(Some) Chinese Android Phones Leak and Censor User Data

One of the most commonly cited benefits of Android phones is the sheer number of options available to consumers.

You can find high-priced, well-built phones from companies like Samsung, and you can find low-quality, suspiciously cheap phones from companies the average consumer has never heard of.

While some of these lesser-known companies can give you decent hardware value for the money, it’s worth noting that not all software on these phones is created equal.

A security audit performed by the Lithuanian National Cyber Security Centre of three Chinese-made Android phones showed some troubling software practices in preinstalled apps.

The Phones

The phones covered in the NCSC audit were:

  • Huawei P40 5G
  • Xiaomi Mi 10T 5G
  • OnePlus 8T 5G

The Mi 10T and the OnePlus 8T are both mid-range phones, costing about $400-500. The P40 is a bit higher-end, costing around $900.

The Issues

Xiaomi Mi 10T 5G

The Xiaomi Mi 10T 5G seems to have the most problems.

This phone ships with a browser called the “MiBrowser”. This browser contains two programs designed to collect data on what the user does – Google Analytics and Sensor Data.

Google Analytics is fairly common in apps and on websites (including this one). Because it is built into the browser itself rather than into a single website, it collects data about all sites visited and all searches performed by the user. It then sends this information to servers controlled by Xiaomi. This obviously gives Xiaomi a “bird’s-eye” view of every website a user visits.

The Sensor Data software also collects data on how the user has set up and is using their phone (61 parameters, including browser settings, language settings, notification settings, etc.), and sends this data (encrypted) to Xiaomi servers in Singapore. The audit points out that Singapore is not covered by GDPR regulations concerning data collection and use, and that there have been reports of excessive (and unauthorized) data collection.

Additionally, the Xiaomi Cloud Service, which synchronizes contacts, call and message history, photos, Wi-Fi settings, browser history, etc., also uses servers located in Singapore.

Finally (and most troubling), several system apps (MiBrowser, Security, Cleaner, etc.) regularly download files from a Xiaomi server. These files contain “a list composed of the titles, names, and other information of various religious and political groups and social movements”. This blacklist is then used by the phone to analyze keywords and metadata of media being viewed on the phone – if a file contains any “objectionable” keywords, it can be blocked.

Since there is a phone number (and user account) tied to the phone, Xiaomi also knows who tried to view blacklisted information. I don’t know whether they share this information with the Chinese government, but it is possible.

Huawei P40 5G

The biggest issue with this phone seems to be the way it handles installing applications.

Huawei’s phones don’t use Google Play Services, so the Google Play Store isn’t installed. Instead, users use Huawei’s own AppGallery store.

However, if a user searches for an app that is not in AppGallery, the user is automatically and silently redirected to a 3rd-party app distribution store.

Apps in these stores raise two major problems. The first is that many of these stores operate from countries that do not follow GDPR regulations, so there is no guarantee that user data is not leaked all over the place. The bigger issue is that these apps are not screened for malicious code or viruses.

I mentioned a couple of months ago how the Google Play Store’s anti-malware software isn’t perfect, but it does help. Apps in these 3rd-party stores can be copies of well-respected apps, but with malicious code inserted. This code can track user behavior, steal passwords, collect personal information, and more.

Downloading an app from an untrusted 3rd-party without notifying the user of these dangers is asking for lots of trouble!

OnePlus 8T 5G

I’m pleased to report that there were no security concerns found in this OnePlus phone.

I have recommended OnePlus phones in the past, and I’m glad they are not (currently) shipping insecure software.

Conclusion

While Android phones offer more flexibility in software and capabilities, that flexibility means the user must take a more active role in securing their device. Users should understand good security practices and follow them, and they should know what can go wrong if a malicious app (or OS) gets installed.