Xiaomi says it only collects data it needs, but the app for this fitness band can read your text messages, access your camera, record through your microphone, and read your contacts. None of these are needed to track your heart rate or count your steps. Xiaomi says your data stays in your region, but the fitness band's app sends data to Xiaomi's advertising and tracking servers. Xiaomi is a Chinese company legally required to cooperate with Chinese intelligence services if asked — meaning your heart rate, sleep, and exercise data could be accessed by a foreign government no matter where you live.
What they claim: Xiaomi's privacy policy states it collects 'only the information that is necessary' and shares data only for stated purposes. The product page markets Smart Band 8 as a fitness and health tracker.
What we found: Mi Fitness app (com.xiaomi.wearable) requests 40 permissions including READ_SMS, RECEIVE_SMS, SEND_SMS (full SMS access), READ_CONTACTS, WRITE_CONTACTS (contact list access), CAMERA, RECORD_AUDIO (microphone access), READ_CALENDAR, WRITE_CALENDAR, and ACCESS_BACKGROUND_LOCATION. A fitness band that tracks heart rate and steps has no functional need to read, receive, or send SMS messages, access the camera, record audio, or modify contacts. These permissions enable data collection far beyond what is 'necessary' for fitness tracking.
What they claim: Mi Fitness app requests BODY_SENSORS and ACTIVITY_RECOGNITION permissions to collect continuous biometric data including heart rate, blood oxygen, sleep stages, stress levels, and menstrual cycle tracking.
What we found: Peer-reviewed research published in npj Digital Medicine (2025) found Xiaomi had one of the highest cumulative privacy risk scores among all wearable manufacturers evaluated across 24 criteria. The study specifically noted that sensitive health metrics from Xiaomi fitness bands, including sleep and heart rate data, were being sent to servers with inadequate data residency safeguards. Despite collecting medical-grade biometric data (heart rate variability, blood oxygen saturation, sleep stage analysis), Xiaomi has no HIPAA obligations and its privacy policy provides no specific retention periods for health data.
What they claim: Xiaomi's privacy policy mentions sharing data with 'advertising partners' using OAID/GAID identifiers but does not explicitly connect this to health data from wearables.
What we found: Mi Fitness app embeds Google Firebase Analytics, Google Crashlytics, and Xiaomi Analytics trackers. The app has hardcoded connections to sdkconfig.ad.xiaomi.com and api.ad.xiaomi.com, Xiaomi's advertising infrastructure. Combined with ACCESS_FINE_LOCATION and ACCESS_BACKGROUND_LOCATION permissions, this means biometric data from the band (heart rate, exercise patterns, sleep) can be correlated with precise location and fed into advertising profiles. A fitness band user would not expect their health data to power targeted advertising.
What they claim: The Smart Band 8 bootloader disables the SWD (Serial Wire Debug) interface on startup and uses OTA signature verification as security measures.
What we found: Security researcher Aaron Christophel demonstrated that the Ambiq Apollo4 Blue Lite MCU lacks hardware-level cryptographic protection. Physical access bypasses the SWD disable, enabling full firmware extraction and modification. Custom firmware can be flashed that could exfiltrate biometric data or alter health readings without detection. For a device worn 24/7 that collects heart rate, blood oxygen, sleep data, and menstrual cycle information, this means anyone with brief physical access (a partner, employer, or border agent) could install surveillance firmware undetectably.
What they claim: Xiaomi's privacy policy states data is disclosed to 'public bodies, courts, and law enforcement agencies' only under 'specific requirements made in accordance with applicable law.'
What we found: China's National Intelligence Law (Article 7) requires all organisations and citizens to 'support, assist, and cooperate with national intelligence efforts.' Xiaomi is headquartered in Beijing. The privacy policy provides no transparency mechanism for reporting government data requests and no warrant canary. Mozilla's *Privacy Not Included review flagged the Mi Band ecosystem as concerning for privacy. For 240+ million Mi Band users globally, there is no way to know whether Chinese intelligence has accessed biometric data, as Xiaomi would be legally prohibited from disclosing such access.
What they claim: Xiaomi's general privacy policy defers health data practices to the Mi Fitness app privacy policy, fragmenting user understanding across multiple documents.
What we found: Users must read at least three separate privacy policies to understand data collection: the Xiaomi general privacy policy (privacy.mi.com), the Mi Fitness privacy policy (watch.iot.mi.com), and the Xiaomi Account privacy policy. Meanwhile, the app requests READ_SMS, SEND_SMS, READ_CONTACTS, WRITE_CONTACTS, CAMERA, and RECORD_AUDIO, permissions that are not prominently disclosed in the product marketing or the fragmented privacy documentation. The $35 price point targets users in developing markets who are least likely to read multiple privacy policies in English.
What they claim: Mi Fitness requests RECEIVE_BOOT_COMPLETED and REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permissions.
What we found: These permissions ensure Mi Fitness starts automatically when the phone boots and runs continuously without being killed by Android's battery optimisation. Combined with 40 permissions including background location, body sensors, and advertising tracker connections (sdkconfig.ad.xiaomi.com, api.ad.xiaomi.com), this creates a persistent data collection service that operates 24/7. The FCC filing lists the manufacturer as Hao Ming Electronics, not Xiaomi — obscuring the actual data controller in regulatory records. Users cannot easily determine who controls their biometric data from the regulatory filing alone.
What they claim: Xiaomi markets the Smart Band 8 with '16 days battery life' and emphasises health tracking features: heart rate monitoring, SpO2, sleep tracking, stress monitoring, and women's health management.
What we found: The product page emphasises health benefits and long battery life but does not mention that the companion app communicates with 11 hardcoded endpoints including advertising servers (sdkconfig.ad.xiaomi.com, api.ad.xiaomi.com) and tracking infrastructure (tracking.miui.com, data.mistat.xiaomi.com). The marketing presents the band as a health device, but the infrastructure reveals it is also a data collection platform feeding Xiaomi's advertising business. The Zepp Health/Huami corporate structure means biometric data flows through multiple corporate entities across jurisdictions, further obscuring accountability.
What they claim: Xiaomi's privacy policy states it does not sell personal information to third parties.
What we found: While Xiaomi may not technically 'sell' data, Mi Fitness embeds Google Firebase Analytics and Xiaomi Analytics trackers that share data with advertising partners. The app requests GET_ACCOUNTS (Google account access) and uses OAID/GAID advertising identifiers to correlate fitness data with ad profiles. The distinction between 'selling' data and 'sharing' data with advertising partners through embedded trackers is meaningless to users whose biometric data ends up in advertising systems either way.
What they claim: Xiaomi's IoT Privacy White Paper states data is 'processed in the region closest to the user' and the privacy policy emphasises data protection standards equivalent to GDPR.
What we found: Firmware analysis reveals hardcoded endpoints including sdkconfig.ad.xiaomi.com and api.ad.xiaomi.com (advertising infrastructure), tracking.miui.com (telemetry/tracking), and data.mistat.xiaomi.com (Xiaomi statistics). These advertising and tracking endpoints transmit data to Xiaomi's infrastructure regardless of the user's region. Xiaomi is subject to China's National Intelligence Law (Article 7), which may compel data access by Chinese intelligence services from any server globally, contradicting the implication of regional data sovereignty.
What they claim: The Smart Band 8 is a BLE-only wearable (no Wi-Fi, no cellular) that communicates exclusively through a paired smartphone.
What we found: Mi Fitness requests ACCESS_BACKGROUND_LOCATION, ACCESS_FINE_LOCATION, NEARBY_WIFI_DEVICES, and CHANGE_WIFI_STATE permissions. While BLE scanning requires location permissions on Android, the combination with NEARBY_WIFI_DEVICES and CHANGE_WIFI_STATE enables Wi-Fi-based location tracking and network scanning beyond what BLE communication requires. The REQUEST_IGNORE_BATTERY_OPTIMIZATIONS permission ensures the app runs continuously in the background, maintaining persistent data collection even when the user is not actively using the fitness band.
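One way to reproduce the permission and endpoint findings above on any companion app, as an added example that is not the report's own tooling: parse the app's AndroidManifest.xml for requested permissions, compare them against a baseline of what a BLE-only fitness companion plausibly needs, and flag hostnames that match advertising or telemetry infrastructure patterns. The baseline set, the hostname markers and the sample manifest are assumptions constructed for this example; the hostnames are the ones named in the report plus one constructed benign host.

```python
# Added example: audit an Android manifest's permissions and a host list against
# what a BLE-only fitness tracker app needs. Not the report's own tooling.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: permissions a BLE fitness companion plausibly needs.
# Location is included because Android ties BLE scanning to it.
FITNESS_BASELINE = {
    "BLUETOOTH", "BLUETOOTH_ADMIN", "BLUETOOTH_SCAN", "BLUETOOTH_CONNECT",
    "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "BODY_SENSORS",
    "ACTIVITY_RECOGNITION", "INTERNET", "POST_NOTIFICATIONS",
}
# Permissions the report names that expose data unrelated to fitness tracking.
HIGH_RISK = {
    "READ_SMS", "RECEIVE_SMS", "SEND_SMS", "READ_CONTACTS", "WRITE_CONTACTS",
    "CAMERA", "RECORD_AUDIO", "READ_CALENDAR", "WRITE_CALENDAR",
    "ACCESS_BACKGROUND_LOCATION", "GET_ACCOUNTS",
}
# Hostname fragments that indicate advertising or telemetry infrastructure (assumed markers).
AD_TRACKING_MARKERS = (".ad.", "tracking.", "mistat.", "firebase", "crashlytics")

def manifest_permissions(xml_text):
    """Return the short names of every <uses-permission> entry in a manifest."""
    root = ET.fromstring(xml_text)
    names = set()
    for el in root.iter("uses-permission"):
        full = el.get(ANDROID_NS + "name") or ""
        names.add(full.rsplit(".", 1)[-1])  # android.permission.READ_SMS -> READ_SMS
    return names

def audit_permissions(perms):
    """Split requested permissions into those beyond the baseline and the high-risk subset."""
    excess = perms - FITNESS_BASELINE
    return {"excess": sorted(excess), "high_risk": sorted(excess & HIGH_RISK)}

def classify_endpoints(hosts):
    """Return the hostnames that look like advertising or tracking endpoints."""
    return sorted(h for h in hosts if any(m in h for m in AD_TRACKING_MARKERS))

# Constructed sample manifest; not the real com.xiaomi.wearable manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
<uses-permission android:name="android.permission.BODY_SENSORS"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>"""
SAMPLE_HOSTS = ["api.ad.xiaomi.com", "tracking.miui.com", "data.mistat.xiaomi.com", "watch.iot.mi.com"]

if __name__ == "__main__":
    print(audit_permissions(manifest_permissions(SAMPLE_MANIFEST)))
    print(classify_endpoints(SAMPLE_HOSTS))
```

On a real APK the manifest is binary-encoded, so feed this the decoded XML from a tool such as apktool or aapt rather than the raw file.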