Friday, September 12, 2014

XiaoMi phone - Analysis Part 1 - Privacy Issue

With a brand new Xiao Mi 1S (Singapore version) on hand, we can observe that the phone automatically sends various information back to the backend server, even though we have not inserted a SIM card or logged in with a Google or Mi Cloud account.

(a) Once the phone boots up, it sends a list of installed packages to 'policy.app.xiaomi.com'. Well.

POST /cms/interface/v1/checkpackages.php HTTP/1.1
Content-Length: 778
Content-Type: text/plain; charset=ISO-8859-1
Host: policy.app.xiaomi.com
Connection: Keep-Alive

{"packages":["com.touchtype.swiftkey.xiaomi\/545390674","cn.wps.moffice_eng\/77","com.xiaomi.channel\/733","com.google.android.street\/18102","com.google.android.googlequicksearchbox\/300303110","com.facebook.katana\/381878","com.google.android.music\/1413","com.google.android.inputmethod.latin\/19133","com.google.android.apps.maps\/707001323","com.google.android.apps.docs\/1256331","com.google.android.apps.books\/30133","com.google.android.videos\/30251","com.google.android.talk\/20303130","com.google.android.apps.plus\/413065443","com.google.android.play.games\/15080136","com.google.android.gm\/4720010","com.miui.userbook\/7","com.google.android.youtube\/5527","com.google.android.apps.magazines\/140341352","com.android.chrome\/1750136"]}


HTTP/1.1 200 OK
Server: Tengine
Date: Wed, 30 Jul 2014 13:30:33 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Wed, 30 Jul 2014 13:30:33GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Length: 15

{"errCode":202}


(b) No SIM card is inserted in the phone. However, phone numbers are continuously sent to the backend server when we:
- add a new contact to the contact list
- dial a number on the dialpad
- send an SMS (the recipient's contact number is sent)


In this example, the phone number is transmitted in the HTTP parameter 'externalId', with the deviceId sent in the 'Cookie' header.

GET /pass/v3/user@id?type=MXPH&externalId=888888888 HTTP/1.1
User-Agent: armani_sg; MIUI/JHCSGBD27.0
Cookie: deviceId=
Host: api.account.xiaomi.com
Connection: Keep-Alive
Accept-Encoding: gzip

HTTP/1.1 200 OK
Server: Tengine/2.0.1
Date: Wed, 30 Jul 2014 13:44:04 GMT
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 68

{"result":"ok","description":"成功","data":{"userId":-1},"code":0}

The testing was carried out on JHCSGBD27.0
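
To spot the two requests above in an intercepting-proxy capture, the following is an added example (not code from the original post) that parses a raw HTTP request and reports which of the two patterns it matches. The sample requests are constructed, abbreviated copies of the ones shown above, and reading each package entry as "name/version number" is an assumption based on the captured body.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed samples, abbreviated from the two requests shown in the post.
SAMPLE_PACKAGES = (
    "POST /cms/interface/v1/checkpackages.php HTTP/1.1\r\n"
    "Content-Type: text/plain; charset=ISO-8859-1\r\n"
    "Host: policy.app.xiaomi.com\r\n"
    "\r\n"
    '{"packages":["com.facebook.katana\\/381878","com.android.chrome\\/1750136"]}'
)
SAMPLE_NUMBER = (
    "GET /pass/v3/user@id?type=MXPH&externalId=888888888 HTTP/1.1\r\n"
    "Cookie: deviceId=\r\n"
    "Host: api.account.xiaomi.com\r\n"
    "\r\n"
)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, URL parts, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, urlsplit(target), headers, body

def classify(raw):
    """Return a finding dict if the request matches either pattern, else None."""
    method, url, headers, body = parse_request(raw)
    host = headers.get("host", "")
    if method == "POST" and url.path.endswith("/checkpackages.php"):
        try:
            entries = json.loads(body).get("packages", [])
        except (ValueError, AttributeError):
            return None
        # Assumption: each entry is "<package name>/<version number>".
        pkgs = [tuple(e.rsplit("/", 1)) for e in entries if isinstance(e, str) and "/" in e]
        return {"kind": "package_inventory", "host": host, "packages": pkgs}
    ext = parse_qs(url.query).get("externalId")
    if method == "GET" and url.path.startswith("/pass/v3/user@id") and ext:
        return {"kind": "phone_number", "host": host, "number": ext[0],
                "has_device_cookie": "deviceid=" in headers.get("cookie", "").lower()}
    return None
```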