Xiaomi's MIUI Cloud Messaging service made optional following security criticism

Security worries raised by an automatically activating cloud service on Xiaomi's handsets have now been quelled by the addition of opt-out features.

Chinese smartphone company Xiaomi has made rapid changes to its MIUI Cloud Messaging service in order to stem security worries caused by an F-Secure report released last week.

MIUI Cloud Messaging is a free service offered as part of the MIUI operating system. It works in much the same way as Apple's iMessage: SMS messages are routed via the Web rather than a carrier's SMS gateway, which means MIUI users can talk to each other for free. The service is also able to back up and sync user data in the cloud, as well as prompt synchronization across multiple devices.

However, although many messaging services use this type of routing, security researchers at F-Secure released a report last week which highlighted that the service appears to share a range of user data with a server in China without permission. F-Secure stated that the data included the phone's IMEI number, phone number, contacts and text message records.

The idea of sharing such information with a server in China without user knowledge raised concerns and criticism, especially as there was no opt-out feature on Xiaomi devices.

Following F-Secure's report, Xiaomi Vice President of International business Hugo Barra denied that the company is riding roughshod over user privacy. In a Google+ update, the executive said Xiaomi's top priority is to "protect user data and privacy," and "we do not upload or store private information or data without the permission of users."

Barra explained:

"When a Mi phone is turned on, the Cloud Messaging service is automatically activated through IP communication protocol with Xiaomi servers, in order to provide the user with the free text messaging capability. MIUI Cloud Messaging uses SIM and device identifiers (phone number, IMSI and IMEI) for routing messages between two users, in the same way as some of the most popular messaging services.

Users' phonebook contact data or social graph information (i.e. the mapping between contacts) are never stored on Cloud Messaging servers, and message content (in encrypted form) is not kept for longer than necessary."

The primary identifiers used to route messages are the sender and receiver’s phone numbers. When a user's text message is sent, if the device is connected to the Internet, the Cloud Messaging system automatically attempts to route the message via IP rather than carrier gateways. If the receiver is offline, the system falls back to the original method.

When a MIUI user opens a text message or phonebook contact, or creates a new contact, the device connects to the Cloud Messaging servers, forwards the phone number of that contact and requests the online status of the user. This, in turn, changes an icon color next to the user so the sender knows whether or not sending a message will incur SMS costs.

In other words, Xiaomi says that user phone numbers are only used to look up the online status of a receiving device and in order to route messages.

However, to alleviate security concerns, an update released yesterday added an extra layer of security which encrypts phone numbers when they are sent to Cloud Messaging servers. MIUI Cloud Messaging is also now an opt-in service which no longer automatically activates for users.

"New users or users who factory reset their devices can enable the service by visiting 'Settings > Mi Cloud > Cloud Messaging' from their home screen or 'Settings > Cloud Messaging' inside the Messaging app -- these are also the places where users can turn off Cloud Messaging," Barra said. "We apologize for any concern caused to our users and Mi fans."