Security audit raises severe warnings on Chinese smartphone models

GURPS

The Xiaomi phone includes software modules specifically designed to leak data to Chinese authorities and to censor media related to topics the Chinese government considers sensitive. The Huawei phone replaces the standard Google Play application store with third-party substitutes the NCSC found to harbor sketchy, potentially malicious repackaging of common applications.

The OnePlus 8T 5G—arguably, the best-known and most widely marketed phone of the three—was the only one to escape the NCSC's scrutiny without any red flags raised.

Xiaomi's Mi 10T 5G ships with a nonstandard browser called "Mi Browser." The NCSC found two components in Mi Browser which it didn't like—Google Analytics, and a less familiar module called Sensor Data.

The Google Analytics module in Mi Browser can read from the device's browsing and search history and can then send that data to Xiaomi servers for unspecified analysis and use. The Google Analytics module is activated automatically by default during the phone's first activation or after any factory reset.

The NCSC found that Sensor Data's module collects statistics on 61 parameters related to application activity, including time of app activation, language used, and so forth. These statistics are encrypted and sent to Xiaomi servers in Singapore, a country which the NCSC notes is not covered by the EU's GDPR and has been tied to excessive data collection and abuse of user privacy.

The NCSC also found that the user's mobile phone number is silently registered to servers in Singapore via encrypted SMS message on activation of default Xiaomi cloud services. The mobile phone number is sent whether the user ties it to a new cloud account or not, and the encrypted SMS is not visible to the user.
