tries to compete with US companies. First it was Huawei, now it's Xiaomi. FB and Google are both US companies and they literally track the hell out of their users to target ads, but they are doing great; they never had much issue except Zuckerberg was in the news a few months ago, but the US didn't block them, because they are US companies and bring $$$ into the country.
I am truly appalled at the level of discussion from people I consider intellectuals on HN. Comments here are repeatedly evaluating whether the same thing would apply to the US.

I expect more from HN. Can we please discuss the problem in isolation and especially the interesting technical bits? Ask yourself: this kind of exploitation is bad regardless of whether any country does something similar. It's anti-user in every possible interpretation.
Xiaomi devices are officially sold in the EU. Wouldn't a GDPR violation basically kill the company??

Note that Xiaomi is a Chinese startup hub, started by former Googlers. 90% of what they sell is produced by Chinese startups.

(That being said, I would never use Xiaomi software myself. I only use their hardware with open source 3rd party apps.)
Spyware is based off intent. Collecting data doesn't necessarily make you spyware. You can literally call anything spyware depending on how schizo you want to be at this point.
And so is Google Chrome. Basically everything Android. Just don’t use that platform if you care about your privacy. And stop pretending just because millions use it or because it is supposedly more customizable. Google is Google.
Not surprising.

I don't see how you can expect any less of this, even in the US. American companies collect vast amounts of information that are either acquired by the state later on, acquired via some deal with the state, or some network of revolving doors is further entrenching US-style state capitalism which erases the distinction. Frankly, American corporations are effectively more powerful than the government at this point, at least in certain domains (like where freedom of speech is concerned). It'll only get worse until something gives.

And given that American greed funded the wealth and power of the CCP in the first place, given the massive investments in China, I do not expect the globalist American imperial oligarchy to change course. Why would they? They like what the CCP is doing. They share more in common with the Chinese ruling class than with most Americans.
Hmm, I mean, why is Chinese capitalism so powerful? Because the government sanctioned and allowed the capital's all-reaching power.

Do you believe the CCP is capable enough to utilize such tools?

If the answer is yes, then you should ask yourself whether there is any realistic chance of overpowering such a technologically advanced "government". And how much more powerful the private sectors would be. Think about how much of a gap there is between Silicon Valley and the US government in technological capabilities.

This framing of pinning everything as government-sponsored activity makes it very difficult to correct such behavior effectively, because it is easily brushed off as an intentional attack on the nation.

Why not just put it as what it is?

I mean, 996 in the Chinese high-tech industry is killing the quality of the work. That's obviously the right reasoning, right?
Interesting to see the quite loaded (and slightly archaic in 2020?) term "spyware" used to refer to Chinese software. I haven't seen it used to describe Facebook or Google software, even alongside all of the recent news stories highlighting their apps' tracking footprint by Apple's newer iPhone AppStore requirements.
Our schools are dumbing down math and removing advanced classes (if you can even go to school) because of “white supremacy”, meanwhile China is investing full speed into engineering disciplines and is performing extremely effective espionage against virtually all Americans.

I don’t know if there will ever be a Sino-American war, but if there ever is one it’s going to be very painful for us.