Is there any way to decode the content of HTTPS? Like installing a certificate on the phone and using man-in-the-middle to get the decoded content; I think it's possible.
Or the phone may use a private protocol (not HTTP/HTTPS) and it's hard to decode?
From the report, the tested phone sends the IMEI and phone number over HTTP; it does not mention whether the phone sends SMS over HTTP or in unencrypted form.
In my opinion, users don't know whether their messages are sent the traditional way or over the data connection; the phone needs to query whether the SMS receiver has also enabled the company's SMS-via-data-connection feature, and if yes, it sends via the data connection. I think this mechanism is OK for me, but it's better to encrypt the "Query".
According to Engadget, there is a fix on the way: "With today's ROM update, users of fresh or factory-restored Xiaomi devices will have to manually enable the cloud messaging function, meaning there should be no more stealthy connections back to Beijing."
To my understanding, my Android phone on Verizon would also upload my data (contacts, SMS, etc.) to the carrier's own cloud. My data would also get uploaded to Google's cloud as well.
Is Mi doing it without encrypting the data or without using SSL? Can someone explain this better?
In addition to the other commenters' responses, I'd like to point something out: when you use Verizon to send an SMS, you know that they can read it (and may or may not actually store it), whereas in this case, it was being done without the user's knowledge. That's the major problem for me. (Along with it being unencrypted... eww.)
The screenshot in the article shows it's an HTTP GET request, so no encryption, and the GET request makes it more likely it's getting stored not only in their DB but in access logs of other servers (web server, load balancers, proxies).
FYI, the bloatware named something along the lines of "Verizon Backup Assistant" does the same thing without asking for your privileges. It starts pushing your texts, contacts, photos, and possibly other bits of data up to their cloud for "safekeeping."
I think I bought a Samsung phone once as well which actually backed everything up to Lookout.com without my knowledge too.
BTW, I think Charles can do something similar. And it's got a very nice interface. I even used it to "cheat" Tinder by swiping yes to all matches (https://gist.github.com/philangist/e5f94bfb887f56958667) by reverse engineering the Tinder API.
It looks like what's sent to Xiaomi is telco information, IMEI and phone number(s) of: the device owner, all contacts, and anyone who's called or texted; if you enable their cloud services, the IMSI is sent as well.
The lack of SSL is far and away more surprising to me. If they're really sending the IMSI (and not a randomly generated Temporary) in the clear over HTTP... That would be a glaring oversight.
Apparently, it's some kind of cloud messaging service like iMessage, so you can send text chats via data connection between MIUI devices instead of SMS.
I am OK with this approach, but Xiaomi's problem is that it's enabled by default and it's unencrypted.
I think the title is bad; this new title makes it sound like it's a normal test of a mobile phone, while the article is actually about the security problem.