Why So Sneaky Xiaomi: Preloaded Apps, Ads, Browser Breaches and More
Xiaomi is in the line of fire. A recent report pointed out a major security flaw where the company’s phones send a large amount of user data to remote servers outsourced by certain Chinese partners. The report said that data collected through preinstalled apps on Xiaomi’s MIUI interface include browsing history, accessed services, app usage behaviour as well as music listening preferences.
Xiaomi India did respond to the allegations in an official statement, saying that the claims are “incorrect and not true.” While the long statement might be enough to reassure consumers’ faith in the brand, the information given out by independent cybersecurity researcher Gabi Cirlig cannot be ignored. Considering I have reviewed a few Xiaomi smartphones in the past, there are certain things that do give the undeniable feeling that the company’s MIUI interface is flawed. And it is a consistent experience which makes me say that. I am absolutely not alleging that Xiaomi is saving user data to some remote servers, but there are certain things that make it pretty evident that some data is being collected. Even if it isn't, this doesn't help with the privacy sentiment which consumers are now becoming more aware of. Also, there is a lot of clutter and preloaded stuff on the custom Android ROM that is a bit of a nuisance.
I did a quick experiment by resetting a Redmi Note 9 Pro and going through the setup procedure in detail. Things look pretty much in order: the phone asks me to sign in to my Google account and for the regular set of permissions. Things start to get interesting once I get a prompt to log into my Xiaomi account. There is an Additional Settings page asking you to enable certain services. These include Location as well as prompts for User Experience Programme, sending diagnostic data automatically, personalized ads and Glance for Mi.
While the first one is straightforward, the user experience and diagnostic data is essential information sent to Xiaomi so they can analyze it and improve on bugs and issues in future updates. Now, this is something that a lot of manufacturers do and it doesn’t seem suspicious to a large extent.
Lastly, there is the Glance for Mi which is an information tab sitting on the left-most home screen of the phone. This gathers information to offer personalized content including app shortcuts, news, sports updates, calendar events, as well as suggestions to download apps.
In my opinion, you should switch off the personalized ads toggle during the setup, especially if you don’t want to be spammed with annoying notifications and pop-ups. If you plan to use the Glance for Mi feature, then keep the toggle on, else switch it off as well. The company accessing your data for User Experience and diagnostic data shouldn’t be an issue, but if you are protective of your data, you can turn them off, and that shouldn’t affect the functioning of the device.
The issues don’t stop here. The phone setup then asks whether you want to download additional apps, specifically from Xiaomi’s own app store. This is a problem in itself as a bunch of recommended apps having a size of over 1GB are pre-selected. I highly recommend deselecting all of them or skipping this step altogether to avoid loading your device with unnecessary apps. Through this, Xiaomi is technically force-feeding its own app store called ‘GetApps’ to customers. Xiaomi has confirmed that the app store has security certification based on tests carried out by Avast, Tencent, and Kingsoft. Having said that, Xiaomi’s app store still has certain apps that run in the background, display full-screen ads, and even monitor screen unlocking functionality. On top of that, unless you revoke notification access, the app store also throws random suggestions of apps for you to download. It is best to completely block all notification access from the GetApps store.
Despite skipping the optional installation of apps, you will notice that some apps are already installed on the phone. In my case, these included apps like Facebook, Amazon India, Helo, Zili, Opera Browser, and so on. Thankfully you have the option of completely removing these apps.
The pre-installed Xiaomi apps, which cannot be completely removed from the device, are yet again a nuisance. Apps like Mi Music and even the Clock app seek permission and ask you to agree to certain privacy policies. Unless you agree to them, you cannot use the app. The Music app, just like the GetApps store, will generate many notifications, hence revoking all notification access is advised.
Last but not least, there is the default Xiaomi browser app. I suggest you completely disable this app. Long press on the app icon, and revoke all permissions, notification access, clear data, and uninstall updates. Not only does this browser send you unnecessary notifications, but it also potentially sends user data to Chinese servers, even in Incognito Mode.
In case you own a Xiaomi smartphone, especially a Redmi or Poco device that runs on the company’s MIUI interface, chances are that you will face a similar experience. It is best to remove or disable the apps that you are less likely to use. Additionally, make sure that you disable notification access from all such apps. There shouldn’t be any issues with the company’s A-series phones as well as the Redmi Go, as they come with stock Android, although the ‘Mint Browser’ is a Xiaomi product.