Xiaomi says your data is anonymized, but your phone sends your permanent device ID (IMEI) and hardware serial number to Xiaomi tracking servers — meaning they can always identify your specific phone regardless of what settings you change. Xiaomi gives you a button to turn off data collection, but researchers proved that turning it off doesn't actually stop your phone from reporting what apps you use and how long you use them.
What they claim: Xiaomi Home app requests RECORD_AUDIO, CAMERA, START_ACTIVITIES_FROM_BACKGROUND, SYSTEM_ALERT_WINDOW, STATUS_BAR_SERVICE, and DISABLE_KEYGUARD — 48 total permissions for a smart home control app
What we found: Xiaomi's product page markets the Redmi Note 13 as an affordable smartphone. The privacy policy does not justify why the companion smart home app needs microphone recording, camera access, the ability to start activities from the background, the ability to draw over other apps, status-bar service access, or the ability to disable the lock screen.
What they claim: Xiaomi privacy policy states collected data is 'anonymized' and users can opt out of analytics via Settings > System Security > Usage and Diagnostics
What we found: Firmware contains 9 hardcoded tracking/analytics endpoints including tracking.miui.com, data.mistat.xiaomi.com, sdkconfig.ad.xiaomi.com, and api.ad.xiaomi.com. Trinity College Dublin research confirmed these endpoints receive IMEI, hardware serial number, and installed app lists — persistent hardware identifiers that cannot be anonymized and survive factory resets. Even with analytics opted out, core telemetry continues.
What they claim: Xiaomi privacy policy does not disclose built-in content filtering or censorship capabilities in its firmware
What we found: Lithuanian National Cyber Security Centre (NCSC) audit found MIUI firmware contains MiAdBlacklist module capable of censoring 449 keywords (expanded to 1,376) related to Tibet, Taiwan, democracy movements, and Chinese political topics. This capability was disabled for EU devices but could be remotely re-enabled by Xiaomi at any time. The same MIUI/HyperOS codebase runs on the Redmi Note 13.
What they claim: Xiaomi Home companion app (com.xiaomi.smarthome) embeds 8 third-party trackers: Bugly, Facebook Analytics, Facebook Login, Facebook Share, Google Firebase Analytics, JiGuang Aurora Mobile JPush, Pangle (ByteDance ad network), and Tencent Stats
What we found: Xiaomi privacy policy generically mentions sharing data with 'trusted partners or service providers' and 'third-party SDKs' but does not name specific tracker partners, particularly Chinese ad networks Pangle (ByteDance/TikTok) and JiGuang Aurora Mobile, or disclose that Bugly and Tencent Stats send crash and usage data to Tencent servers in China.
What they claim: Firmware contains hardcoded endpoints sdkconfig.ad.xiaomi.com, api.ad.xiaomi.com, and globalapi.ad.xiaomi.com — dedicated advertising infrastructure baked into the operating system
What we found: Xiaomi privacy policy states data is used for 'providing personalised services and content, including ads' and 'device optimization', framing advertising as optional personalization. But hardcoded ad endpoints in firmware mean advertising data collection is architectural — built into the OS, not an optional feature.
What they claim: Xiaomi Home app embeds Pangle tracker — ByteDance/TikTok's advertising SDK that collects device fingerprints, app usage data, and ad interaction data
What we found: Multiple governments (Lithuania, India, US congressional committees) have raised national security concerns about data flowing to Chinese tech companies. Pangle (ByteDance) collects data on Xiaomi Home app users and sends it to ByteDance infrastructure. Xiaomi privacy policy does not disclose the national security implications.
What they claim: Xiaomi Home app requests AD_ID permission and embeds advertising trackers (Pangle, Facebook Analytics, Google Firebase Analytics) for a device companion app
What we found: Xiaomi's MIUI Privacy White Paper (Section 4.12) describes app usage data collection as necessary for 'improving user experience'. But embedding 3 separate advertising/analytics frameworks in a companion app reveals the app is an advertising platform monitoring behaviour for targeted ads, not just a device controller.
What they claim: 20 security vulnerabilities discovered by Oversecured in pre-installed Xiaomi system apps (Security, GetApps, Mi Video, Gallery, Settings, MIUI Bluetooth, ShareMe, Xiaomi Cloud) — all non-removable
What we found: Xiaomi Security Center (trust.mi.com) presents itself as proactively protecting user security with regular bulletins and patches. However, 20 vulnerabilities in non-removable system apps exposed users to system-privilege file theft, arbitrary activity access, XSS attacks, and account data disclosure — undermining the security posture Xiaomi markets.
What they claim: Xiaomi privacy policy provides opt-out: 'You can disable the collection of app usage data in Settings > System Security > Usage and Diagnostics'
What we found: Trinity College Dublin/University of Edinburgh peer-reviewed study found that even when all analytics and Usage and Diagnostics options are disabled, Xiaomi handsets continue transmitting app screen views, timing and duration of every app interaction, and installed app lists to Xiaomi servers in Singapore. The study states: 'There is no opt-out from this data collection.'
What they claim: Xiaomi initially publicly denied collecting browsing data, stating all data was anonymized and aggregated
What we found: Forbes investigation and independent security researchers demonstrated that Xiaomi's Mi Browser sent browsing history, search queries, and visited websites to Xiaomi servers — including when Incognito Mode was enabled. Xiaomi subsequently admitted to the data collection after the evidence was published, reversing their earlier denial.
What they claim: Xiaomi Home app requests READ_PRIVILEGED_PHONE_STATE permission granting access to IMEI, IMSI, phone number, and SIM serial number at the system level
What we found: Xiaomi privacy policy mentions collecting 'IMEI/OAID, GAID number, IMSI number' but categorizes this as routine 'device data' without explaining that READ_PRIVILEGED_PHONE_STATE is a system-level permission that bypasses normal Android privacy protections and provides deeper access than standard phone state permissions.
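To make the distinction above concrete (a runtime-prompted permission such as RECORD_AUDIO versus a signature|privileged one such as READ_PRIVILEGED_PHONE_STATE that a store-installed app can never be granted), here is an added manifest-audit script; it is not code from the report or from Xiaomi. The protection-level table is a simplified assumption taken from AOSP documentation, and the manifest and package name are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Simplified protection levels, assumed from AOSP documentation (not from the report).
# dangerous            = runtime prompt to the user
# normal               = granted silently at install
# signature            = only platform-signed apps
# signature|privileged = also apps preinstalled as privileged system apps,
#                        never a sideloaded or store-installed third-party app
PROTECTION_LEVEL = {
    "android.permission.RECORD_AUDIO": "dangerous",
    "android.permission.CAMERA": "dangerous",
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.READ_PRIVILEGED_PHONE_STATE": "signature|privileged",
    "android.permission.START_ACTIVITIES_FROM_BACKGROUND": "signature|privileged",
    "android.permission.STATUS_BAR_SERVICE": "signature",
    "android.permission.SYSTEM_ALERT_WINDOW": "signature|appop",
    "android.permission.DISABLE_KEYGUARD": "normal",
    "com.google.android.gms.permission.AD_ID": "normal",
}

# Constructed sample manifest with a hypothetical package name, for offline use.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.companion">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def audit_manifest(xml_text):
    """Group declared permissions by protection level and report whether the app
    only makes sense when shipped as a privileged (preinstalled) system app."""
    root = ET.fromstring(xml_text)
    groups = {"dangerous": [], "signature": [], "normal": [], "unknown": []}
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name")
        level = PROTECTION_LEVEL.get(name)
        if level is None:
            groups["unknown"].append(name)       # not in our table: review by hand
        elif level.startswith("signature"):
            groups["signature"].append(name)
        else:
            groups[level].append(name)
    # A signature|privileged permission cannot be granted to a store-installed app,
    # so declaring it means the app expects to be part of the firmware image.
    groups["needs_privileged_install"] = any(
        PROTECTION_LEVEL[p] == "signature|privileged" for p in groups["signature"])
    return groups

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against a manifest dumped from a real APK to see which requested permissions are runtime-prompted, which are granted silently, and which only work for a preinstalled privileged app.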
What they claim: Data transmitted to tracking.miui.com and data.mistat.xiaomi.com servers located in Singapore, outside EU GDPR and Australian Privacy Act jurisdiction
What we found: Xiaomi global privacy policy mentions cross-border data transfer generally but does not prominently disclose that core telemetry data — including hardware identifiers and app usage patterns — goes to Singapore servers where weaker data protection laws apply. Trinity College Dublin study specifically flagged this as a privacy concern for EU users.