Chinese Xiaomi, Oppo and OnePlus smartphones transmit a lot of personal data

  • Analysis of smartphones that feature firmware designed for the Chinese market reveals they leak data like a sieve.
  • Many third-party apps pre-installed on these handsets are granted extreme permissions without the user being fully aware of what is being captured.
  • This raises alarm bells as regards how China is able to monitor citizens beyond its borders and potentially gain insight into who they visit.

A team of researchers from the University of Edinburgh and Trinity College Dublin has published a paper analysing the traffic transmitted by a number of apps pre-installed on Chinese-made smartphones.

The findings were published in the paper, Android OS Privacy Under the Loupe – A Tale from the East, earlier this month and they are alarming to say the least.

“China is currently the country with the largest number of Android smartphone users. We use a combination of static and dynamic code analysis techniques to study the data transmitted by the preinstalled system apps on Android smartphones from three of the most popular vendors in China,” the researchers wrote in the paper’s abstract.

The analysis was conducted on three handsets running Android, namely:

  • Xiaomi Redmi Note 11 running Android 11/MIUI RGBCNXM,
  • Oppo Realme Q3 Pro running Android 11/realme UI v2.0 RMX2205_11_A.13,
  • OnePlus 9R running Android 11/ColorOS 11.2 LE2100_11_A.05.

The researchers note that while all of their analysis was conducted on phones purchased in China, the handsets may behave differently if they detect they are outside of China. To account for this, the researchers set up a network tunnel between their facility and a Huawei Cloud instance in Shanghai.

“The IP address observed by the backend server is thus that of the Huawei Cloud server located in Shanghai. We set up each handset using Chinese as the language to simulate a local user,” the paper reads.

The researchers found that these handsets can come out of the box with as many as 30 apps pre-installed. Furthermore, many of the pre-installed apps, including third-party apps, are granted a dangerous level of runtime permissions. There is, however, a difference between what is collected from phones intended for Chinese citizens and those for the global market.

When Chinese firmware is loaded on to the phone, the list of what is collected is far longer than the list of what isn’t. This includes information related to the user’s device, GPS coordinates, network-related identifiers, phone number, app usage and even their call history. All of this is captured and sent along to servers without users consenting or even knowing this data is being sent. Importantly, while this behaviour persists when the handset is outside of China, the firmware is the culprit here.

“In contrast, the data shared by the Global version of the firmware is mostly limited to device-specific information. Our study therefore highlights major differences in terms of how privacy provisions are enforced in different regions,” reads the conclusion.

The researchers point out that Google and Apple also collect data including IMEI, IMSI and telemetry data from users outside of China. However, the amount of data third-party apps are sending to Chinese mobile network operators and the likes of Baidu is incredibly alarming and stokes fears that China could gain insight into others through analysis of data gleaned from Chinese citizens outside of the country.

Still, this is a concern, and given how much big tech firms rely on data collection and analysis, it’s worth keeping a sharp eye on how our data is used, not just in China but around the world.

[Image – CC 0 Pixabay]

