Xiaomi Security and other Questions

Hello,
A few days ago, I posted this post https://forums.puri.sm/t/brand-new-quality-phones-with-a-removable-battery/16717/6. I am doing research for phones and I have pretty much given up on the removable battery concept. As a side note, due to environmental regulations, the EU is soon going to mandate that phone manufacturers make their batteries removable.

I am considering Xiaomi, specifically this model ( https://www.gsmarena.com/xiaomi_poco_f3-10758.php . I have never purchase Xiaomi. I care about the size of the screen (for reading), the battery life (I am fine with disabling higher screen refresh and other battery consuming wares), and the camera. Regarding the camera, I want something “good enough”. Regarding the colors differences as compared to let’s say, a Pixel, I have seen reviews stating the camera isn’t as good as the true flagship phones. I have never really noticed the difference between the cameras aside from the overall image quality (pixelation). I do not do photo shooting professionally. I do videos which do get uploaded to the web. I do not do anything at night time and I am not extremely picky about this.

Is the camera good enough for this application?

I have seen security concerns about Xiaomi because of the bloatware and spyware type browsers. I plan to put LineageOS on the phone, which would resolve the software security concerns. As I consider all phones more or less the same in terms of security, especially when it comes to their default setup.

Is there anything above and beyond that should disqualify Xiaomi as a brand for someone concerned about privacy/security, when I am planning on putting LineageOS on it anyway?

Thanks

Time to bring up my two year old joke about 3 triple A’s?

Never heard/read it… go for it…

Actually that was the joke. However some other fellow replied with a picture of the back of an open phone with 3 triple A’s mounted. I’d have to search for it.

I don’t see a security concern. Most mobile phones are assembled in China, except for phones sold in Indian, Brazil and Indonesia which have policies for phones to be assembled domestically. About 70% of Samsung and 50% of LG phones are assembled in Vietnam. Samsung assembles some Galaxy S/Z/Note in S. Korea and Sony assembles some flagship Xperias in Japan.

If you buy a Xiaomi Redmi, you are likely getting a phone designed by Wingtech. Three Chinese ODM’s (Huaquin, Longcheer and Wingtech) control roughly 75% of the outsourced phone market. See: https://amosbbatto.wordpress.com/2021/12/10/comparing-l5-and-pp/#branding-and-custom-design

Xiaomi has a policy that you have to apply on their website to unlock the bootloader, and it voids your warranty. After waiting between 3 and 14 days (it is usually 7 days), they will give you a code to unlock the bootloader. The problem I found was that Xiaomi’s software to unlock the bootloader only runs in Windows, and I couldn’t get it to work through the USB port running inside VirtualBox in Linux, I had to install Windows in a normal partition in order to use the software. I blogged about it: https://amosbbatto.wordpress.com/2019/11/17/why-we-dont-own-our-mobile-phones/

Motorola also makes you wait between 3 and 14 days, but you don’t have to install Windows software, so it is easier than Xiaomi. With Samsung, you usually have to use some unauthorized method. Sony, Google, OnePlus and Fairphone make it easy to unlock the bootloader. With Google, you will need to reflash the phone to the original ROM and relock the bootloader before sending the phone in for warranty service, and I think it is similar situation with Sony and OnePlus. Fairphone, Shift and Teracube have the best policies, but they are all small brands. Sony has the best policies of the big brands in my opinion since Xperias are easy to unlock and Sony publishes the AOSP code for many of its phones, but you have to check the XDA forums to see how well they run LineageOS.

Didn’t it used to be a lot easier or simpler to unlock phones?

I can verify that Sony is very good about unlocking; you’ll get the unlock code within seconds.

The article at gsmarena which you linked to has an extensive section about the camera in the accompanying review.

Part of the issue I have with that is that they compare to models which I have no experience with and that some of those real high end cameras are so good, that when images or video are on the web for streaming or with compression, there are minor differences at best. But of course the original files are drastically different.

Hence why I ask others what their experiences are.

Install a tracker-blocking app, also. (e.g. Blokada 5, from F-droid). Then you will be able to see in real time if there are any suspicious connections happening under the hood. And block them.

I think it basically comes down to this:

Can devices designed and manufactured by a company from the PRC (with alleged ties to the Chinese military) still contain malicious code even after installation of a custom ROM? If so, does that code still have the ability to execute, transmit, etc.?

(Ignoring for the moment all the devices simply built in the PRC for OEMs of other countries…)

I don’t have any technical knowledge when it comes to custom Android ROMs; do they replace all the original firmware? Vendor files?

Unlocking bootloaders has always been tricky, as long as I can remember. Apple never allowed the unlocking of the bootloader on iPhones or iPads. Huawei used to allow it, but then decided to stop allowing it in 2018.

MediaTek recently overtook Qualcomm as the world’s biggest producer of mobile processors, which is a problem, because MediaTek generally doesn’t release the code for its phones, so custom ROMs can’t be made. On the other hand, Exynos has gotten better about releasing code and info in recent years, so it is easier to make ROMs for Samsung phones than in the past. The general rule is to avoid MediaTek and UNISOC, and only buy phones with Qualcomm and Exynos.

PS: When people say a phone is “unlocked”, they are generally talking about the phone not being locked to the cellular bands of a particular carrier.

Although I believe custom ROMs are currently unable to implement VoLTE in Samsungs, from my reading in XDA devs and /e/ forum.

I am looking at the S10e

As a person who cares about privacy, I wouldn’t consider any phone from a Chinese brand (Xiaomi, Redmi, any brand really). I totally say this from trust point of view, so it is definitely not a racist statement. Although almost every phone is being manufactured in China, I believe there is still difference between a phone designed by a “trusted” brand and made in china and a phone designed and made in china. In the past a friend of mine had a Chinese phone, after he installed an antivirus software he realised that multiple the system apps (which are not uninstallable) were marked as malicious. I’ve helped him to root his phone and remove those apps but after a restart, just before the Android starts up, they would get downloaded again. Finally installing a firewall and blocking many apps solved the issue. Obviously the brand have put quite a lot of effort to keep those spying apps running. It so much hassle and in the end I’m not even sure whether that phone was privacy friendly enough.

By using Lineage maybe you will ensure that there is nothing malicious in the operating system but Lineage still uses binary blobs (“drivers”) from Xiaomi and other companies.
You can put all sorts of malicious code in driver blobs without av app noticing anything.

If you think about it, catching a trojan or a virus on your pc is bad enough but, having malicious code in a smart phone is much worse as the device doesn’t just contain personal data. Most people carry it with them all the time, so it has continuous access to mic, camera, it can even generate biometric data from your face, fingerprint, voice. A pro-surveillance government would do anything to access such information, like “motivating” domestic companies to put surveillance features in their products…

Actually, in evergreen, five AAA fit, and there’s plenty of room for a step-down voltage regulator and a termal resistor. But this is still low priority work in progress, and this year deadline will be missed again, as it is only in four days…

Why aren’t there more companies building an open source phone, or something closer to it? Seems like a great business model that would automatically attract a large customer base. Especially if it was under $1,000.

Doesn’t look to be exactly an open source phone:

Security and UI improvement updates issued and digitally signed exclusively from Volta. Devices apply updates only after verifying the authenticity of the digital signature.

So you can’t make updates to your own phone(!) and you really only have their word for it that it is:

The VoltaOS is a de-Googled version of the Android mobile operating system without any Google apps or Google services.

And if they lose interest in providing updates, you have an abandonware phone.

And if they are compulsorily compromised by their local government …

So who exactly is Volta? Where are they based?
And do you trust them? because you certainly can’t verify them.

I guess their business model has its place but it has very different ideals as compared with Purism.

They use the same firmware, since those are proprietary blobs, and many component suppliers don’t publicly release their firmware, so the only way to get it is from the phone vendor. For the drivers, they generally reuse whatever the phone vendor provided, which comes from the component maker. Sometimes they copy the drivers and configuration files from other phone models using the same hardware components.

There are a lot of red flags for me about these Volta phones.

Secure Hardware
Security hardened custom hardware design with a controlled manufacturing process ensures no Zero Day hardware attacks are possible.

There is no info on their “custom hardware design”. They don’t give any specs on the two phones that they are offering, but they expect people to pre-order without having any idea what kind of hardware they will receive.

What does a “controlled manufacturing process” mean? Bittium and the Librem 5 USA market their phones like that, but they are charging $2k for the phones and they are assembling their PCBs onsite, so they can make that kind of claim, whereas this company gives no indication where anything is being assembled. Given the prices being charged, we know they aren’t running their own PCB assembly lines like Purism and Bittium. Any assembly plant in the lower Yangtze can claim to have a “controlled manufacturing process”.

How can they know that “no Zero Day hardware attacks are possible”? The nature of a zero day attack is that it is using a new technique that was previously unknown, and how can they guarantee that? I’m guessing that they mean that they know that no hardware has been inserted (like the supposed Chinese spychips in the Supermicro servers), but stuff can be inserted at many points, including in the design of chips, so there is no way to know with 100% certainty that there will be no “Zero Day hardware attacks” even if using all components from the approved sources.

Secure OS
The VoltaOS is a de-Googled version of the Android mobile operating system without any Google apps or Google services.

Since Google doesn’t give any OEM a license to use Android without Google’s apps, they shouldn’t even be calling it “Android”, There is no info on the web site about the OS or the app store. There is no source code repository or even a mention of which AOSP derivative they will be using or whether they will be creating their own derivative.

Maybe they will turn out to be trustworthy, but I see no reason to trust them based on the info they have provided so far. Before taking a chance with Volta, I recommend looking at the other companies selling phones with AOSP-derivatives preinstalled:

• Rob Braxman sells 13 models (Pixels, Motorola and OnePlus) with LineageOS (USA models)
• /e/ Solutions sells 6 models with /e/ (Fairphone 3/4, Teracube, Galaxy S9, Nord) (6 models for Europe and 1 model for USA)
• Volla Phone with Volla OS (only for Europe)
• jolla-devices.com sells the Volla Phone and the Pixel 3a/4 with GrapheneOS (only for Europe)

I hate break it to you, but every single one of the major phone ODMs (Wingtech, Huaqin, Longcheer, Wind, TINNO, Ragentek, Chino/OnTim, CK, Haipai, Huiye, Gionee, FIH Mobile) are Chinese companies, and most of the major Western brands outsource a large percentage of their phones to these ODMs:

714×438 39.9 KB

With the ban on Huawei using western fabs and Honor being spun off, I expect that a very high percentage of their phones are now being outsourced to the ODMs, so it is only Samsung and Apple (and probably ASUS) where the majority of their phones are still designed in-house.

Which brand? Almost anything can be called a “Chinese phone” in terms of the hardware now-a-days, but the branding company usually makes the decision which software gets installed on top of Android, so the brand matters.

By the way, Motorola and OnePlus are brands owned by Chinese companies, but they are marketed mostly for Western markets, so it is unclear whether you consider those to be “Chinese phones” or not. Xiaomi also mainly focuses on markets outside China, since it was the #1 brand in India, #3 brand in Europe and #3 in Latin America in terms of unit sales in 2021, but it was the #5 brand in China in Q4 2021.

But, at least in theory, the non-China OEM has the ability, and perhaps the motivation, to verify that their products’ internals have not been tampered with.