Xiaomi Officially Responds To Recent Backdoor Accusations


Xiaomi is one of the largest smartphone manufacturers in the world. The company was founded back in 2010, and it managed to become one of the largest Chinese smartphone manufacturers in only a couple of years. Xiaomi releases quite a few devices a year, and various reports in the past have accused the company of pre-installing adware, spyware and all sorts of other malicious software on its devices. The company basically always responds to such accusations and explains the situation, so it’s not exactly wise to jump to conclusions. We’ve had a similar situation today; read on.

Earlier today, we stumbled upon a report claiming that Xiaomi can install any app on its devices without you knowing it. This information came from Thijs Broenink, a Computer Science student from the Netherlands. He figured out that Xiaomi’s AnalyticsCore.apk constantly runs in the background, and reappears even if you decide to delete it. This app, according to Broenink, checks for updates from Xiaomi every 24 hours, and sends all kinds of information to Xiaomi’s servers. If it finds an update on Xiaomi’s servers, in a file named ‘Analytics.apk’, the app installs it automatically. The update gets installed on your device without your knowledge, which is what makes this quite weird, and what seemingly scared Mr. Broenink.

We didn’t want to get ahead of ourselves and write about this until we had contacted Xiaomi to get an official explanation of what is going on here. The company was kind enough to offer an official response to Mr. Broenink’s post. Here’s what they had to say: “AnalyticsCore is a built-in MIUI system component that is used by MIUI components for the purpose of data analysis to help improve user experience, such as MIUI Error Analytics. As a security measure, MIUI checks the signature of the Analytics app during installation or upgrade to ensure that only the APK with the official and correct signature will be installed. Any APK without an official signature will fail to install. As AnalyticsCore is key to ensuring better user experience, it supports a self-upgrade feature. Starting from MIUI V7.3 released in April/May, HTTPS was enabled to further secure data transfer, to prevent any man-in-the-middle attacks.”


According to Xiaomi’s statement, this app functions more or less as Mr. Broenink described: in addition to sending usage reports (which are used to improve user experience), the app also pulls updates from the server if they’re available. Xiaomi also said that MIUI (Xiaomi’s user interface, pre-installed on every single one of its devices) checks the signature of the AnalyticsCore app before installation in order to make sure that the update is official; otherwise it won’t install it. So, all in all, the AnalyticsCore app does support the auto-update feature, though Xiaomi claims that this only improves user experience, nothing else, and it seems like this ‘issue’ was blown way out of proportion.