Xiaomi trackers and backdoors (Update)

In my last post, I had described how I had found a constant tcp connection in the background that I suspected of being a backdoor or tracking app. Further to this, I investigated this matter more by rooting my tablet and running the netstat command in super-user mode to check what processes (apps) were actually listening on these connections.

Of course, I should mention credits to this xda-developers post that thoroughly explains how to remove some pre-installed bloatware from the MIUI such as Analytics-core app that constantly leeches your network and others like Live wallpaper themes that I’m not personally interested in.

Anyways, after removing all this bloat, the tcp connections in background didn’t go entirely, but were reduced to a substantial degree:


As you can see, the established connections were from three apps specifically. Two of them were from Google which unfortunately we can’t do anything about. Since a lot of software and services are depending on Google (including the Android OS itself), Google surveillance is something that we have to accept as part of our life.

The third process, however, is not of Google. It belongs to com.xiaomi.xmsf or in other words, the Xiaomi Service Framework.  This is one of the core system apps in the MIUI, so you can’t just disable it in a firewall – if you do that, none of the other apps will be able to access internet. In other words, this Xiaomi service is pretty much like the Windows 10 telemetry, you can’t do anything about it.

In any case, I am glad that at least I’ve reduced some bloatware on my tablet and also reduced the network overhead to some degree.

If you want, you can try this yourself and let me know in the comments below.


Xiaomi has backdoors in their phones

I didn’t believe it at first when I read this article today. However, if you are that power-user kind of guy or gal who isn’t afraid of the command line, you can do the same experiment that I performed and discover the hidden backdoors in the very backyard of your Xiaomi phone or tablet. Here is what I did on my stock Xiaomi MiPad-1 tablet running the KitKat based MIUI (Global ROM v7.5.2.0) to discover these backdoors (you don’t need to be rooted in order to do this):

  1. Head over to the Play Store and install any terminal app, the one from Jack Palevich is the standard one.
  2. Disconnect from Internet and restart the device (Make sure that you greenify all apps that start automatically in background like WhatsApp/Skype before that).
  3. Now, without connecting to the Internet, open the terminal app and run this command to check for open tcp connections: netstat -atp
  4. It should show you zero connections as you are not online yet.
  5. Now, start the internet and after a few seconds, run that command again. What should you ideally see? Zero connections because you don’t have any app running yet. However, this is what I saw:


What this means is that Xiaomi has a background app constantly running which establishes a connection with some backend servers as soon as you connect to the Internet. For example, as shown on the first line, an app is listening on the XMPP port and connected to the IP When I looked up this IP Address on the Internet, it was traced to some Chinese ISP, thus confirming my suspicion.

What this essentially means is that the person on the other end of this connection may be doing anything to our device through this established tcp connection. Now, it could well be the case that the app is genuinely listening for an update or something, but as we all know, a backdoor such as this can be exploited by any hackers and used in unintended ways.

By way of this post, its my sincere request to Xiaomi to fix these loopholes in their next updates. Updates should be checked by apps at certain frequency (like once in two days), not by constantly leeching in on the network resources. I really hope that some OTA update comes up soon that takes care of this.