Xiaomi and data privacy—how secure are Chinese smartphones?

Consumers often express doubts about the data privacy of Xiaomi smartphones. How do these Chinese Android models handle user data?

In a survey conducted by German tech portal “Elektronik Informationen,” 84 percent of Xiaomi users reported uninstalling an app due to security concerns. This was the highest percentage among all manufacturers, indicating a “high perception of potential privacy risks” among Xiaomi users.

“Have you ever uninstalled an app from your smartphone because of data security concerns?” [Yes-no]
Xiaomi users expressed concerns about data privacy particularly often (Image: Elektronik Informationen).

Data privacy and the Xiaomi browser (2020)

In 2020, the company gained public attention following a Forbes article that highlighted privacy concerns raised by Android expert Gabi Cirlig. 

The article suggested that the Xiaomi browser, “Mi Browser,” not only transmitted data to the Chinese conglomerate Alibaba without user consent but also tracked search queries, folder accesses, and viewed news articles, even in incognito mode.

The data was allegedly sent to servers in China and Russia, with weak encryption that allowed Cirlig to trace the user data transmitted by the Xiaomi device. Xiaomi spokespersons disputed Cirlig’s portrayal, stating that the data was anonymized and encrypted, and users had consented to the transmission.

Are Xiaomi smartphones secure?

Xiaomi smartphones are highly popular, ranking third in new smartphone sales in Germany with a market share of 13.7 percent (as of Q3/2023).

Xiaomi devices are commonly included in bundles with various network providers and are increasingly prevalent in the business sector, including T-Mobile’s corporate mobile offerings.

Current status of data privacy and Xiaomi phones

As of the end of 2023, Xiaomi smartphones are considered secure. The company has made significant progress in enhancing the security of its devices over the years. Xiaomi regularly releases security updates and patches to address potential vulnerabilities.

Additionally, Xiaomi has developed its own security suite, “MIUI Security,” which provides extra protection against malware and other threats. However, it is still advisable to follow basic security practices, such as downloading apps only from trusted sources and enabling device locks.

Smartphones by Xiaomi (here the “Redmi 12”) are very popular.

Criticism of Xiaomi’s data privacy in 2021

The company faced criticism, not only for security concerns but also for shortcomings in sustainability and the production of eco-friendly phones.

In 2021, Xiaomi’s data privacy came under scrutiny following an investigation by the Lithuanian National Cyber Security Centre (NCSC). The Xiaomi smartphone Mi 10T 5G was found to have several issues related to data privacy (more details below).

Xiaomi payment mechanism vulnerability

In August 2022, Check Point identified a vulnerability in Xiaomi’s payment mechanism.

Schematic of the attack vector (Image: Check Point Research)

The flaw affected Xiaomi devices with a MediaTek processor, allowing attackers to overwrite the current application with an outdated one to manipulate or disable payment transactions, including the widely used “WeChat Pay” in China. Following Check Point’s notification, Xiaomi addressed the security flaw within the same month.


What data does Xiaomi collect?

In 2021, the NCSC found that the Mi 10T, through the pre-installed “Mi” browser, transmitted data to the Chinese analytics startup “Sensors Data” and Google Analytics. The server was located in Singapore. Additionally, the phone number was sent to Singapore via an invisible, encrypted SMS when the Xiaomi cloud was activated.

Accusation of censorship against Xiaomi

The NCSC also suspected that the Xiaomi smartphone could block content from certain groups, as a list of active groups from the political and religious spectrum was discovered in a configuration file named “MiAdBlackListConfig,” used by multiple system applications. However, other analysts suggested that this was an ad-filtering feature.

Data security and Xiaomi smartphones

One year later, in 2022, the German Federal Office for Information Security (BSI) conducted its own tests following the NCSC investigations. 

The BSI performed an in-depth examination of Chinese mobile phones, with a particular focus on the Xiaomi Mi 10T 5G, for potential security vulnerabilities and built-in censorship features.

Is my data secure with Xiaomi?

The BSI investigation found no abnormalities. In Germany, there were no identified filter lists or other anomalies. 

Consumer advocates still urge caution, stating that users should assume that Chinese smartphones transfer user data to Chinese servers, which brings the data within reach of Chinese government agencies.

Users should be especially skeptical if system apps request permissions they have no obvious need for, such as a compass app suddenly requesting internet access.
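A defender-side check for the heuristic above, added here as an example and not part of the original article: it parses a constructed excerpt in the format of Android's `adb shell dumpsys package` output and flags system packages that request permissions a purely local utility does not need. The package names, flags and the set of suspicious permissions are assumptions for illustration.

```python
import re

# Constructed excerpt in the style of `adb shell dumpsys package` output;
# package names, hashes and flags are invented for illustration.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.compass] (1a2b3c):
    flags=[ SYSTEM HAS_CODE ]
    requested permissions:
      android.permission.BODY_SENSORS
      android.permission.INTERNET
      android.permission.READ_PHONE_STATE
  Package [com.example.notes] (4d5e6f):
    flags=[ HAS_CODE ]
    requested permissions:
      android.permission.INTERNET
"""

# Permissions a purely local utility (compass, flashlight, calculator) has no need for.
SUSPICIOUS = {"android.permission.INTERNET", "android.permission.READ_PHONE_STATE",
              "android.permission.READ_CONTACTS", "android.permission.ACCESS_FINE_LOCATION"}


def parse_dumpsys(text):
    """Return {package: {"system": bool, "perms": [...]}} from a dumpsys package dump."""
    pkgs, current, in_perms = {}, None, False
    for line in text.splitlines():
        m = re.match(r"\s*Package \[([\w.]+)\]", line)
        if m:                                   # start of a new package record
            current = m.group(1)
            pkgs[current] = {"system": False, "perms": []}
            in_perms = False
            continue
        if current is None:                     # header lines before the first package
            continue
        s = line.strip()
        if s.startswith("flags="):
            pkgs[current]["system"] = "SYSTEM" in s
        elif s == "requested permissions:":
            in_perms = True
        elif in_perms and s.startswith("android.permission."):
            pkgs[current]["perms"].append(s)
        else:                                   # any other line ends the permission list
            in_perms = False
    return pkgs


def flag_system_apps(text):
    """Map each SYSTEM package to the suspicious permissions it requests; non-system apps are skipped."""
    return {name: sorted(p for p in info["perms"] if p in SUSPICIOUS)
            for name, info in parse_dumpsys(text).items()
            if info["system"] and any(p in SUSPICIOUS for p in info["perms"])}
```

On a real device, feed it the output of `adb shell dumpsys package` and review the flagged packages by hand; the non-system notes app requesting internet access is deliberately not reported, since the heuristic targets pre-installed system apps.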

Ban on Huawei and ZTE in the US

For data privacy reasons, some Chinese technology manufacturers, including Huawei and ZTE, were banned from the US market. The US Federal Communications Commission (FCC) deemed the national security threat posed by these companies so severe that the import of their products was prohibited—an unprecedented move in US history.

The Xiaomi Corporation is headquartered in Beijing

Background: Individual states are free to instruct their national intelligence services and domestic companies to collect information, as there are no internationally binding regulations on this matter. Companies can therefore be compelled by their governments to engage in intelligence activities.

Xiaomi smartphones and data privacy for companies

In the corporate context, beyond the data privacy of Xiaomi smartphones themselves, the potential espionage of economically significant data is relevant. Company smartphones should meet the highest security standards, whether companies opt for conventional purchases, popular smartphone leasing, or smartphone rental. If you’re interested in Xiaomi business phones, feel free to reach out.

Regardless of whether mobile devices come from Chinese manufacturers like Xiaomi, Oppo, or Huawei, or from Samsung and Apple: IT compliance, mobile security, and mobile threat defense should be considered from the outset.


Everphone
