Xiaomi says they only collect what's necessary, but their smart home app demands access to your phone's unique hardware IDs, microphone, infrared transmitter, and the ability to launch activities in the background — plus it has 8 tracking libraries built in, including advertising networks from ByteDance and Tencent. Managing a smart plug doesn't require any of this. Xiaomi says they don't sell your data, but independent investigations found they send up to 61 types of information to Chinese servers, track your web browsing even in private mode, and have been hit with GDPR complaints across Europe for illegally transferring data to China. Saying 'we don't sell data' while transmitting it to servers in Beijing and Singapore is misleading at best.
What they claim: Xiaomi Mi Home privacy policy states: 'We will only collect the information that is necessary for its specified, explicit and legitimate purposes.' Policy also states Wi-Fi credentials 'will not be uploaded to the server' and are 'encrypted and stored locally on your device.'
What we found: The Xiaomi Home app (com.xiaomi.smarthome v11.2.700) requests 52 permissions including READ_PRIVILEGED_PHONE_STATE (access to IMEI, IMSI, and SIM serial number beyond standard phone state), TRANSMIT_IR (infrared transmitter control), INTERNAL_SYSTEM_WINDOW (system-level window overlay), START_ACTIVITIES_FROM_BACKGROUND (launch activities without user interaction), and RECORD_AUDIO — none of which are necessary for managing a smart home hub. The app also embeds 8 trackers including Pangle (ByteDance's ad network), Tencent Stats, JiGuang Aurora Mobile JPush (Chinese push notification service), and Facebook Analytics/Login/Share — advertising and social media SDKs that have no connection to smart home functionality.
What they claim: A smart home hub companion app should need permissions for device discovery (Wi-Fi, Bluetooth, location) and basic device management.
What we found: The Xiaomi Home app requests CAMERA, RECORD_AUDIO, READ_PHONE_STATE, READ_PRIVILEGED_PHONE_STATE, TRANSMIT_IR, NFC, and INTERNAL_SYSTEM_WINDOW — far exceeding what is needed to control Zigbee/BLE/Wi-Fi smart home devices. The hub itself supports three protocols (Wi-Fi, Zigbee, BLE Mesh) but the app's permissions suggest extensive phone hardware access beyond device management. The app includes Pangle (ByteDance ad network) and JiGuang Aurora Mobile JPush — advertising and Chinese push notification infrastructure built into what should be a device management utility.
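Added example (not from the original page or from Xiaomi): a small manifest triage script that reads the uses-permission entries of a decoded AndroidManifest.xml, separates the baseline a hub companion app needs (network, Bluetooth, location for BLE scanning, as assumed above) from the excess, and groups the excess by what it enables. The manifest, package name and category sets are constructed for illustration; the review logic is the reusable part.

```python
# Triage of <uses-permission> entries from a decoded AndroidManifest.xml,
# comparing them with what a hub-control app plausibly needs. Hypothetical
# example; the manifest below is constructed, not dumped from the real app.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Baseline for discovery and control of Wi-Fi / BLE devices (location is
# required for BLE scanning on Android, so it is counted as expected).
EXPECTED = {P + n for n in (
    "INTERNET", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE", "CHANGE_WIFI_STATE",
    "BLUETOOTH", "BLUETOOTH_ADMIN", "BLUETOOTH_SCAN", "BLUETOOTH_CONNECT",
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION")}

# Excess permissions grouped by what they enable, to steer the review.
CATEGORIES = {
    "identity/fingerprinting": {"READ_PHONE_STATE", "READ_PRIVILEGED_PHONE_STATE",
                                "GET_ACCOUNTS", "AUTHENTICATE_ACCOUNTS"},
    "sensor capture": {"CAMERA", "RECORD_AUDIO"},
    "extra phone hardware": {"TRANSMIT_IR", "NFC"},
    "ui/background control": {"INTERNAL_SYSTEM_WINDOW", "SYSTEM_ALERT_WINDOW",
                              "START_ACTIVITIES_FROM_BACKGROUND", "WRITE_SETTINGS"},
}
# Signature/privileged protection level: stock Android does not grant these to
# a normally installed app, so the request matters most on the vendor's own firmware.
SIGNATURE_LEVEL = {"READ_PRIVILEGED_PHONE_STATE", "INTERNAL_SYSTEM_WINDOW"}

def triage(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    report = {"expected": sorted(requested & EXPECTED), "excess": {},
              "signature_level": [], "unclassified": []}
    for perm in sorted(requested - EXPECTED):
        short = perm[len(P):] if perm.startswith(P) else perm
        cat = next((c for c, names in CATEGORIES.items() if short in names), None)
        if cat is None:
            report["unclassified"].append(perm)   # vendor/custom permission: look it up
        else:
            report["excess"].setdefault(cat, []).append(short)
        if short in SIGNATURE_LEVEL:
            report["signature_level"].append(short)
    return report

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hubapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.TRANSMIT_IR"/>
  <uses-permission android:name="android.permission.START_ACTIVITIES_FROM_BACKGROUND"/>
  <uses-permission android:name="android.permission.INTERNAL_SYSTEM_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="com.example.CUSTOM_THING"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against the manifest pulled from an APK with a decoder such as apktool and compare the "excess" groups with what the app actually does on screen.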
What they claim: The Xiaomi Home app is presented as a smart device management utility for controlling home IoT devices.
What we found: The app requests READ_PRIVILEGED_PHONE_STATE (access to IMEI, IMSI, SIM serial — device fingerprinting), START_ACTIVITIES_FROM_BACKGROUND (launch code without user awareness), and INTERNAL_SYSTEM_WINDOW (overlay on top of other apps). These are surveillance-grade permissions. Combined with the Lithuanian government's finding that Xiaomi devices can remotely enable censorship and the Forbes finding of incognito-mode data collection, these permissions enable comprehensive user surveillance far beyond smart home management. The 8 embedded trackers (including Chinese services Bugly, JiGuang JPush, Tencent Stats, and Pangle) provide multiple data exfiltration channels.
What they claim: Xiaomi Mi Home privacy policy states: 'We do not sell any personal information to third parties' and claims data is shared only with service providers for legitimate purposes.
What we found: Lithuania's National Cyber Security Centre (NKSC, September 2021) found Xiaomi's Mi Browser collects up to 61 data points about the device and owner, sending data to Google Analytics and Chinese servers. Data was transmitted to servers in Singapore — outside GDPR jurisdiction. Austrian privacy group noyb filed GDPR complaints in January 2025 across five European countries alleging Xiaomi unlawfully transfers European users' data to China. Xiaomi's own privacy policy admits to data centres in Beijing, Russia, Singapore, United States, and Germany. The Forbes investigation (May 2020) confirmed Xiaomi phones send browsing data (including incognito mode) to Alibaba servers in Singapore and Russia, encoded in trivially decodable base64.
What they claim: Xiaomi's privacy policy presents the company as privacy-respecting with GDPR compliance and transparent data practices.
What we found: Lithuania's NKSC discovered a secret censorship module in Xiaomi Mi 10T 5G capable of detecting and censoring 449 politically sensitive keywords (Free Tibet, democratic movement, Long Live Democratic Taiwan) in both Chinese and Latin characters. While disabled in EU devices, the keyword list is still periodically updated and can be remotely re-enabled at any time without user permission. Lithuania's Deputy Defence Minister recommended government institutions stop using Xiaomi devices.
What they claim: Xiaomi's privacy policy states: 'We will not transfer your personal data to our business partners for use by our business partners in direct marketing.'
What we found: The Xiaomi Home app (v11.2.700) embeds Pangle — ByteDance's advertising SDK used for targeted ad serving and user profiling. It also includes Facebook Analytics, Facebook Login, and Facebook Share SDKs which enable cross-platform user tracking and ad targeting by Meta. Tencent Stats provides analytics to Tencent's advertising ecosystem. These are not 'service providers' — they are advertising networks whose core business model is direct marketing through user data.
What they claim: Xiaomi Mi Home privacy policy states data is processed across data centres in Beijing, United States, Russia, Singapore, and Germany with appropriate safeguards for international transfers.
What we found: Hardcoded firmware endpoints show primary communication to ot.io.mi.com and api.io.mi.com (Chinese Xiaomi servers), with regional variants de.ot.io.mi.com (Germany), sg.ot.io.mi.com (Singapore), us.ot.io.mi.com (US). However, tracking.miui.com is a Chinese tracking server with no regional variant. The Forbes investigation confirmed data flowing to Alibaba servers in Singapore and Russia. China's Data Security Law (June 2021) requires Chinese enterprises to 'support, assist and cooperate with law enforcement' on data concerning national security — meaning all data on Chinese servers is accessible to the Chinese government.
What they claim: Xiaomi's IoT Privacy White Paper states smart device connections use HTTPS encryption and the privacy policy promises 'reasonable physical, electronic, and managerial procedures to protect the information.'
What we found: CVE-2024-45347 (CVSS 9.6 Critical): Authentication bypass in Xiaomi Interconnection Application allows attackers to gain unrestricted access to user devices. CVE-2023-26317: Command injection in Xiaomi routers via external interface enables remote code execution. CVE-2020-14100: Command injection in Xiaomi router R3600 via set_WAN6 interface. The gateway firmware has UART serial console with default root access. Hardcoded endpoints include tracking.miui.com — a dedicated telemetry/tracking server.
What they claim: Xiaomi's IoT Privacy White Paper describes data transmission using HTTPS encryption and AES-128 storage encryption.
What we found: Oversecured discovered 20 dangerous vulnerabilities across Xiaomi system apps and components (April 2023), including: access to arbitrary activities/receivers/services with system privileges, theft of arbitrary files with system privileges, shell command injection via System Tracing app, and disclosure of phone settings and Xiaomi account data. The Forbes investigation found browsing data was encoded in base64 (trivially decodable) rather than properly encrypted. Hardcoded endpoint tracking.miui.com indicates persistent device telemetry collection beyond what the privacy white paper discloses.
What they claim: Xiaomi's IoT Privacy White Paper states that MAC address data is collected for 'App Functionality' and 'Device Functionality' and is transmitted with HTTPS encryption.
What we found: The Xiaomi Home app requests ACCESS_COARSE_LOCATION and ACCESS_FINE_LOCATION (precise GPS coordinates), plus AUTHENTICATE_ACCOUNTS and GET_ACCOUNTS (access to all accounts on the device). The app also has the WRITE_SETTINGS permission, allowing modification of system settings. These go far beyond MAC address collection for device connectivity. The IoT White Paper's data inventory table shows MAC addresses with 'No Encryption' for data storage — contradicting the policy's encryption commitments.