<<<
Thursday, August 14, 2014
>>>
 
Testing the Xiaomi RedMi 1S - now with OTA update Posted by FSLabs @ 05:42 GMT

On August 10 Xiaomi addressed privacy concerns related to the MIUI Cloud Messaging function of its smartphones by releasing an OTA update intended to make this an opt-in feature, rather then a default one.

Since we already had the phone set up, we downloaded and applied the update to the same Redmi 1S phone we used in the previous testing:

xiaomi_otaupdate (48k image) xiaomi_phone (124k image)

Then we factory reset it. Once the phone restarted, we noted that cloud messaging is now by default set to Off under Settings:

xiaomi_phone_settings (42k image)

We then went through the following steps:

   • Add a new contact
   • Send and receive an SMS message
   • Make and receive a phone call

During these activities, we did not see any data being sent out from the phone.

Next, we activated the cloud messaging function and logged into the Mi Cloud. At this point, we saw base-64 encoded traffic being sent to https://api.account.xiaomi.com:

for_xm_cropped (181k image)

Note that this is now over HTTPS rather than HTTP, as seen in our previous testing. We had to use a HTTPS proxy in order to view what was being passed:

traffic_cropped (33k image)

This was a quick test to check if the update had addressed points highlighted in various media reports. Xiaomi VP Hugo Barra has also posted more details of the MIUI Cloud Messaging implementation.






<<< Ransomware Race (Part 3): SynoLocker Under The Hood
|
Ransomware Race (Part 4): Adult Content, Browlock's Staying Power >>>