
MIUI 11 Security and Privacy White Paper


Contents

1 Summary 1

2 Hardware and System Security 4
    Hardware Trusted Environment 5
    Secure Boot 7
    Security Kernel 9
    Network and Communication Security 9
    Device Control 10
    System Software Update 13

3 Encryption and Data Security 14
    Data Protection Architecture 15
    Key Management 17
    Encryption Application 18

4 Application Security 22
    Application Security Protection 23
    Application Security Features 27

5 Internet Service Security 31
    Mi Account 32
    Cloud 35
    Mi Pay 40
    Mi AI 43
    Image Intelligence 46
    Location-based Services 48
    MiPush 49

6 Security Certification and Privacy Policy 52

7 Peroration 55

8 Abbreviated Definition Table 57

Statement

Due to upgrades or adjustments of Xiaomi products or services and other reasons, the contents of this document may change. Xiaomi has the right to add, modify, delete and withdraw such contents. Please download the latest version from the official website in time.

This document is only used as a reference guide for users to understand the information security and privacy protection of MIUI and Xiaomi Cloud. Xiaomi provides the corresponding introductions based on the current MIUI version and the main hardware architecture in service. However, due to the potential problems such as technological upgrading, product iteration, changes in applicable laws and regulations, and consistency of wording, Xiaomi hereby explicitly declares that it does not make any express or implied guarantee for the completeness, accuracy, and applicability of the contents hereof.

The intellectual property rights of all original contents of Xiaomi in this document, including but not limited to pictures, architecture design, text description, etc., are owned by Xiaomi Technology Co. Ltd and its affiliated companies (hereinafter referred to as "Xiaomi") in accordance with law. Without Xiaomi's prior written permission, no unit, company or individual is allowed to extract, translate or copy part or all of the contents hereof without authorization.

If you find any errors in this document or have any questions about its contents, please contact Xiaomi via email at [email protected].

01 Summary


Summary

As a leading manufacturer worldwide, Xiaomi relentlessly builds amazing products at affordable prices to let everyone in the world enjoy a better life through innovative technology, which is also its corporate mission. In the era of the Internet of Things, given users' essential need for security and privacy in the products they use, Xiaomi attaches great importance to users' security and privacy.

MIUI, developed by Xiaomi, takes security and usability as its core. Every Mi phone combines software, hardware and services that are tightly integrated and work together for end-to-end security protection. This covers basic security capabilities such as hardware chips, the system kernel and data security, as well as the information security and privacy protection of key services such as Mi Account, Mi Pay, Xiaomi Cloud, voice AI and image AI.

Adhering to the principles of objectivity and transparency, this document introduces the security architecture, technical principles, functional design and privacy protection measures of MIUI in detail, so that Xiaomi users, developers, partners and relevant regulatory authorities can have a clearer understanding of the architecture and implementation of information security and privacy protection for Xiaomi's mobile phones and cloud services.

MIUI's security technology originates from a root of trust built in hardware, and the chain of trust is then extended through secure boot. The running state of applications is monitored by using and strengthening the Android security kernel to ensure the security of the operating system and applications. The security of the file system and user data is protected through encryption and data protection functions. Cloud services are comprehensively protected by separation of service functions and "Defence-in-Depth" protection. The figure below shows the logical structure of the Xiaomi MIUI Security and Privacy White Paper, which is also the narrative structure of this document.


Figure 1-1 White Paper Logic Structure

Hardware and System Security: Mi phone is the platform of a software and hardware integration, which includes hardware-supported TEE, secure boot, security kernel, network and communication security, device control and system software update.

Encryption and Data Security: The encryption application provided by the data protection architecture based on MIUI, can not only ensure the security of user data, but also improve the usability and convenience of MIUI as well.

Application Security: The basic protection mechanism and a series of application security features enable apps to run securely and protect the security of user data.

Internet Service Security: The capabilities of MIUI to protect users' privacy and data security for its main internet services, by implementing protective measures to the greatest extent.

Security Certification and Privacy Policy: Information on overall principles, organizational architecture, security and privacy certification, privacy policy and continuous improvement mechanism in the field of information security and privacy protection.


02 Hardware and System Security


Hardware and System Security

Hardware and system security is the foundation of application and data security, which provides the underlying framework for the overall security of MIUI, including hardware trusted environment, secure boot, security kernel, network and communication security, device control, system software update, etc.

Through the tight integration of hardware, system and services, MIUI ensures that every component has a security verification mechanism, from the initial boot through system software updates to the applications. These mechanisms ensure that user data is protected to the greatest extent.

Hardware Trusted Environment

Trusted Execution Environment (TEE)

MIUI supports the TEE (Trusted Execution Environment) secure operating system. TEE is a small, independent operating environment isolated from the main operating system, allowing applications with higher security and privacy demands to run with isolation from Android system.

Figure 2-1 Logical Architecture of Trusted Execution Environment


The software and hardware resources that the TEE can access are separated from the main operating system. The TEE provides a secure execution environment for trusted applications and enforces the confidentiality, integrity and access permissions of the data and resources belonging to those trusted applications. To guarantee the trustworthiness of the root of trust, the TEE is verified and isolated from the main operating system during the secure boot process.

Inside the TEE, each trusted application is independent of the others and cannot access another trusted application's secure resources without authorization. The TEE's internal API mainly covers resources and services such as key management, cryptographic algorithms, secure storage, secure clock and the extended trusted UI.

The trusted UI means that, when sensitive information is displayed or sensitive operations are performed (e.g. entering a PIN or password), hardware resources such as the screen display and keyboard are completely controlled by the TEE and cannot be accessed by software in the Android system.

Device Attestation

To ensure the trustworthiness of Mi phones, Xiaomi pre-installs a device certificate in the TEE that uniquely identifies each mobile phone, and the public keys of these certificates are centrally managed by Xiaomi's servers. In scenarios where a higher level of security is required, an application can send a verification request to Xiaomi's servers to verify the authenticity of the device.
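The challenge-response flow that paragraph describes, as an added example that is not part of the white paper and not Xiaomi's code: the server side keeps a registry of the public keys enrolled at manufacture and issues single-use nonces; the device signs the nonce with a private key that, on a real phone, would stay inside the TEE. The device ID, the message format and the choice of ECDSA P-256 are assumptions; the real service's wire protocol is not documented on this page.

```go
package main

// Added example (not Xiaomi's code): a challenge-response device attestation
// modelled on the white paper's description. The server holds enrolled public
// keys; the device holds a private key that would live in the TEE on a real
// phone. Device IDs and the message format are assumptions.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// AttestationServer knows each enrolled device's public key and remembers
// the nonces it has issued but not yet consumed.
type AttestationServer struct {
	registry map[string]*ecdsa.PublicKey
	pending  map[string][]byte
}

func NewAttestationServer() *AttestationServer {
	return &AttestationServer{registry: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}

// Enroll records the public half of a device's certificate at manufacture.
func (s *AttestationServer) Enroll(deviceID string, pub *ecdsa.PublicKey) {
	s.registry[deviceID] = pub
}

// Challenge issues a fresh random nonce for one verification round.
func (s *AttestationServer) Challenge(deviceID string) ([]byte, error) {
	if _, ok := s.registry[deviceID]; !ok {
		return nil, errors.New("unknown device")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[deviceID] = nonce
	return nonce, nil
}

// Verify checks the signed nonce against the enrolled key and consumes the
// nonce, so a captured response cannot be replayed in a later round.
func (s *AttestationServer) Verify(deviceID string, sig []byte) bool {
	nonce, ok := s.pending[deviceID]
	if !ok {
		return false
	}
	delete(s.pending, deviceID)
	return ecdsa.VerifyASN1(s.registry[deviceID], attestationDigest(deviceID, nonce), sig)
}

// attestationDigest binds the device identity and the nonce into one hash, so
// a signature produced for one device cannot be presented for another.
func attestationDigest(deviceID string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("device-attestation-v1|" + deviceID + "|"))
	h.Write(nonce)
	return h.Sum(nil)
}

// Device models the TEE-resident key; only Respond ever touches it.
type Device struct {
	ID   string
	priv *ecdsa.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// PublicKey is the part that gets enrolled on the server side.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// Respond signs the server's challenge together with the device identity.
func (d *Device) Respond(nonce []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, attestationDigest(d.ID, nonce))
}

func main() {
	srv := NewAttestationServer()
	dev, err := NewDevice("MI-EXAMPLE-0001") // constructed device ID
	if err != nil {
		panic(err)
	}
	srv.Enroll(dev.ID, dev.PublicKey())
	nonce, _ := srv.Challenge(dev.ID)
	sig, _ := dev.Respond(nonce)
	fmt.Println("genuine device verified:", srv.Verify(dev.ID, sig))
	fmt.Println("same response replayed:", srv.Verify(dev.ID, sig))
}
```

The two properties worth checking are that the response from a device whose key was never enrolled is rejected, and that a correct response cannot be reused: the server forgets the nonce as soon as it has been checked, so the second call with the same signature fails.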

Hardware Unique Key (HUK)

The HUK (Hardware Unique Key) is fixed into the motherboard during initial manufacture, differs for every phone and cannot be tampered with. It is accessible only by the hardware cryptographic engine, and it guarantees the uniqueness of the keys used for lock screen password protection and file system encryption.

Hardware Cryptographic Engine

Encryption and decryption are computationally intensive operations. For mobile devices, computing speed, energy conservation and security are equally important. Mi phones take these factors into account in their design and equip the device with a high-performance hardware cryptographic engine * so that the device achieves a balance of running speed, battery life and data security. The main algorithms supported by the cryptographic engine are:

● 3DES

● AES-128, AES-256

● SHA-1, SHA-256

● HMAC-SHA1, HMAC-SHA256

● RSA-1024, RSA-2048

● ECDSA-256

*Note: Some models are not equipped with hardware cryptographic engines.

Secure Boot

Secure boot verifies the digital signature of files and applications with the corresponding public keys to ensure the integrity and authenticity of each boot file or program, so that unauthorized programs cannot be loaded and run during the boot process.

Under the secure boot mechanism, the digital signature of each boot file (e.g. the Bootloader, kernel image, baseband) must be verified before it is allowed to load and run. If signature verification fails at any stage of the boot process, the boot process is terminated.

The SoC Boot ROM code is written into the chip's read-only ROM when the chip is manufactured and cannot be modified after leaving the factory. This code is the first to execute after the device is powered on.


1. When the device is powered on, the PC (program counter) points to the Boot ROM address inside the chip, and the code there is executed.

2. The Boot ROM loads the level I Bootloader from external storage, and the level I Bootloader is executed after verification.

3. The level I Bootloader loads the TEE OS image file.

4. The level I Bootloader loads the level II Bootloader, and the TEE OS verifies its integrity.

5. The level II Bootloader verifies and loads the kernel.

6. The kernel verifies and loads the MIUI system.

Figure 2-2 MIUI Secure Boot Process

After the device is powered on, the SoC Boot ROM first performs basic system initialization and loads the level I Bootloader from the Flash memory chip. It then uses the public key stored in the Fuse space inside the main chip to verify the digital signature of the level I Bootloader image, and runs the level I Bootloader after successful verification. The level I Bootloader then loads, verifies and executes the TEE OS image. Once the TEE OS is running, it verifies, loads and executes the level II Bootloader together with the level I Bootloader. The entire system is booted in this manner, so that the chain of trust is handed along the process and no unauthorized program is loaded or allowed to run.

The MIUI system supports Android Verified Boot 2.0 (AVB 2.0). During the boot process, the digital signature of the code for the next stage must be verified before entering it, to ensure its integrity and that it is free of known security defects. It verifies the components from the hardware root of trust to the Bootloader, then the boot partition and the other verified partitions (including system, vendor and optional OEM partitions). AVB helps prevent a persistent rootkit from holding ROOT privilege and ensures the security of the device during the boot process.
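The chain of trust in the six steps and the AVB description above, as an added example that is not Xiaomi's or Android's code: each stage image carries the public key that verifies the next stage, and the Boot ROM's only anchor is a fingerprint of the root key standing in for the value in the chip's fuses. The stage names, the image layout and the use of ECDSA P-256 are assumptions made for the illustration. What it shows is that a single modified byte in a later stage halts the boot at exactly that stage, and that a root key whose fingerprint does not match the fuse value is refused before any stage runs.

```go
package main

// Added example (not Xiaomi's or Android's code): a model of the multi-stage
// secure boot chain in the white paper. Each image carries the public key
// that verifies the next stage; the Boot ROM trusts only a key fingerprint
// standing in for the value burned into fuses. Stage names are assumptions.

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is one boot stage as stored in flash.
type Image struct {
	Name      string
	Code      []byte
	NextKey   *ecdsa.PublicKey // verifies the following stage; nil for the last one
	Signature []byte           // ECDSA signature over imageDigest(Code, NextKey)
}

// keyFingerprint is the value that would sit in one-time-programmable fuses.
func keyFingerprint(pub *ecdsa.PublicKey) []byte {
	h := sha256.New()
	h.Write(pub.X.Bytes())
	h.Write(pub.Y.Bytes())
	return h.Sum(nil)
}

// imageDigest covers the code and the key the stage hands onward, so neither
// can be swapped without invalidating the stage's signature.
func imageDigest(code []byte, next *ecdsa.PublicKey) []byte {
	h := sha256.New()
	h.Write([]byte("boot-image-v1"))
	h.Write(code)
	if next != nil {
		h.Write(keyFingerprint(next))
	}
	return h.Sum(nil)
}

// signImage is the factory-side signing step.
func signImage(name string, code []byte, next *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (Image, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, signer, imageDigest(code, next))
	return Image{Name: name, Code: code, NextKey: next, Signature: sig}, err
}

// Boot walks the chain from the Boot ROM onward and returns the stages that
// were verified and run; nothing after the first failed stage executes.
func Boot(fuseFingerprint []byte, rootPub *ecdsa.PublicKey, chain []Image) ([]string, error) {
	if !bytes.Equal(keyFingerprint(rootPub), fuseFingerprint) {
		return nil, errors.New("root key does not match fuse fingerprint; boot halted")
	}
	verifier := rootPub
	var booted []string
	for _, img := range chain {
		if !ecdsa.VerifyASN1(verifier, imageDigest(img.Code, img.NextKey), img.Signature) {
			return booted, fmt.Errorf("signature check failed at %q; boot halted", img.Name)
		}
		booted = append(booted, img.Name)
		if img.NextKey == nil {
			break
		}
		verifier = img.NextKey
	}
	return booted, nil
}

// BuildChain signs a four-stage chain from the last stage backwards: every
// stage is signed by the key its predecessor carries, the first by the root.
func BuildChain() (fuse []byte, rootPub *ecdsa.PublicKey, chain []Image, err error) {
	names := []string{"level-I-bootloader", "tee-os", "level-II-bootloader", "kernel"}
	chain = make([]Image, len(names))
	var next *ecdsa.PublicKey
	var signer *ecdsa.PrivateKey
	for i := len(names) - 1; i >= 0; i-- {
		if signer, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, nil, nil, err
		}
		if chain[i], err = signImage(names[i], []byte("code of "+names[i]), next, signer); err != nil {
			return nil, nil, nil, err
		}
		next = &signer.PublicKey
	}
	return keyFingerprint(next), next, chain, nil
}

func main() {
	fuse, root, chain, err := BuildChain()
	if err != nil {
		panic(err)
	}
	booted, err := Boot(fuse, root, chain)
	fmt.Println("clean boot:", booted, err)
	chain[3].Code[0] ^= 0xff // a modified kernel image in flash
	booted, err = Boot(fuse, root, chain)
	fmt.Println("tampered kernel:", booted, err)
}
```

Because the digest of a stage includes the key it carries, replacing the key inside the TEE OS image is detected at the TEE OS stage itself, not at the stage that key was meant to verify; that is the same reason AVB's signed metadata covers the hashes of the partitions it describes.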

Security Kernel

MIUI supports Android's native SELinux features and enforces mandatory access control on operations on all resources in the system, such as processes, files and directories. Any process that intends to perform an operation in the SELinux system must first be granted permission in the security policy configuration file. The access control policy file is protected during the boot process and is tamper-proof against third parties. With SELinux, MIUI can prevent malicious processes from reading and writing protected data, bypassing the kernel's security mechanisms, or attacking other processes.

MIUI supports KASLR (Kernel Address Space Layout Randomization), which lays out the kernel address space randomly on each boot. KASLR makes the kernel address space layout unpredictable and increases the difficulty of code-reuse attacks. It reduces the feasibility of many complex attacks and further strengthens the security of the system kernel.

Network and Communication Security

Secure Network Protocol

Using secure network protocols reduces the risk of data leakage and tampering when a user's device connects to the network. MIUI users can establish their own virtual private network (VPN) over public network connections. MIUI supports multiple VPN modes, including PPTP, L2TP/IPSec PSK, L2TP/IPSec RSA, IPSec Xauth PSK, IPSec Xauth RSA and IPSec Hybrid RSA. Users can select the VPN mode that suits their needs to access and transmit sensitive data.

MIUI's WLAN connection supports WEP, WPA/WPA2 PSK, 802.1x EAP, WAPI and other authentication methods to provide users with different levels of security.

The WLAN hotspot function of MIUI is disabled by default. When the user enables it, the WPA2 PSK authentication method is used by default to secure the connection. The WLAN hotspot function also supports blacklisting of device MAC addresses.

Protection from Fake Base Stations

A fake base station is a malicious radio communication device that exploits defects in communication systems to impersonate legitimate base stations. Attackers often use spoofed mobile phone numbers to send fraudulent or spam text messages to users around the fake base station. While the fake base station is operating, legitimate base station signals within a certain range are disturbed or even blocked, forcing users' mobile phones to connect to the fake station and affecting normal use.

MIUI provides users with a fake base station protection function * which prevents mobile phones from connecting to fake base stations. Users can turn on this function through "Settings"-"Additional settings"-"Privacy"-"protection from fake base stations" (in off state by default).

*Note: Only the Mi phones with Qualcomm chip support this function.

Recognize SMS from Fake Base Stations

Even when the "Protection from fake base stations" function is turned off, MIUI still provides the user with a function that identifies spam messages from fake base stations; it is independent of chip, model and version and available to all MIUI users.

An on-device AI machine learning model estimates how likely a base station is to be fake from the characteristics of how it attaches to the phone and from the text characteristics of its messages, and identifies SMS from fake base stations accordingly.

Protection from Wi-Fi Probe Requests

A WLAN probe sniffer identifies each user by listening to the Wi-Fi signals that electronic devices send over the air and extracting the MAC address from the packets. MIUI can send packets with random MAC addresses to prevent Wi-Fi probes from obtaining the phone's real MAC address *.

*Note: Most devices running MIUI 11 already support Wi-Fi probe protection in the unconnected state. In addition, phones upgraded to Android Q support Wi-Fi probe protection in the connected state.

Device Control

Find Device

MIUI provides users with the Find device function, which helps users find lost mobile phones and protects the data on them. This function is turned off by default and can be used only after the user turns it on manually. Once the user has enabled this function, if the phone is lost, the user can log in to the Xiaomi Cloud web page (https://i.mi.com) to remotely perform the following operations on the lost device: Locate, Sound, Lost mode, Erase data.

Locate: Get the current location of the mobile phone through the network or the Locate SMS command, and display it on a map.

Sound: Make the mobile phone ring through the network or the Sound SMS command, to find a phone that may be nearby.

Lost mode: Lock the mobile phone through the network or the Lost SMS command. After locking, the phone automatically reports its location periodically, and Mi Pay payment with the cards on this phone is terminated automatically.

Erase data: Reset the mobile phone through the network or the Erase SMS command, turning off data synchronization and unbinding Mi Pay bank cards at the same time.

Mobile Phone Unlocking Policy

In the situations when the user loses the mobile phone or forgets the password of Mi account, the mobile phone may be locked. MIUI has designed a variety of security policies to protect user's rights under this circumstance.

Activation: After the Find device function has been turned on, if the mobile phone is restored to factory settings, the credentials used when this locking function was turned on must be verified before the device can be reactivated.

Password reset: To prevent the credentials from being reset on a lost phone through mobile phone verification, the Find device function cannot be turned off within 3 days of a Mi account password reset. This gives the user who has lost the phone time to obtain a replacement SIM card and regain control of the account and the phone.

Customer service unlocking: If the user forgets the Mi account password and cannot retrieve it, MIUI provides an unlocking code on the phone's lock interface so that the user can unlock the phone through the customer service channel. Users who request to use the unlocking code must submit a complaint application, and the phone is unlocked only after a detailed manual review by customer service personnel.

In addition, when a mobile phone is lost, the screen lock password means it is very likely that someone will try to forcibly root it. MIUI stores the mapping between the account and the device on its cloud server (some devices also write the mapping into a special partition that is tamper-proof even with root), which preserves its integrity. When booting, the device is required to connect to the network and obtain the mapping from the server. If the currently logged-in account differs from the record on the server, MIUI requires the user to switch back to the recorded account before the phone can continue to be used.

On a device whose bootloader (BL) is unlocked, the mobile phone lock can be bypassed by using a non-MIUI system or a tampered MIUI system. However, such a ROM cannot use the OTA (Over the Air) update function and cannot log in to a Mi account normally. When the device switches back to the MIUI system, it is protected by the Find device function again.

MIUI Second Space

MIUI users can create a separate space, completely independent of the original system, through MIUI Second Space. This completely isolates the user's accounts, applications and data from the main space and protects them with separate encryption. Users can also set different unlock passwords for the main space and the second space, giving a virtual-phone experience like having a second device. Users can keep all kinds of private files, pictures and other information in it, install private applications, and so on. This independent space behaves like a "sandbox": any operation in it does not affect the main space of the phone.

Mobile Device Management (MDM)

MDM (Mobile Device Management) is a device protection function that MIUI provides to device management applications, together with an interface for managing and operating mobile phone devices. Through the MDM application and the API interface provided by MIUI, an enterprise IT system can easily control and manage MIUI devices. API calls require authorization to ensure permission control and security.


For applications that use device policy manager permissions abnormally, system control policies are applied according to the MDM standard, including but not limited to: advising the user to close the application through prominent reminders, and prohibiting the application from obtaining service or permission interfaces.

For applications that can harm user data or device security through use of the device policy manager, the following measures are strictly applied: the application is removed from Xiaomi GetApps, and it is prohibited from obtaining the relevant service interfaces or being displayed in the device policy manager application list.

System Software Update

MIUI supports Android's native OTA (Over the Air) mechanism and provides more secure and efficient system upgrade management based on Android.

Before the system software is updated, the system update program verifies the integrity of the ROM which is downloaded via OTA or copied offline. It verifies the size and hash value of the file, etc. After the verification is passed, the mobile phone restarts to initiate the underlying recovery mode, and verifies the integrity of the signing key again. Only after the verification is passed, will the recovery mode write the updated contents of ROM into the system storage.


03 Encryption and Data Security


Encryption and Data Security

This chapter describes the MIUI data security protection mechanism. The MIUI file system is divided into a system partition and a user partition. The system partition is read-only and isolated from the user partition, and common applications can access only some directories of the system partition. For the user partition, the system provides file-based encryption and directory permission management to restrict data access between different applications. MIUI also provides further security functions and applications based on encryption technology, improving convenience and usability while protecting user data.

Data Protection Architecture

File-Based Encryption

MIUI supports Android's FBE (File-based Encryption) function. File-based encryption allows different files to be encrypted with different keys that can be unlocked independently, so not all files in the system need to be encrypted, and keys are bound to user credentials. File-based encryption prevents unauthorized users from obtaining user data through physical attacks on the device (e.g. reading the Flash memory directly) and provides more secure data protection for users.

In MIUI, the key used for file encryption is wrapped by a Class Key, which is in turn encrypted and protected by a Keymaster Key derived from the Hardware Unique Key (HUK); the user must be authenticated and authorized via password or fingerprint before data can be decrypted with the Class Key.


1. Generate the Keymaster Key in hardware from the Hardware Unique Key.

2. Encrypt the Class Key using the Keymaster Key and the user password.

3. At system start-up, a Wrapped Class Key is generated for each Class Key so that the plaintext Class Key is never exposed in the Android environment.

4. Encrypt the File Key using the Wrapped Class Key.

5. Encrypt the file using the File Key.

Figure 3-1 Procedure of File-based Encryption*

*Note: This schematic diagram is suitable for Mi phones that use Qualcomm chips and support FBE.
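The five numbered steps above, as an added example that is neither Xiaomi's nor Android's code: a "hardware" object keeps the HUK and a per-boot ephemeral key, derives the Keymaster Key and the class-key wrapping key with HMAC-SHA256, wraps every key layer with AES-256-GCM, and never hands a class key to the caller except wrapped under the ephemeral key (step 3). The labels, the simple HMAC-based mixing of the credential (real devices stretch the password and throttle attempts, which is not modelled) and the use of AES-GCM for wrapping are assumptions; a nil credential stands in for the Device Encrypted area described below the figure.

```go
package main

// Added example (not Xiaomi's or Android's code): a model of the numbered
// file-based encryption steps. Key derivation is HMAC-SHA256, every wrapping
// layer is AES-256-GCM with 32-byte keys; real hardware key derivation and
// password stretching are not modelled.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// must turns errors that can only be programming mistakes here into panics.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	must(rand.Read(b))
	return b
}

// seal encrypts with AES-256-GCM; the random nonce is prepended to the output.
func seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// unseal reverses seal; it fails under a wrong key or after any modification.
func unseal(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Hardware holds key material that never leaves the cryptographic engine.
type Hardware struct {
	huk       []byte // hardware unique key, fixed at manufacture (input to step 1)
	ephemeral []byte // per-boot key; Android only holds class keys wrapped under it (step 3)
}

// classKEK: step 1 derives the Keymaster Key from the HUK; step 2 combines it
// with the user credential (a nil credential models the DE storage area).
func (h *Hardware) classKEK(password []byte) []byte {
	keymaster := hmac.New(sha256.New, h.huk)
	keymaster.Write([]byte("keymaster"))
	kek := hmac.New(sha256.New, keymaster.Sum(nil))
	kek.Write(append([]byte("class-key-kek|"), password...))
	return kek.Sum(nil)
}

// WrapClassKey (step 2) protects a class key when the credential is set.
func (h *Hardware) WrapClassKey(classKey, password []byte) []byte {
	return seal(h.classKEK(password), classKey)
}

// UnlockClassKey (step 3) checks the credential and hands Android the class
// key wrapped under this boot's ephemeral key, never in plaintext.
func (h *Hardware) UnlockClassKey(wrapped, password []byte) ([]byte, error) {
	classKey, err := unseal(h.classKEK(password), wrapped)
	if err != nil {
		return nil, fmt.Errorf("credential rejected")
	}
	return seal(h.ephemeral, classKey), nil
}

// EncryptFile (steps 4 and 5): a fresh file key encrypts the contents and is
// itself wrapped under the class key recovered from the ephemeral handle.
func (h *Hardware) EncryptFile(handle, contents []byte) (wrappedFileKey, ciphertext []byte, err error) {
	classKey, err := unseal(h.ephemeral, handle)
	if err != nil {
		return nil, nil, err
	}
	fileKey := randomBytes(32)
	return seal(classKey, fileKey), seal(fileKey, contents), nil
}

// DecryptFile unwraps the file key with the class key, then decrypts the file.
func (h *Hardware) DecryptFile(handle, wrappedFileKey, ciphertext []byte) ([]byte, error) {
	classKey, err := unseal(h.ephemeral, handle)
	if err != nil {
		return nil, err
	}
	fileKey, err := unseal(classKey, wrappedFileKey)
	if err != nil {
		return nil, err
	}
	return unseal(fileKey, ciphertext)
}

func main() {
	hw := &Hardware{huk: randomBytes(32), ephemeral: randomBytes(32)} // constructed keys
	pin := []byte("1234")                                            // constructed credential
	handle := must(hw.UnlockClassKey(hw.WrapClassKey(randomBytes(32), pin), pin))
	wfk, ct, _ := hw.EncryptFile(handle, []byte("contacts.db contents"))
	fmt.Println(string(must(hw.DecryptFile(handle, wfk, ct))))
}
```

Two consequences of the hierarchy are visible in the model: a wrong credential fails at the class-key layer, so no file key is ever unwrapped, and a handle obtained during one boot is useless after a reboot because the ephemeral key it was wrapped under no longer exists.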

Each Mi phone that supports FBE contains two storage positions for a user:

● Credential Encrypted (CE) storage area: CE area is the default storage area and only accessible after the user has input their authentication credentials.

● Device Encrypted (DE) storage area: DE area is accessible after the device has powered on regardless of whether screen is unlocked.

The Credential Encrypted (CE) storage area is the default area in which applications store data in MIUI, ensuring application security and application data security. Applications (e.g. wireless authentication, alarm clock, ringtone, Bluetooth, etc.) store only some data in the Device Encrypted (DE) storage area, so that necessary services can run before the user provides credentials while the system still protects the user's private information.

Secure Storage

The secure storage function of MIUI is implemented by a TEE-based Secure File System (SFS), which is used for the secure storage of sensitive information (e.g. keys, certificates, fingerprint templates). A trusted application (TA) running in the TEE uses a storage API to encrypt and store data. The encrypted data is accessible only to that TA and cannot be accessed by external applications. Secure storage in MIUI uses the AES-256 encryption algorithm. The secure storage keys are derived from the hardware unique key (HUK) and stored in the TEE. Data encrypted with these keys cannot be decrypted outside the TEE.

MIUI further provides Flash-based RPMB (Replay Protected Memory Block) to protect certain system data from unauthorized deletion and access. RPMB is directly controlled by the TEE and bound to keys derived from the hardware unique key (HUK). Only the TEE can access the RPMB-protected data, and the Android side does not provide any interface for accessing the RPMB. RPMB defends against replay attacks through a built-in counter, keys and an HMAC verification mechanism, ensuring that data cannot be maliciously overwritten or tampered with.
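The counter-plus-HMAC mechanism that paragraph names, as an added example that is not Xiaomi's code: a model RPMB accepts a write only when its HMAC verifies under the programmed key and its counter equals the current value, so a captured, correctly authenticated frame is rejected once the counter has advanced, and a read reply is authenticated over a caller-chosen nonce. The frame layout is simplified from the real eMMC/UFS RPMB frames, and the key is constructed for the demo rather than derived from a HUK.

```go
package main

// Added example (not Xiaomi's code): a model of RPMB replay protection built
// from the mechanisms the white paper names: a device-held authentication
// key, a monotonic write counter and an HMAC over every frame. The frame
// layout is simplified from the eMMC/UFS specifications.

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// WriteFrame is an authenticated write request from the TEE to the RPMB.
type WriteFrame struct {
	Counter uint32 // must equal the device's current write counter
	Data    []byte
	MAC     []byte // HMAC-SHA256(key, "W" || counter || data)
}

func frameMAC(key []byte, counter uint32, data []byte) []byte {
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	m := hmac.New(sha256.New, key)
	m.Write([]byte{'W'})
	m.Write(c[:])
	m.Write(data)
	return m.Sum(nil)
}

func readMAC(key, nonce, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte{'R'})
	m.Write(nonce)
	m.Write(data)
	return m.Sum(nil)
}

// RPMB models the storage partition. Its key is programmed once (from a
// HUK-derived key on a real device) and can never be read back.
type RPMB struct {
	key     []byte
	counter uint32
	data    []byte
}

func NewRPMB(authKey []byte) *RPMB { return &RPMB{key: authKey} }

// Counter is public: it does not need to be secret, only unforgeable.
func (r *RPMB) Counter() uint32 { return r.counter }

// Write accepts a frame only if its MAC verifies under the programmed key and
// its counter equals the current value. A valid frame captured earlier fails
// once the counter has moved on, which is what defeats replay.
func (r *RPMB) Write(f WriteFrame) error {
	if !hmac.Equal(f.MAC, frameMAC(r.key, f.Counter, f.Data)) {
		return errors.New("rpmb: authentication failed")
	}
	if f.Counter != r.counter {
		return errors.New("rpmb: write counter mismatch, replayed or stale frame rejected")
	}
	r.data = append([]byte(nil), f.Data...)
	r.counter++
	return nil
}

// Read answers with the data and a MAC over the caller's nonce and the data,
// so the TEE can tell a genuine reply from a substituted or replayed one.
func (r *RPMB) Read(nonce []byte) (data, mac []byte) {
	data = append([]byte(nil), r.data...)
	return data, readMAC(r.key, nonce, data)
}

// TEE is the only party other than the RPMB that holds the authentication key.
type TEE struct{ key []byte }

// PrepareWrite reads the live counter and builds a frame bound to it.
func (t *TEE) PrepareWrite(dev *RPMB, data []byte) WriteFrame {
	c := dev.Counter()
	return WriteFrame{Counter: c, Data: data, MAC: frameMAC(t.key, c, data)}
}

// VerifiedRead issues a nonce and checks that the reply was computed for it.
func (t *TEE) VerifiedRead(dev *RPMB, nonce []byte) ([]byte, error) {
	data, mac := dev.Read(nonce)
	if !hmac.Equal(mac, readMAC(t.key, nonce, data)) {
		return nil, errors.New("rpmb: read response is not authentic")
	}
	return data, nil
}

func main() {
	key := []byte("constructed-rpmb-authentication-key") // shared key, constructed for the demo
	dev, tee := NewRPMB(key), &TEE{key: key}
	old := tee.PrepareWrite(dev, []byte("rollback-index=4"))
	fmt.Println("first write:", dev.Write(old))
	fmt.Println("update:", dev.Write(tee.PrepareWrite(dev, []byte("rollback-index=5"))))
	fmt.Println("captured frame replayed:", dev.Write(old))
	data, err := tee.VerifiedRead(dev, []byte("fresh-nonce"))
	fmt.Printf("stored: %q (%v)\n", data, err)
}
```

The counter is deliberately readable: secrecy is not what stops a replay, the HMAC binding of the frame to one specific counter value is, and a rejected frame never advances the counter.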

Secure Erasure

The common "Reset phone" does not let users thoroughly erase data held in physical storage: for efficiency, it is usually implemented by deleting logical addresses, while the physical address space is not actually cleared and the data can be recovered. MIUI offers users the option "Format mock SD card" when they reset the phone. Once this option is chosen, the system formats the storage space and completely erases the data, protecting data security for users who want to resell or dispose of the device.

Key Management

MIUI's key management function allows application developers to manage the lifecycle of keys and certificates, and provides remote attestation of device certificates in the TEE. Key management has the following functions:

1) Generation and storage

MIUI's key management provides a hardware-protected key storage mechanism. A key generated in an application is stored encrypted and can only be used by the corresponding device.

2) Encryption and decryption

When an application needs to use a key, the previously generated encrypted key and the data to be encrypted are sent to the TEE of the corresponding device. Data can only be encrypted and decrypted with keys in the TEE of the corresponding device.

3) Key attestation

In each Mi phone, the device certificate issued by is injected during manufacturing, and any generated key can be authenticated through Google's certificate. A network service can authenticate MIUI devices through the key attestation function.

The technical basis of MIUI's key management is Android Keystore which prevents the unauthorized use of key materials outside of and on the device by key extraction prevention and key use authorization:

1) Extraction prevention

Key material can be protected from unauthorized use outside of MIUI devices. When an application performs cryptographic operations with an Android Keystore key, the plaintext, ciphertext and messages to be signed or verified are, behind the scenes, fed to a system process that carries out the cryptographic operations, rather than to the application process. Therefore, even if the application process is compromised, the attacker may not be able to extract the key material. At the same time, MIUI also binds key material to the secure hardware (e.g. TEE) of the Mi phone, so key material is never exposed outside of the secure hardware. Even if the MIUI OS is compromised or an attacker can read the device's storage, key material bound to secure hardware cannot be extracted from the device.

2) Key use authorization

To mitigate unauthorized use of keys on the MIUI device, Android Keystore lets applications specify how their keys may be used when generating or importing them. Once a key is generated or imported, its authorizations cannot be changed. The authorizations are then enforced by Android Keystore whenever the key is used. Supported key use authorizations in MIUI fall into the following categories:

● Cryptography: authorized key algorithm, operations or purposes (encrypt, decrypt, sign, and verify), padding scheme, block modes and digests with which the key can be used.

● Temporal validity interval: interval of time during which the key is authorized for use.

● User authentication: the key can only be used if the user has authenticated recently.

Encryption Application

Fingerprint Recognition

Fingerprint recognition uses the unique physiological feature of a fingerprint to authenticate personal identity and can be applied to scenarios requiring strong authentication mechanisms, such as phone screen unlocking, application unlocking, electronic payment and privacy content protection.

MIUI processes fingerprint images, extracts fingerprint features, generates fingerprint templates, and enrolls and authenticates fingerprints inside the TEE; fingerprint data cannot be transferred outside the TEE. Third-party Android applications can only initiate fingerprint authentication and receive the authentication result through the external fingerprint framework, and cannot collect fingerprint data.

MIUI's fingerprint data is encrypted using AES-256, which is achieved by invoking Keystore. The key for encrypting fingerprint cannot be obtained externally, ensuring that user's fingerprint data is not leaked. The MIUI does not send or back up fingerprint template data to any external storage media including cloud servers.

Figure 3-2 Fingerprint Security Framework

Face Recognition

Face recognition is a biometric identification technology that identifies a person by their facial features. Based on an AI face recognition algorithm, MIUI detects facial features for high-precision matching, and the device is unlocked after a successful match.

A user's facial feature data is personal biometric information, a category of sensitive personal information. To ensure security, MIUI collects facial images, extracts features and compares them inside the TEE, and facial data cannot be transferred outside the TEE. Third-party Android applications can only initiate facial authentication and receive the authentication result through the external facial framework, and cannot collect facial data.

The facial feature data is encrypted and decrypted using built-in security chip, and key for encrypting facial data cannot be obtained externally, ensuring that the facial feature data is not leaked. The MIUI does not send or back up facial features to any external storage media including cloud servers.

Electronic Identification

The network electronic identification eID (hereinafter "eID") is an electronic ID application jointly developed by Xiaomi and the Third Research Institute of the Ministry of Public Security of the People's Republic of China. In scenarios approved by the Ministry of Public Security, the eID functions the same as the physical ID card.

Mi phones comply with eID-related standards and specifications, specifically: the security chip is used as the carrier; the chip has an independent processor, a secure storage unit and a cryptographic coprocessor; and only the dedicated security chip operating system can run on it. eID information is encrypted and stored in the security chip (eSE) and can only be accessed by specific programs. When the eID is activated, the security chip uses an asymmetric key algorithm to generate a public/private key pair for signing, ensuring that the eID cannot be read, copied, tampered with or used without authorization, and providing users with a more secure network digital identity service.

The MIUI mobile wallet client supports whole-lifecycle management of the eID: users can open, download, use and deregister their personal eID on the phone at any time.

*Note: Only some specific models are supported.

Screen Lock Password Protection

MIUI screen lock passwords support patterns, digits and mixed characters, each with a minimum length requirement to ensure a stronger password.

● Pattern password: at least 4 dots must be connected.

● Digital password: 4 to 16 digits.

● Mixed password: 4 to 16 characters, any combination of uppercase and lowercase letters, digits and symbols.


MIUI screen lock passwords are protected by the hardware unique key (HUK) and encrypted in the TEE. When a user creates or modifies a lock screen password, or enters it to unlock the screen, the password is processed inside the TEE and never handled by the rich OS in the clear.

MIUI limits the number of incorrect password attempts. After several consecutive incorrect attempts, the phone is locked to prevent brute forcing of the screen lock password.
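The two protections described above (a credential bound to the HUK inside the TEE, and throttling of failed attempts) can be modelled in a few dozen lines. The following is an added illustration written for this page, not MIUI's or Android's gatekeeper code: the HUK is a constructed 32-byte constant standing in for the SoC-fused key, the per-purpose key derivation, PBKDF2 stretching and the lockout schedule (5 free attempts, then 30 s doubling after each further failure) are assumed policies, and the "TEE" is simply a Python class whose only output to the caller is a boolean.

```python
"""Illustrative model of a TEE-hosted screen-lock verifier (added example)."""
import hashlib
import hmac
import os
from typing import Optional

# Stand-in for the hardware unique key. On real hardware it is fused into the
# SoC and readable only by the secure world; here it is a constructed value.
_HUK = bytes.fromhex("0f" * 32)

# Per-purpose key derived from the HUK so the raw HUK is never used directly.
_PASSWORD_KEY = hmac.new(_HUK, b"lockscreen-credential-v1", hashlib.sha256).digest()

MAX_FREE_ATTEMPTS = 5      # failures allowed before throttling starts (assumed)
BASE_LOCK_SECONDS = 30     # first lockout; doubles with every further failure


def _stretch(password: str, salt: bytes) -> bytes:
    """Slow, salted digest of the password, keyed with the HUK-derived key.
    PBKDF2 makes offline guessing expensive; the HUK key makes the stored blob
    worthless if it is copied off this device."""
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(_PASSWORD_KEY, salt + stretched, hashlib.sha256).digest()


class LockScreenGatekeeper:
    """Holds the enrolled credential and the failure counter inside the
    (simulated) TEE; the rich OS only ever receives verify()'s boolean."""

    def __init__(self) -> None:
        self._salt: Optional[bytes] = None
        self._digest: Optional[bytes] = None
        self.failures = 0
        self.locked_until = 0.0   # monotonic timestamp; 0 means not locked

    def enroll(self, password: str) -> None:
        self._salt = os.urandom(16)
        self._digest = _stretch(password, self._salt)
        self.failures = 0
        self.locked_until = 0.0

    def verify(self, password: str, now: float) -> bool:
        if self._digest is None or self._salt is None:
            raise RuntimeError("no credential enrolled")
        if now < self.locked_until:
            # Throttled: the guess is not evaluated at all, so timing leaks nothing.
            return False
        if hmac.compare_digest(_stretch(password, self._salt), self._digest):
            self.failures = 0
            self.locked_until = 0.0
            return True
        self.failures += 1
        if self.failures >= MAX_FREE_ATTEMPTS:
            # Exponential backoff: 30 s, 60 s, 120 s, ... from the 5th failure on.
            delay = BASE_LOCK_SECONDS * 2 ** (self.failures - MAX_FREE_ATTEMPTS)
            self.locked_until = now + delay
        return False


def demo() -> dict:
    """Enroll a PIN, replay five wrong guesses, then show the lockout and recovery."""
    gk = LockScreenGatekeeper()
    gk.enroll("4071")
    t = 1000.0
    results = {"wrong_rejected": 0, "throttled": False, "recovered": False}
    for guess in ["0000", "1234", "1111", "2222", "3333"]:
        if not gk.verify(guess, t):
            results["wrong_rejected"] += 1
        t += 1.0
    # The fifth failure started a 30 s lock; even the right PIN is refused inside it.
    results["throttled"] = (not gk.verify("4071", t)) and gk.locked_until > t
    # Once the lockout expires the correct PIN succeeds and the counter resets.
    t = gk.locked_until + 1.0
    results["recovered"] = gk.verify("4071", t) and gk.failures == 0
    return results


if __name__ == "__main__":
    print(demo())
```

The essential property is that the stored blob is useless without `_PASSWORD_KEY`, which exists only inside the TEE, so copying the credential partition to another machine does not enable an offline attack; the attempt counter lives in the same place, so the rich OS cannot reset it.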

Smart Password Manager

As more applications come with their own account systems, it becomes harder for users to set a different high-strength password for each application, and users often forget usernames and passwords. Smart password manager * is a secure account password management tool created by MIUI. It stores application login information (usernames and passwords) centrally and ties access to the user's fingerprint and screen lock password. When users log in to an application, the login information is auto-filled, which makes strong passwords easy to use.

Xiaomi smart password manager is also built on Keystore, which provides hardware-backed encryption. The stored login information is encrypted with a high-strength key that can only be used inside the TEE. Therefore, apart from the user's own fingerprint and password, no other party, including Xiaomi, can obtain the login information.

Currently, smart password manager does not provide cloud synchronization or cloud backup, and the stored credentials can only be used on the device after the user authorizes it, so the managed password vault is never exposed off the device.

*Note: Only domestic phones support this function.


04 Application Security


Application Security

On top of MIUI's hardware security, system security framework and data protection mechanisms, the application runtime environment is protected by application-layer security technologies such as application signing, runtime protection and application security testing.

MIUI also provides a series of optional security functions that give users further data security and privacy protection, such as App lock, secure keyboard, blocklist settings and private space.

Application Security Protection

Signature

MIUI verifies the integrity and source of the application package (hereinafter "APK") in order to:

● Ensure that the APK is tamper-proof

The developer generates a public/private key pair, signs the APK with the private key and packages the public key (certificate) into the APK. When the application is installed, that public key is used to verify that the APK has not been tampered with.

Signature verification is also required when updating an installed application. Only an update signed with the same key as the installed application is allowed, which prevents malicious applications from replacing existing ones.

● Ensure that the APK is forgery-proof

The APK's APP ID and the certificate used to verify its signature are themselves signed with the official private key. If developer A signs developer B's APK with A's own private key and packages A's certificate into the APK, the official signature verification fails when developer A uploads it to the application store.

● Ensure that permissions of APK cannot be changed at will

The permission list, APP ID and certificate are all signed with the official private key. When the application is installed, the permission list is checked for consistency with the system services the application actually calls; if they do not match, calls to MIUI services fail.


Figure 4-1 New Application Signature Process

Runtime Protection

MIUI supports Android's native Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP). ASLR makes exploitation of memory-corruption vulnerabilities such as buffer overflows harder: it randomizes the positions of memory regions such as the heap, stack and shared libraries, so an attacker cannot predict target addresses or reliably locate attack code. DEP marks memory regions that hold data as non-executable, so injected code in those regions cannot be run directly.


In addition, MIUI uses the native Android application sandbox so that each application runs in its own sandbox, isolated from the others, which protects applications at runtime.

Application Security Detection

Xiaomi GetApps performs automated testing, security scanning and manual review of each application to ensure that applications come from a safe source.

On the device, MIUI provides system protection and detection mechanisms such as a virus scanner with multiple antivirus engines and an application installation monitor.

In addition, "Security" - "Solve problems" provides root detection and anomaly detection for phone performance, operation and power consumption to protect application security. It includes the following checks:

● Performance anomaly detection: detects whether "Accessibility" or "Device admin apps" is turned on, and whether the remaining device memory is insufficient.

● Operation anomaly detection: detects whether "flight mode", "interception of contact calls", "interception of stranger calls", "DND mode" or "eye protection mode" is turned on.

● Power consumption anomaly detection: detects whether there are too many auto-start applications (more than 5) and whether the hotspot is turned on.

● Other anomaly detection: detects whether the system is rooted, and warns the user that applications cannot be installed when free storage is below 5%.

Payment Security Detection

Payment security scanning guards the user's payment process. When the user opens a payment application, a background process checks whether the system environment is safe, and when a risk is detected the user is notified through a pop-up window or another interactive prompt to reduce the payment risk.

MIUI has a built-in whitelist of payment applications and pages; the detection only takes effect when the user opens a listed application or page. The list covers the common mainstream applications on the market. The relevant detections include:

● Wi-Fi security scanning: detects whether the Wi-Fi network is at risk.

● Input method security detection: detects whether the user's input method is an authorized secure input method on the whitelist.

● Virus detection: detects whether a Trojan or virus is running as a background process.

● Verification code theft risk detection: detects whether a third-party application has obtained permission to read SMS notifications, to prevent verification code leakage.

*Note: The feature is only available in mainland China.

System Permission Management

The native Android system provides a runtime permission mechanism for applications, aimed at limiting sensitive operations and protecting user data. Before obtaining a permission, the application requests it through a pop-up dialog, and the user decides whether to grant it.

On this basis, MIUI adds a number of custom permissions, such as auto-start management, chain-start management (mutual wake-up), background pop-up windows and lock-screen notifications, to restrict behaviors such as long-running background processes, unjustified mutual wake-up of applications and malicious promotion.

MIUI monitors use of the camera and microphone by background applications *. When such use is detected, MIUI shows a prompt in the status bar and flashes the notification light to warn the user.

*Note: Only some models are supported.


Log Privacy Shield

MIUI masks part of the private information that appears in native Android logs (such as cell tower location, IP address and device identifiers) with "*", to further protect private information.
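A log privacy shield of this kind is essentially a set of ordered redaction rules applied to each line before it leaves the device or lands in a bug report. The block below is an added illustration, not MIUI's implementation: the identifier patterns (IPv4 address, 15-digit IMEI, 16-hex-character Android ID, cell ID and LAC, e-mail address) and the decision to keep a harmless prefix or suffix are assumed choices, and the sample log lines are constructed rather than captured from a device.

```python
"""Added example: regex-based masking of identifiers in Android-style log lines."""
import re

# Ordered masking rules. Each keeps a harmless prefix or suffix so the log
# stays useful for debugging while the identifying part becomes "*".
_RULES = [
    # IPv4 address: keep the first octet only, e.g. 192.168.1.23 -> 192.*.*.*
    (re.compile(r"\b(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"), r"\1.*.*.*"),
    # 15-digit IMEI after an "imei" label: keep the last four digits
    (re.compile(r"(?i)(imei[=: ]+)(\d{11})(\d{4})"),
     lambda m: m.group(1) + "*" * 11 + m.group(3)),
    # 64-bit Android ID (16 hex chars) after "android_id": keep the first four
    (re.compile(r"(?i)(android_id[=: ]+)([0-9a-f]{4})([0-9a-f]{12})"),
     r"\1\2************"),
    # Cell identity and location area code: mask the whole number, keep its length
    (re.compile(r"\b(cid|lac)=(\d+)"),
     lambda m: m.group(1) + "=" + "*" * len(m.group(2))),
    # E-mail address: keep the first character of the local part and the domain
    (re.compile(r"\b([A-Za-z0-9._%+-])[A-Za-z0-9._%+-]*(@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"),
     r"\1***\2"),
]

# Constructed Android-style log lines; not taken from a real device.
SAMPLE_LOGS = [
    "12-03 10:15:42.123 I/ConnectivityService: wifi up addr=192.168.1.23 gw=192.168.1.1",
    "12-03 10:15:43.001 D/TelephonyRegistry: cell mcc=460 mnc=00 lac=4817 cid=1930283",
    "12-03 10:15:44.880 I/DeviceInfo: imei=490154203237518 android_id=9774d56d682e549c",
    "12-03 10:15:45.010 W/AccountSync: sync failed for user.name@example.com",
]


def shield(line: str) -> str:
    """Apply every masking rule to one log line and return the shielded line."""
    for pattern, repl in _RULES:
        line = pattern.sub(repl, line)
    return line


def shield_all(lines) -> list:
    return [shield(line) for line in lines]


def leaks(lines) -> list:
    """Audit helper: lines that still match any rule. After shielding this
    should be empty; running it on raw logs shows what would have leaked."""
    return [line for line in lines if any(p.search(line) for p, _ in _RULES)]


if __name__ == "__main__":
    for raw, safe in zip(SAMPLE_LOGS, shield_all(SAMPLE_LOGS)):
        print(raw, "\n ->", safe)
```

Rule order matters: a broad rule (such as the IPv4 one) should not run after a narrower one has already rewritten the field it keys on, and the audit pass `leaks()` is the cheap regression test that the set of rules still covers every identifier format the logging code emits.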

Application Security Features

App Lock

App lock not only protects application data but also prevents private information inside an application from being seen by others.

MIUI users can enter the "App lock" module through "Apps" and set an unlock password of various styles (pattern, digits or mixed) for an application. Users can choose to lock immediately after exiting the application or one minute after exiting; once the screen has been locked, the App lock must be verified when the application is opened again. To make unlocking both convenient and secure, MIUI also supports fingerprint unlocking for App lock.

Secure Keyboard *

Users enable the secure keyboard in "Settings"-"Languages & input"-"Secure keyboard". MIUI automatically switches to the secure keyboard when a password is being entered. The secure keyboard has no word association or memory function and no network permission. It also prevents background screen recording, third-party screenshots and third-party floating windows from capturing or covering the secure keyboard. In this way the secure keyboard protects the user's password input.

*Note: The feature is only available in mainland China.

Some bank apps use their own input methods; the MIUI secure keyboard does not take effect there.

Website Detection*

In response to the increasingly severe network security situation, Xiaomi provides a malicious website detection service that identifies malicious websites based on a massive website category knowledge base. When users access a malicious website through Mi Browser, SMS links or other paths, a pop-up window warns them of the risk. The service has the following characteristics:

● Various types of detection: identifies malicious website categories including social engineering fraud, information fraud, false advertising, malicious files, gambling websites, pornographic sites, etc.

● High throughput: supports 25 million website detection requests per day.

● Low latency: the average response time of the service is within 100 ms.

● High detection accuracy: the detection accuracy on millions of labeled samples is above 97%.

● Privacy protection: no information other than the website address is collected.

*Note: The feature is only available in mainland China.

Blocklist Setting

MIUI's blocklist setting provides comprehensive blocklist functions that effectively intercept unwanted phone calls and spam SMS such as advertising and real estate agents. Users can quickly add phone numbers from "Call records" and "Contacts" to the blacklist or whitelist, and can also add regions to the blacklist or whitelist to intercept calls and let known numbers through. The real-time updated yellow pages give users accurate information about numbers and prevent them from being bothered by unknown numbers.

MIUI provides a variety of interception rules that users can configure manually as needed. These configurations can be backed up to the cloud for cross-device synchronization:

● Black/white list: let through whitelisted numbers and intercept blacklisted numbers.

● Blacklist and whitelist keywords: let through SMS containing whitelisted keywords and intercept SMS containing blacklisted keywords.

● Blacklist and whitelist area: let through calls and SMS from whitelisted areas and intercept calls and SMS from blacklisted areas.

● Unknown number: intercept calls from unknown numbers.

● Call forwarding: intercept forwarded calls.

● Overseas number: intercept calls from overseas numbers.

● Smart interception: filter unwanted calls and spam SMS using the yellow pages database and the interception engine.

*Note: The blacklist area, call forwarding and overseas number rules are available in mainland China; smart interception is available in mainland China and India.

Private Space

MIUI provides users with a set of private space functions: private SMS, private albums, private folders and private notes.

Users set this up through "Settings"-"Password & security"-"Privacy protection password", and then access the exclusive space for private SMS, albums, folders and notes with the privacy password or fingerprint. In this space users can manage their private contacts, album pictures, files and notes. SMS exchanged with private contacts, private pictures, private files and private notes are displayed only in the private space, enhancing the protection of the user's private information.


Users can also set whether to display private short message notifications on the conventional interface.

If the user has set up Second space on the device, the above functions change accordingly: private content is displayed in the second space and regular content in the main space.


05 Internet Service Security


Internet Service Security

For Internet services running on MIUI and other Xiaomi applications, Xiaomi strictly follows the principles of Security by Design and Privacy by Design, protects the security of user data and abides by the legal requirements for privacy and compliance. While providing easy-to-use functions, Xiaomi also gives users corresponding privacy options to protect their privacy rights.

Mi Account

Mi Account is the identity used to identify Xiaomi users. Through a Mi account, users can use a series of products and services provided by Xiaomi, including but not limited to Xiaomi Cloud, Mi Pay, Xiaomi Online Store, the Mi Home app, Mi Community and Mi Music. Users can also purchase Mibi through their Mi account to use Xiaomi's virtual products and value-added services (e.g. games, e-books).

In order to prevent unauthorized use, Xiaomi has taken the following technical measures and management measures to ensure the security of users’ accounts.

Account Security Setting

When registering or changing a password, users must set a strong password of 8-16 characters that includes at least two of the following three character types: digits, letters and special symbols. After logging in, users can add a recovery phone number or recovery email to the Mi account, set a security question *, and turn on cross-device authentication in the account security settings. These authentication methods are used to verify the user's identity when account information is changed or the password is reset.

*Note: Only Mi account registered in mainland China supports this function.

Login Protection

Mi account login is protected by the account smart risk control service, which effectively reduces the risk of unauthorized login and account theft.

When a user logs in, Mi account checks the login environment and the user's way of operating. After several failed login attempts, Mi account switches to an interactive verification method, such as an image CAPTCHA or sliding or clicking on a picture, for environment security detection. When an abnormal login is identified and judged to be a login risk, the user is required to complete extra secure authentication. If that fails, the services this account may access are restricted according to the risk level. When a serious risk is identified, the account is frozen and forced out of all current sessions, and the current password can no longer be used or reused.

Abnormal login behaviors defined by the account smart risk control service include:

● Logging in to the Mi account from an untrusted environment.

● Accessing private data (e.g. using web pages to view albums, SMS, contacts, etc. stored in Xiaomi Cloud).

● Modifying the settings in "Security" (e.g. changing the bound recovery phone number or email). Verification methods include but are not limited to cross-device verification, SMS verification and email verification.

When the behavior of an account changes (e.g. the password is changed, or the Mi account is logged in on a new device) and this is judged to be an abnormal risk, Xiaomi sends an email and a message to notify the user, prompting them to change the password immediately.

In addition, Mi account has the following secure features to further ensure account login security:

● Recycled (reassigned) phone numbers are identified in various ways. While new users are guided to register a Mi account, the original user is prevented from using the same phone number to log in to Mi account.

● An app whitelist is enforced when third-party applications call Mi account for login, so that only authorized applications can call Mi account.

● When the system resolves domain names and IP addresses, it uses an interface independently developed by Xiaomi to prevent DNS hijacking of Mi account during login.

Data Security

Xiaomi encrypts the personal information entered during registration, including:

● Mobile phone number, e-mail address, account ID: AES-128

● Login password: salted hash, then AES-128

A string generated by a random number generator (the salt) is appended to the login password, the result is hashed with a password hash function, and the hash value is then encrypted with AES-128. Each user's salt is different, so even if two users choose the same password, the resulting hash values differ.

Figure 5-1 Encryption Process of Login Password
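The salting step in Figure 5-1 is shown below as an added example written for this page, not Xiaomi's server code. It covers the salt and password-hash stage only; the subsequent AES-128 encryption of the digest under a Key Center managed key is not reproduced because the Python standard library has no AES primitive. The scrypt cost parameters, the 16-byte salt length, the constant-time comparison and the usernames and passwords are assumptions. Besides the property the text states (same password, different stored digests), the demo shows the failure mode the per-user salt prevents: reusing one salt makes the digests collide again.

```python
"""Added example: per-user salted password hashing and verification."""
import hashlib
import hmac
import os

# scrypt cost parameters and salt length (assumed; tune to the server's budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN = 2 ** 14, 8, 1, 16


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard password hash. The salt is not secret; the cost is
    what makes guessing expensive, and the per-user salt defeats precomputed
    tables and cross-user comparison."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)


class CredentialStore:
    """Stores (salt, digest) per user. In the design described above the digest
    would additionally be AES-128 encrypted before storage; that layer is omitted."""

    def __init__(self) -> None:
        self.records = {}   # username -> (salt, digest)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_LEN)          # fresh, random and unique per user
        self.records[username] = (salt, hash_password(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self.records.get(username)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            hash_password(password, b"\0" * SALT_LEN)
            return False
        salt, digest = record
        return hmac.compare_digest(hash_password(password, salt), digest)


def demo() -> dict:
    """Two users choose the same password; compare their stored digests."""
    store = CredentialStore()
    secret = "Tr0ub4dor&3"
    store.register("alice", secret)
    store.register("bob", secret)
    salt_a, digest_a = store.records["alice"]
    _, digest_b = store.records["bob"]
    return {
        "same_password_distinct_digests": digest_a != digest_b,
        # Reusing alice's salt reproduces alice's digest: salts must never be shared.
        "salt_reuse_collides": hash_password(secret, salt_a) == digest_a,
        "login_ok": store.verify("alice", secret),
        "wrong_password": store.verify("alice", secret.lower()),
        "unknown_user": store.verify("mallory", secret),
    }


if __name__ == "__main__":
    print(demo())
```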

When the user registers or logs in to the Mi account, account-related information is transmitted to the server over an HTTPS encrypted channel. Users' personal information is encrypted and stored in a dedicated database with multiple backup copies. The backup data is protected to the same degree as online data. Xiaomi applies role-based, multi-level access control to user data and is subject to corresponding security audits.

The keys that encrypt and decrypt user data are managed by Key Center, a key management platform independently developed by Xiaomi. The platform is operated and maintained by an independent team, which separates the responsibilities for business, data and keys. Role-based access control ensures that no single individual can obtain all the permissions required to decrypt user data. In addition, the servers that store user data have real-time monitoring that alerts on abnormal access behavior.


Figure 5-2 Key Center Key Management Logical Architecture

To protect the keys stored in Key Center, they are encrypted with a 4096-bit root key, which is generated by a hardware security module (HSM).

Other Methods of Account Login

● QR code scanning login

Mi account supports login by scanning a QR code. Users scan the QR code displayed on the web page to log in to Mi account. The QR code becomes invalid after a certain period of time, after which the user must refresh the web page to obtain a new code.

● Third-party authorization login

Mi account supports binding third-party accounts, so users can log in to Mi account using a third-party account. Currently, users in China can log in with Weibo, WeChat, Alipay and QQ accounts, and users overseas with Facebook and Google accounts. Mi account adopts OAuth 2.0 (the open authorization standard) and follows the standard OAuth 2.0 protocol and flow to authorize third-party account login. The security mechanism of OAuth 2.0 ensures that Mi account related information is not transmitted to third parties.
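In the OAuth 2.0 authorization-code flow, the relying party (here, Mi account) never sees or sends the user's password for either account: it redirects the user to the provider, receives a single-use code on its registered callback URL, and exchanges that code over a back channel for a token and the provider's opaque subject identifier. The block below simulates both sides in one process as an added example written for this page; it is not Xiaomi's or any provider's code. The provider "idp.example", its endpoints, the client registration and the bound account are hypothetical, and PKCE (RFC 7636) is included as current best practice, which the white paper itself does not mention.

```python
"""Added example: OAuth 2.0 authorization-code flow with state and PKCE, both sides simulated."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical registration of the relying party at the provider (constructed values).
CLIENT_ID, CLIENT_SECRET = "mi-account", "s3cret-registered-out-of-band"
REDIRECT_URI = "https://account.xiaomi.com/oauth/callback"
AUTHORIZE_ENDPOINT = "https://idp.example/oauth/authorize"


def _pkce_challenge(verifier: str) -> str:
    """S256 code challenge: base64url(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class ThirdPartyProvider:
    """Simulated identity provider (the Weibo/Google side of the flow)."""

    def __init__(self) -> None:
        self.clients = {CLIENT_ID: (CLIENT_SECRET, REDIRECT_URI)}
        self.codes = {}  # code -> (client_id, redirect_uri, code_challenge, subject)

    def authorize(self, auth_url: str, logged_in_subject: str) -> str:
        """The user, already signed in at the provider, consents. The provider
        redirects back with a single-use code and echoes the state unchanged."""
        q = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
        _, registered_redirect = self.clients[q["client_id"]]
        if q["redirect_uri"] != registered_redirect:
            raise ValueError("redirect_uri not registered for this client")
        code = secrets.token_urlsafe(24)
        self.codes[code] = (q["client_id"], q["redirect_uri"], q["code_challenge"], logged_in_subject)
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})

    def token(self, client_id: str, client_secret: str, code: str,
              redirect_uri: str, code_verifier: str) -> dict:
        """Back-channel exchange of the code for a token. The code is consumed on
        first use, so a captured callback URL cannot be replayed."""
        entry = self.codes.pop(code, None)
        if entry is None:
            return {"error": "invalid_grant"}
        cid, ruri, challenge, subject = entry
        secret, _ = self.clients.get(cid, (None, None))
        if (cid != client_id or secret != client_secret or ruri != redirect_uri
                or challenge != _pkce_challenge(code_verifier)):
            return {"error": "invalid_grant"}
        return {"access_token": secrets.token_urlsafe(16), "subject": subject}


class RelyingParty:
    """Simulated Mi account side. Only the provider's opaque subject identifier
    comes back; no Mi account credential is ever sent to the provider."""

    def __init__(self, idp: ThirdPartyProvider) -> None:
        self.idp = idp
        self.pending = {}   # state -> PKCE verifier, one entry per login attempt
        self.bindings = {}  # provider subject -> Mi account ID

    def start_login(self) -> str:
        verifier = secrets.token_urlsafe(32)
        state = secrets.token_urlsafe(16)
        self.pending[state] = verifier
        return AUTHORIZE_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
            "scope": "openid", "state": state,
            "code_challenge": _pkce_challenge(verifier), "code_challenge_method": "S256"})

    def finish_login(self, callback_url: str) -> str:
        q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
        verifier = self.pending.pop(q.get("state", ""), None)   # state is single use
        if verifier is None:
            return "rejected: unknown state (possible CSRF or replay)"
        tok = self.idp.token(CLIENT_ID, CLIENT_SECRET, q.get("code", ""), REDIRECT_URI, verifier)
        if "error" in tok:
            return "rejected: " + tok["error"]
        return "logged in as " + self.bindings.get(tok["subject"], "<no Mi account bound>")


def demo() -> list:
    """Happy path, then a forged callback, a replayed callback and a replayed code."""
    idp = ThirdPartyProvider()
    rp = RelyingParty(idp)
    rp.bindings["weibo-user-42"] = "mi_1000123"   # binding the user made earlier
    auth_url = rp.start_login()
    callback = idp.authorize(auth_url, "weibo-user-42")
    results = [rp.finish_login(callback)]
    # Attacker-crafted callback carrying a state the relying party never issued.
    results.append(rp.finish_login(REDIRECT_URI + "?code=stolen&state=forged"))
    # The genuine callback again: its state was consumed on first use.
    results.append(rp.finish_login(callback))
    # Even with the right client credentials, the code itself is single use.
    code = parse_qs(urlparse(callback).query)["code"][0]
    results.append(idp.token(CLIENT_ID, CLIENT_SECRET, code, REDIRECT_URI, "anything").get("error"))
    return results
```

The `state` value is what ties the callback to the browser session that started the login (defeating login CSRF), the registered `redirect_uri` is what stops a code from being sent to an attacker's site, and the PKCE verifier binds the code to the client instance that requested it.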

Xiaomi Cloud


Xiaomi Cloud can store the user's contacts, messages, albums, call records, notes and other information, and automatically synchronizes this information among the user's devices. Users can recover as much data as possible when a device is damaged or lost, and can browse and manage their data anytime and anywhere on other devices or through the web (https://i.xiaomi.com).

User Data Synchronization

After turning on the Xiaomi Cloud service, users can choose to synchronize the following data, or set any item to "Off" at any time.

Cloud service synchronization module and the data it synchronizes:

● Short message synchronization: the user's current phone number; the user's local SMS data; the list of pinned SMS conversations and the list of private numbers.

● Call records synchronization: the user's current phone number; the user's local call records.

● Contacts synchronization: the user's contact information and profile pictures.

● Note synchronization: the user's local notes.

● Browser synchronization: the user's local browser bookmarks, history, tabs, etc.

● Wi-Fi settings synchronization: settings of previously connected Wi-Fi networks.

● Recording synchronization: the user's local recordings and recording file information.

● Home screen cloud backup: the user's home screen layout and wallpaper; user-set alarms and world clock; the user's notification management settings.

● Calendar synchronization: the user's Mi Calendar data.

● Album synchronization: the data in the local album and in the folders the user specifies for synchronization.

● Xiaomi Cloud storage: data uploaded by the user.

● Music synchronization: user ID, playlists, music, etc.

● Security center/Device manager: the contact blacklist and whitelist set by the user, VIP list, DND mode, etc.

● AI: the user's settings in the AI assistant.

Smart Photo Classification

When the cloud service is turned on, the device automatically turns on album synchronization and the smart photo classification function. Once enabled, it automatically classifies and displays the user's photos within the album along several dimensions such as person, location, landscape, plant and food. The user can turn this function off in "Cloud Service"-"Album". Smart photo classification depends on smart image algorithms and trained models. Xiaomi does not use the photos synchronized by users to train the algorithm. After being developed and fully trained in an independent environment, the algorithm is deployed on the Xiaomi cloud server. When photos are automatically synchronized to the user's cloud space, the smart image model is invoked to classify them. The category labels are then delivered to the album on the device, and the classified photos can be browsed in the album.

Figure 5-3 Implementation Logic of Smart Photo Classification

Data Security

To prevent user data from being stolen or tampered with, an HTTPS encrypted channel is used for transmission among the web terminal, the phone and the server during data synchronization. In addition, the cloud service website has a 15-minute session timeout with automatic logout.

During storage, each file is divided into multiple blocks and each block is encrypted separately with AES using a key of at least 128 bits, so that without the key the data cannot be decrypted even with physical access to the disk.


Figure 5-4 Cloud Service Data Security Architecture

To prevent loss of users' cloud data due to force majeure, Xiaomi uses several public cloud service providers for data storage and backup. Xiaomi has formulated strict security requirements and evaluation standards for public cloud providers that store user data and has selected only providers that meet them. Xiaomi stores only encrypted data blocks on third-party public clouds and does not share the encryption keys with them.

User Data Deletion

Users have the right to change or delete data uploaded to the cloud space. When a user deletes data, the corresponding data in the cloud is marked as deleted and temporarily kept in the recycle bin. Within 30 days the user can still recover the data from the recycle bin, reducing losses from accidental deletion.

Data emptied from the recycle bin manually, or automatically after 30 days, is permanently deleted from the server and cannot be recovered. If the user closes the Mi account, the user's data in the cloud space is also completely deleted.


Mi Pay

Mi Pay is a mobile payment service provided by Mi Wallet. Mi Pay completes a payment after verifying the user's fingerprint, instead of verifying the bank card and PIN. To ensure payment security, at the hardware level Mi phones implement hardware-level encryption of payment fingerprint information and secure storage of bank card information, physically isolating payment information; at the system software level, MIUI automatically checks whether the payment environment is secure and reliable at payment time. The transaction takes place only among the user, the merchant and the card issuer, so the Mi Pay service does not collect any of the user's transaction information during payment.

Mi Pay Component

● Secure element: the Secure Element (SE) is an industry-standard, certified chip running the Java Card platform, which complies with the digital payment requirements of the finance industry.

● NFC controller: processes the Near Field Communication (NFC) protocols and relays information between the application processor and the secure element, and between the secure element and the POS terminal.

● Mi Wallet: users can add bank cards to Mi Wallet, manage and view the added cards, and query other information provided by card issuers (e.g. the card issuer's privacy policy, recent transactions). They can also add and manage transit cards, virtual access cards, etc. in Mi Wallet.

● TEE: on Mi phones, the TEE manages the fingerprint verification process to ensure transaction security.

● Mi Pay server: manages the settings of bank cards, transit cards and virtual access cards in Mi Wallet, as well as the device card numbers stored in the secure element. The Mi Pay server communicates with the device and with the card issuer's server.

*Note: The functions of transit card and virtual access card are only available in some models.


Mi Pay Secure Element

The secure element includes dedicated applets for managing Mi Pay, as well as applets certified by payment networks or card issuers. Encrypted bank card information sent by the payment network or card issuer is stored in these applets and protected by the security functions of the secure element. During a transaction, the POS terminal communicates directly with the secure element through the NFC controller over a dedicated hardware bus.

Mi Pay NFC Controller

As the access gateway to the secure element, the NFC controller ensures that all contactless transactions are made with a POS terminal within close range of the device; it only treats contactless payment requests from a POS terminal in the radio frequency field as valid requests.

When the user completes a Mi Pay payment with a fingerprint, the NFC controller sends the contactless response prepared by the payment applet in the secure element into the radio frequency field. The payment authorization details of the transaction are encrypted by the secure element and sent directly to the payment network without being disclosed to the application processor.

Bank Cards Binding

When adding a bank card to Mi Pay, the card number, expiration date and CVV code are needed. Users can enter this information manually in Mi Wallet, or capture it with the camera or the NFC reader/writer application on the device; the captured card information is released from RAM immediately after it has been entered successfully and is neither saved on the device nor uploaded to the server.

After the bank card information is entered, Mi Wallet sends the card number to the Mi Pay server, which forwards it to the card issuer for verification. After verification, Mi Wallet shows the bank's user agreement, and the process continues only once the user accepts it. The other bank card information the user subsequently fills in is encrypted by the "UnionPay Editor Control Class for Security Service" and sent to the Mi Pay server, which forwards it to the card issuer. At the same time, Xiaomi shares the device model, the SE number and, if the user has "Location-based services" enabled, the user's approximate location at the time of adding the card with the card issuer. The card issuer decides whether to approve adding the bank card to Mi Pay based on this information.

Payment Authorization

On devices equipped with a TEE, the SE allows payment only after receiving authorization from the TEE. On Mi phones, users can authorize payment through fingerprint authentication.

The TEE and SE are connected through a serial interface, and an ECC signature scheme is used for signature-based authentication of the exchanged data to ensure communication security. To further enhance payment security, MIUI implements activation controls for Mi Pay, which means that fingerprint authentication is required by default for Mi Pay card payments.

• Both the TA and the SE implement hardware-level encryption.

• The ECC signature scheme used for signature-based authentication between the TEE and SE ensures that the SE only accepts authorization information from the native TEE; even if the SE is physically penetrated, the bank card cannot be activated.

• The bank card can only be retrieved for use after the user has passed fingerprint authentication.

• The data communication between the Mi Wallet client and the Mi Pay server is double-encrypted, AES encryption followed by HTTPS transmission, to prevent interception and tampering.

• Users' fingerprints are stored only in the TEE of the device and cannot be read by any application or uploaded to the server.
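The activation control described above, as an added example that is not Xiaomi's code: the TEE signs a per-transaction authorization and the SE verifies it against the pinned TEE public key, so an authorization signed by any other key, or replayed for a second transaction, is rejected. ECDSA on P-256 with SHA-256, the SE-issued challenge nonce and the message layout are assumptions; the paper says only that an ECC signature scheme is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authorization is the constructed TEE-to-SE message; the real Mi Pay layout is not documented.
type Authorization struct {
	CardRef string // provisioned card to activate
	Nonce   uint64 // SE-issued challenge that binds the authorization to one transaction
	Sig     []byte // DER-encoded ECDSA P-256 signature over CardRef and Nonce
}

// authDigest is signed by the TEE and verified by the SE; the fixed label keeps
// this message type distinct from anything else the TEE key might sign.
func authDigest(cardRef string, nonce uint64) []byte {
	h := sha256.New()
	h.Write([]byte("MIPAY-AUTH-v1\x00")) // constructed domain separator
	h.Write([]byte(cardRef))
	var nb [8]byte
	binary.BigEndian.PutUint64(nb[:], nonce)
	h.Write(nb[:])
	return h.Sum(nil)
}

// TEE holds the signing key; its public half is assumed provisioned into the SE at pairing.
type TEE struct{ key *ecdsa.PrivateKey }

func NewTEE() (*TEE, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TEE{key: k}, nil
}

// Authorize signs an activation only when the fingerprint TA reported a match.
func (t *TEE) Authorize(cardRef string, nonce uint64, fingerprintOK bool) (*Authorization, error) {
	if !fingerprintOK {
		return nil, errors.New("fingerprint not verified; no authorization issued")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, authDigest(cardRef, nonce))
	if err != nil {
		return nil, err
	}
	return &Authorization{CardRef: cardRef, Nonce: nonce, Sig: sig}, nil
}

// SecureElement releases a card only on an authorization from the paired TEE.
type SecureElement struct {
	teePub     *ecdsa.PublicKey
	nonce      uint64
	nonceOpen  bool   // a challenge is outstanding
	activeCard string // card currently released for contactless use
}

func NewSE(teePub *ecdsa.PublicKey) *SecureElement { return &SecureElement{teePub: teePub} }

// Challenge issues a fresh random nonce for the next transaction.
func (s *SecureElement) Challenge() (uint64, error) {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		return 0, err
	}
	s.nonce, s.nonceOpen = binary.BigEndian.Uint64(b[:]), true
	return s.nonce, nil
}

// Activate verifies the signature and consumes the nonce, so an authorization cannot be replayed.
func (s *SecureElement) Activate(a *Authorization) error {
	if !s.nonceOpen || a.Nonce != s.nonce {
		return errors.New("no matching outstanding challenge (stale or replayed)")
	}
	if !ecdsa.VerifyASN1(s.teePub, authDigest(a.CardRef, a.Nonce), a.Sig) {
		return errors.New("authorization not signed by the paired TEE")
	}
	s.nonceOpen, s.activeCard = false, a.CardRef
	return nil
}

func (s *SecureElement) ActiveCard() string { return s.activeCard }

func main() {
	tee, _ := NewTEE()
	se := NewSE(&tee.key.PublicKey)
	nonce, _ := se.Challenge()
	auth, _ := tee.Authorize("card-01", nonce, true)
	fmt.Println("paired TEE:", se.Activate(auth), "| replay:", se.Activate(auth))
}
```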

Figure 5-5 Logical Architecture of Payment Authorization

Suspension or Removal of Bank Cards

Users can log in to Mi Wallet and manually remove added bank cards. For an added "Mi Pay bank card", when the "Lost Mode" or "Clear Data" function of "Find Device" is on, Mi Pay automatically notifies the card issuer to stop the card in Mi Wallet. Even if the device is not connected to the network, the payment network or the card issuer can disable payment with the card on this device. In addition, the user can also suspend or remove the bank card by calling the card issuer.

Mi AI

Users can wake up a supported smart device by saying "Mi AI" to start a conversation, check the weather, make phone calls, control smart home devices, etc. Developers can let users interact with hardware devices (e.g. phones, televisions, speakers, etc.) based on the Mi Speech Engine AI technology.

Basic Architecture

Mi Speech Engine is mainly composed of the following modules:

1) The Automatic Speech Recognition (ASR) module is responsible for transcribing spoken language into text;

2) Natural Language Processing (NLP) module is responsible for processing and understanding the text, and converting text into structured query expression based on the context and dialogue;

3) The Intelligence Search Engine & Execution (ISEE) module is responsible for controlling smart home devices through commands converted from the text, or for searching high-quality content and services (e.g. music playing, weather query, etc.) and responding with the results that best meet the user's needs and the current context;

4) The Text To Speech (TTS) module converts the results returned by Intelligence Search into voice output, and integrates with the modules above to achieve smooth and natural human-computer interaction.

Mi AI integrates with third-party content, services and AI technology based on Mi Speech Engine, and provides external services through a unified API and SDK. The system architecture is shown in figure 5-6:

Figure 5-6 Architecture of Mi AI

Speech Wake-up and Recognition

When the user says "xiao ai tong xue", the device starts recording the user, and the recordings (including subsequent speech commands) are sent to the server. Sound reaching the microphone is not recorded or uploaded before Mi AI wakes up.

When a user is using Mi AI, data that can identify the user (e.g. Mi Account, hash of IMEI, etc.) is uploaded through the encrypted transport layer. This data cannot be directly related to the user's recordings on the server because the Mi Account is mapped to a pseudonymized random ID. The ID mapping form is encrypted and stored in a database isolated from other user data, and the keys are stored in the Key Center. No one at Xiaomi can be granted access to both the ID mapping form and the keys at the same time.

Recording segments uploaded to the server are used to train the speech model of the speech recognition module in order to optimize the accuracy of speech wake-up and recognition. These recordings are only associated with the randomized, encrypted ID mentioned above and cannot be used to identify the user.

Users of Mi AI can record their own voiceprint*; afterwards only a voice matching the preset voiceprint can wake up the device. The voiceprint feature is likewise only associated with the randomized, encrypted ID mentioned above and cannot be used to identify the user.

Users who have upgraded Mi AI to v4.8 can make the following settings through the Privacy Switch* in MIUI or the voice device app:

● Whether to upload wake-up audio and voiceprint data and use them to optimize speech wake-up.

● Whether to use speech data to optimize speech recognition.

*Note 1: Only some specific models and speakers are supported.

*Note 2: The setting path and content of Privacy Switch are different for some devices.

Place Phone Calls

When the user calls someone in their contacts using Mi AI, Mi AI selects the one or more contacts whose names are closest to the name provided. The selected data is encrypted with AES-128 and uploaded to the server via the encrypted transport layer to be processed by NLP. The NLP-processed data is then downloaded to the device to match the phone number so that Mi AI can place the call. When making phone calls, the phone numbers in contacts are not uploaded, and contact names are not stored on the server.

In addition, to improve the accuracy of speech recognition, users can set through the privacy switch in MIUI or the voice device app whether contact name data may be used to train ASR. Name data is not uploaded to the server.

Voice Broadcast

When the user turns on the voice broadcast function, Mi AI can read out messages, missed calls, WeChat messages, etc. for the user. TTS runs only on the device, so the message content and user data are not uploaded to the server.

Smart Home Device Control

When smart home devices are logged in with the same Mi Account, those that support Mi AI can be controlled by Mi AI.

For device control, when the user sends a voice command* to Mi AI, Mi AI connects to the Mijia server and obtains the information (e.g. device name, room, status, etc.) of the devices under the Mi Account. This information, stored on the Mi AI server, is used only for device control and not for analyzing the user's living habits or interests.

*Note: For Mi TV control, the user first needs to pair Mi AI with a nearby Mi TV through a Wi-Fi scan or Bluetooth, which obtains the TV's MAC address.

Data Minimization

Mi AI strictly follows the principle of data minimization when collecting and sharing user data, which means Mi AI only collects or shares the fewest data fields needed to deliver a function, for example:

● Mi AI supports authorized third-party login based on OAuth2.0 protocol. Users can check information of takeaway and express delivery (e.g. MeiTuan-DianPing and CaiNiao). Mi AI only invokes third-party to check information and to get feedback. Any order information and express information from third parties will not be obtained, stored or used.

● Xiaomi may cooperate with external service providers to use their ASR and TTS capabilities as backup resources (e.g. multilingual translation) in specific scenarios. When invoking the relevant APIs, Mi AI provides partners with no user personal data other than the audio to be recognized and the text to be synthesized.

Data Security

All data transmitted among user devices, servers and third parties is encrypted at the transport layer over HTTPS or encrypted WebSocket. Users' Mi Accounts, device identifiers and the random IDs mentioned above are encrypted with AES-128 and stored in the database. The encryption and decryption keys are stored in the Key Center. Xiaomi applies role-based, multi-level access control to user data and undergoes corresponding security audits.

Image Intelligence

Image intelligence provides MIUI users with smart album, image recognition, smart camera and other services based on smart vision processing technology:

● Smart album helps users edit, manage and use pictures conveniently. It provides multiple functions, including: beautifying pictures of food, landscapes and portraits with one click; intelligent editing such as changing the background, smart cropping and magic elimination; helping users manage storage space by generating classified photo albums; and helping users locate and use pictures in photo albums quickly through image recognition and search.

● Smart camera is preset with a variety of optimized photography algorithms that provide various functions, such as: scene optimization based on a scene recognition algorithm to achieve preference matching and fine-grained image quality adjustment; portrait optimization that matches different beautification parameter schemes to the identified age and gender, so that every face gets its own beautifying effect; and special effects for short videos, helping users quickly generate micro-movie style videos.

The Training and Using of AI Algorithms

The AI algorithms for image are trained in the research and development environment. Afterwards, the algorithm model will be embedded in MIUI's photo album and camera. Iteration of the model is achieved by the upgrade of photo album and camera. Users' personal information will not be used for the development, testing and optimization of the algorithm.

Figure 5-7 Logic Architecture of AI Algorithm

Data Security

When users use the services provided by image intelligence, Xiaomi only collects the user data which is necessary for service providing, and all functions are given priority to be implemented on the device. When the user chooses to use the smart photo classification function of Xiaomi Cloud, user data will be uploaded to the server in an encrypted manner, see Section 5.2.2 hereof for details.

Location-based Services

Location-based Services of Xiaomi provide device-based positioning capabilities for Xiaomi and third-party applications and websites on MIUI, including GPS, network positioning and hybrid positioning. The information collected by various positioning is as follows:

● GPS: satellite-based positioning. The collected information includes device identifiers and longitude & latitude.

● Network positioning: the collected information includes Wi-Fi hotspot and base station information.

Wi-Fi hotspot information includes: name (SSID), MAC address (BSSID), Received Signal Strength Indication (RSSI), channel (FREQUENCY) of the connected and scanned AP.

The base station information includes: Mobile Country Code (MCC), Mobile Network Code (MNC), Location Area Code (LAC), Cell Identity (CID), and Received Signal Strength Indication (RSSI) of the connected and scanned base station.

● Hybrid positioning: based on GPS, combined with the data of network positioning and sensors.

When location services are turned on by the user and an application requests location data, location-based services upload the Wi-Fi hotspot information and base station information near the device to the server in an anonymized and encrypted manner. This data is used to expand the crowd-sourced database of Wi-Fi hotspot and base station locations and cannot be used to identify the user.

The data collected by location-based services is obtained through an API with an authentication mechanism, encrypted with AES-128 (the AES session key is exchanged with the server using a pre-shared key), encoded with Base64, and then transmitted over HTTPS.

Users can decide whether to turn on location-based services through the "Location-based Services" switch; the setting path in MIUI is "System Security" - "Privacy Settings" - "Location Information".

MiPush

MiPush provides developers with the service of pushing messages to client applications in real time by establishing a stable and reliable long connection between the cloud server and the client.

Figure 5-8 MiPush Service Architecture

MiPush supports notification bar messages and pass-through messages, and also provides two message distribution channels, API and operation platform respectively. MiPush SDK supports Android, iOS client and server mainstream languages, which can help the developers to better meet the complex business needs based on their own business logic.

Developer Privacy Compliance Requirements

Mi protects end users' personal information by regulating developers through the developer agreement:

● Developers shall agree that MiPush collects, stores, uses, discloses and protects personal information in accordance with Xiaomi Privacy Policy, in order to use MiPush Service.

● Developers shall develop and publish the privacy policy and obtain the consent of end users. Moreover, the standards for the policy must be no lower than the privacy protection standards of MiPush.

● Mi strongly recommends that developers include the critical clauses from the Xiaomi Privacy Policy in their end-user-facing product privacy policy to ensure that end users agree to MiPush Service collecting and using the data. Developers shall not use MiPush Service without end user consent.

● Mi requires developers to comply with all laws, regulations, policies and industry standards applicable to MiPush Service regarding the protection of end users' personal information.

Device Identification Method

MiPush does not use a device identifier (e.g. IMEI) directly to identify the device, but processes the user's personal information through technical methods such as de-identification. MiPush hashes the three device identification parameters (device identifier, serial number and Android ID) on the device and uploads the resulting string to the server. On the server side, the string is mapped to a random ID which is returned to the client. MiPush uses this random ID as the unique identifier of the device.
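The on-device hashing and server-side random ID mapping described here, and the pseudonymized ID mapping form of the Mi AI section, as an added example that is not MiPush's code: the device sends only a SHA-256 over the three identifiers, the server mints an unrelated random ID and keeps the mapping apart from the records it holds under that ID, and the deletion API drops both. The field separator, the ID format and the two-store layout are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// DeviceIdentifiers are the three fields the text says MiPush hashes on the
// device; the values used below are constructed samples, not real identifiers.
type DeviceIdentifiers struct {
	DeviceID  string // e.g. IMEI on a real device
	Serial    string
	AndroidID string
}

// ClientFingerprint runs on the device: one SHA-256 over the three identifiers,
// with a separator so fields cannot shift into one another. Only this hex string
// is sent to the server; the raw identifiers never leave the device.
func ClientFingerprint(d DeviceIdentifiers) string {
	h := sha256.New()
	for _, f := range []string{d.DeviceID, d.Serial, d.AndroidID} {
		h.Write([]byte(f))
		h.Write([]byte{0}) // field separator
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Server keeps two stores that belong in separate databases: the mapping form
// (fingerprint -> random ID) and the per-device records keyed by random ID
// alone, the same isolation the Mi AI section describes for its ID mapping form.
type Server struct {
	mapping map[string]string   // fingerprint -> random ID
	records map[string][]string // random ID -> delivery-status records
}

func NewServer() *Server {
	return &Server{mapping: map[string]string{}, records: map[string][]string{}}
}

// Register returns the existing random ID for a known fingerprint or mints a new
// one from the CSPRNG, so the ID cannot be derived from the fingerprint.
func (s *Server) Register(fingerprint string) (string, error) {
	if id, ok := s.mapping[fingerprint]; ok {
		return id, nil
	}
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	id := "rid_" + hex.EncodeToString(b[:])
	s.mapping[fingerprint] = id
	return id, nil
}

func (s *Server) isRegistered(id string) bool {
	for _, rid := range s.mapping {
		if rid == id {
			return true
		}
	}
	return false
}

// Record stores a delivery-status entry under the random ID only.
func (s *Server) Record(randomID, status string) error {
	if !s.isRegistered(randomID) {
		return errors.New("unknown random ID")
	}
	s.records[randomID] = append(s.records[randomID], status)
	return nil
}

// DeleteRegistration is the user-data deletion API: it drops the mapping entry
// and every record held under the device's random ID.
func (s *Server) DeleteRegistration(fingerprint string) bool {
	id, ok := s.mapping[fingerprint]
	if !ok {
		return false
	}
	delete(s.mapping, fingerprint)
	delete(s.records, id)
	return true
}

func main() {
	dev := DeviceIdentifiers{DeviceID: "IMEI-000000000000000", Serial: "SN-CONSTRUCTED", AndroidID: "a1b2c3d4"}
	srv := NewServer()
	id, _ := srv.Register(ClientFingerprint(dev))
	_ = srv.Record(id, "msg-1 delivered")
	fmt.Println("random ID:", id, "records:", srv.records[id])
}
```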

Data Minimization

MiPush is only used as a message channel and would not extract and use the content of the message, the user behavior and preferences. The original data, intermediate data and statistical results by MiPush will not be provided for Mi's partners, nor will partners be allowed to access these data in any form; MiPush only provides developers with the background statistics including time and message status dimensions, excluding any personal information of users.

Data Transmission Security

When the mobile app initiates a registration request to the MiPush server for the first time, device information (with the device identification field irreversibly hashed) is sent to the server, and the server then returns the random ID and the message content key. HTTPS is used to encrypt the data in transit during this process.

MiPush Service requires developers to use the HTTPS protocol to send message content to the server. Communication between the various modules of the server is encrypted with the AES-128 algorithm. After the message is encrypted with a symmetric encryption algorithm, the ciphertext is pushed to the device through an AES-128 encrypted channel established between the server and the device, achieving double encryption.
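Both AES-128 constructions the paper describes, the location-based services upload (session key under the pre-shared key, then Base64, then HTTPS) and the MiPush double encryption (content key, then channel key), as an added example that is not Xiaomi's code. GCM as the AES mode, wrapping the session key by encrypting it under the PSK, and the two-field Base64 envelope are assumptions; the paper gives neither the mode nor the field layout.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// seal encrypts and authenticates with AES-128-GCM (mode assumed); the random nonce is prepended.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal and fails on any change to nonce, ciphertext or tag.
func open(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// EncodeLBSReport prepares a scan report for upload: a fresh AES-128 session key
// wrapped under the pre-shared key, the report sealed under the session key, and
// both Base64-encoded for the HTTPS request (this two-field envelope is assumed).
func EncodeLBSReport(psk, report []byte) (wrappedKey, payload string, err error) {
	session := make([]byte, 16) // one AES-128 session key per upload
	if _, err = rand.Read(session); err != nil {
		return "", "", err
	}
	wrapped, err := seal(psk, session)
	if err != nil {
		return "", "", err
	}
	ct, err := seal(session, report)
	if err != nil {
		return "", "", err
	}
	b64 := base64.StdEncoding.EncodeToString
	return b64(wrapped), b64(ct), nil
}

// DecodeLBSReport is the server side: unwrap the session key, then the report.
func DecodeLBSReport(psk []byte, wrappedKey, payload string) ([]byte, error) {
	wrapped, err1 := base64.StdEncoding.DecodeString(wrappedKey)
	ct, err2 := base64.StdEncoding.DecodeString(payload)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("envelope fields are not valid Base64")
	}
	session, err := open(psk, wrapped)
	if err != nil {
		return nil, err
	}
	return open(session, ct)
}

// PushMessage is the MiPush double encryption: content sealed under the per-app
// message content key, then that ciphertext under the server-to-device channel key.
func PushMessage(contentKey, channelKey, msg []byte) ([]byte, error) {
	inner, err := seal(contentKey, msg)
	if err != nil {
		return nil, err
	}
	return seal(channelKey, inner)
}

func main() {
	psk := []byte("constructed-psk!") // 16-byte constructed sample, not a real key
	wk, payload, _ := EncodeLBSReport(psk, []byte(`{"bssid":"00:11:22:33:44:55","rssi":-61}`))
	report, err := DecodeLBSReport(psk, wk, payload)
	fmt.Println(string(report), err)
}
```

The device side of a push peels the layers in reverse order: open the wire bytes with the channel key first, then the result with the content key.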

Data Deletion

Once a message is successfully delivered, the message content is deleted from the server. If the message is not delivered due to abnormal circumstances, the server keeps the message content for 14 days. MiPush Service provides developers with a user data deletion API that can be invoked to delete the app's MiPush registration information. If the device is not connected to the network within 90 days, the message content related to the device is also deleted from the server. If the developer stops using MiPush Service or requests that the push service be stopped, Xiaomi deletes all relevant app information according to the developer's instructions.

06 Security Certification and Privacy Policy

Security Certification and Privacy Policy

Upholding the principle of respecting and protecting the privacy of users and letting everyone in the world enjoy a better life through innovative technology, Xiaomi is committed to providing trusted products for its users.

To make the most of the extensive implementation of its information security and privacy protection policies, Xiaomi formally established the Information Security and Privacy Committee in 2014 and set up a comprehensive security management system through technical protection measures, policies and processes, assessment and audit mechanisms, etc. At the same time, in order to comply with the laws and regulations of all the countries it serves, Xiaomi has employed experienced local lawyers as data protection officers for its European Union business.

To provide users with services that comply with laws, regulations and industry standard requirements, Xiaomi has carried out global compliance projects and is audited regularly by external regulatory authorities. Xiaomi's internet services comply with the requirements of cyber security multi-level protection and have passed level 3. The infrastructure, development, operations, maintenance and internet services supporting MIUI products and services comply with international authoritative certification systems, and have passed the ISO27001, ISO27018 and ISO29151 certifications of the British Standards Institute (BSI). The MIUI operating system, its built-in applications and cloud services have been evaluated and certified by TrustArc, a world-leading data privacy compliance company. Xiaomi's privacy policies and privacy practices conform to the TRUSTe enterprise privacy standards, and have been granted the TRUSTe Privacy Certification Seal.

Xiaomi respects and protects the personal privacy rights of all users. The privacy policy describes in detail how Xiaomi collects, uses, discloses, processes and protects the information you provide to us or that we collect while you are using Xiaomi products or services. Links to the privacy policies in different languages: https://privacy.mi.com/all.

*Note: Some products have separate privacy policy links, which can be viewed on the corresponding product page.

Xiaomi has a professional security and privacy team that is responsible for providing technical support for the security and privacy of Xiaomi products, as well as security and privacy review and testing of products in development and already released. Meanwhile, Xiaomi collects security issues and security intelligence from researchers around the world through a range of channels such as the self-built Xiaomi Security Center (SRC), HackerOne and e-mail, and rewards them according to the priority of the issue or intelligence.

At the same time, Xiaomi has put forward the "Xiaomi Smart Life Security Guard Program" and actively invites security researchers to carry out security tests on Mi products for high bonuses. Xiaomi gives confirmed security issues a high priority and resolves them as soon as possible.

Contact Xiaomi Security Center: https://sec.xiaomi.com/ , https://hackerone.com/xiaomi , [email protected].

07 Peroration

Peroration

Xiaomi is committed to providing digital software and hardware products with complete functionality, security and usability for individuals, families and industry users around the world. MIUI, as the core component of Mi phones, shoulders the responsibility of building a foundation of trust as well as providing security assurance, and will continue to give priority to enhancing security. This paper is a comprehensive presentation of MIUI security design and implementation.

Xiaomi strives to root the awareness of security and privacy protection in the hearts of every business department, every employee and every partner. As mentioned before, Xiaomi has established a comprehensive security and privacy management system, integrating security and privacy requirements into product design, development, testing, operation and other processes, conducting strict security and privacy audits of partners, and actively monitoring and resolving new security issues and threats, to ensure that user data is protected throughout its entire life cycle. In response to the evolving security situation, Xiaomi will continuously improve its security technology capabilities, refine the security and privacy protection functions of products and services, and optimize its security and privacy management system. In addition, all practices will be presented through authoritative certificates, white papers, privacy policies and other means, so that Xiaomi can build users' confidence in its products and services and users can choose and use them with confidence.

In this era of big data and artificial intelligence, there are some contradictions between enterprise development and user privacy. However, Xiaomi firmly believes that only by respecting and protecting users' information security and privacy can it build users' long-term trust in Xiaomi's products. Therefore, Xiaomi insists on prioritizing information security and privacy protection and continuously increasing its investment in security and privacy. Xiaomi would like to share its standardized methods, best practices and technical capabilities in information security and privacy protection with partners, which would promote the development and protection of user privacy.

08 Abbreviated Definition Table

Abbreviated Definition Table

Abbreviation (Full name): Definition

3DES (Triple Data Encryption Algorithm): A symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block.

AES (Advanced Encryption Standard): A commonly used symmetric encryption algorithm. A variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits.

AI (Artificial Intelligence): A wide-ranging branch of computer science concerned with building smart machines capable of performing tasks that typically require human intelligence.

API (Application Programming Interface): A set of functions and procedures that allow for the creation of applications that access data and features of other applications, services or operating systems without accessing source code.

ASR (Automatic Speech Recognition): The process and the related technology for converting the speech signal into its corresponding sequence of words or other linguistic entities by means of algorithms implemented in a device, a computer, or computer clusters.

AVB (Android Verified Boot): A process of assuring the end user of the integrity of the software running on a device, which typically starts with a read-only portion of the device firmware which loads code and executes it only after cryptographically verifying that the code is authentic and doesn't have any known security flaws.

BL (Boot Loader): A vendor-proprietary image responsible for bringing up the kernel on a device.

CVV (Card Validation Value): A security feature for "card not present" payment card transactions instituted to reduce the incidence of credit card fraud.

ECC (Elliptic Curve Cryptography): An approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys compared to non-EC cryptography (based on plain Galois fields) to provide equivalent security.

ECDSA (Elliptic Curve Digital Signature Algorithm): A Digital Signature Algorithm (DSA) which uses keys derived from elliptic curve cryptography (ECC).

FBE (File-based Encryption): A form of disk encryption where individual files or directories are encrypted by the file system itself.

Flash (Flash Memory): An electronically non-volatile memory storage medium that can be electrically erased and reprogrammed.

Fuse (File System in User's space): A software interface for Unix and Unix-like operating systems that lets non-privileged users create their own file systems without editing kernel code.

HMAC (Hash-based Message Authentication Code): A specific type of message authentication code (MAC) involving a cryptographic hash function and a secret cryptographic key.

HTTPS (Hypertext Transfer Protocol Secure): A secure communication channel for exchanging information between client and server through secure sockets layer.

HUK (Hardware Unique Key): A key solidified on the mainboard of the device when leaving the factory to identify and verify the uniqueness of the device.

KASLR (Kernel Address Space Layout Randomization): A technology that ensures the unpredictability of memory addresses and offsets of the kernel image, which can greatly reduce the success rate of malicious software attacks and improve system security.

MDM (Mobile Device Management): A product life-cycle management covering all stages of mobile device registration, activation, use and elimination.

NFC (Near-field Communication): A set of communication protocols that enable two electronic devices, one of which is usually a portable device such as a smartphone, to establish communication by bringing them within 4 cm of each other.

NLP (Natural Language Processing): Processing and understanding natural language text and converting it into structured machine text.

OAuth (Open Authorization Standards): An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

OEM (Original Equipment Manufacturer): A company that purchases parts and equipment that may be manufactured by another company.

OS (Operating System): System software that manages computer hardware and software resources, and provides common services for computer programs.

OTA (Over the Air): The technology of remote management of mobile terminal device and SIM card data through the air interface of mobile communication.

PSK (Pre-shared Key): A shared secret which was previously shared between the two parties using some secure channel before it needs to be used.

ROM (Read-only Memory): A solid-state semiconductor memory that can only read data stored in advance.

Rootkit: A collection of computer software, typically malicious, designed to enable access to a computer or an area of its software that is not otherwise allowed and often masks its existence or the existence of other software.

RPMB (Replay Protected Memory Block): A partition with security characteristics in flash memory chips.

RSA (Public-key Cryptosystems): A cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner.

SE (Secure Element): A microprocessor chip which can store sensitive data and run secure apps such as payment. Its internal components include: CPU, RAM, ROM, encryption engine, sensor, etc.

SELinux (Security-Enhanced Linux): A kernel security module that provides a mechanism for supporting access control security policies.

SHA (Secure Hash Algorithms): A family of cryptographic hashing functions designed to keep data secured. The five algorithms of the SHA family are SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512.

SoC (System on Chip): An integrated circuit that integrates all components of a computer or other electronic system.

TA (Trusted Application): A highly secure application program that runs in a TEE environment.

TEE (Trusted Execution Environment): A secure area on the main processor of a mobile device that exists in parallel with the mobile OS, providing an isolated execution environment to ensure isolated execution, integrity of trusted applications, confidentiality of trusted data, secure storage, etc.

TTS (Text-to-Speech): A part of man-machine dialogue, which synthesizes and converts text into natural speech output.

UI (User Interface): In the industrial design field of human-computer interaction, it is the space where interactions between humans and machines occur.

WebSocket: A computer communications protocol, providing full-duplex communication channels over a single TCP connection.
