The privately held company said it had fixed a
loophole in its cloud messaging system that had triggered the
unauthorized data transfer and that the operating system upgrade
had been rolled out on Sunday.
The issue was highlighted last week in a blog post by security
firm F-Secure Oyj and had been reported by media outlets in
Taiwan. Like Apple Inc's iMessage service, Xiaomi lets users
avoid SMS charges by routing messages over the Internet rather
than through a carrier's network.
In a lengthy blog post on Google Plus, Xiaomi Vice President Hugo
Barra apologized for the unauthorized data collection and said
the company only collects phone numbers in users' address books
to see if the users are online.
He said the smartphone's messaging system would now only
activate on an "opt-in" basis and that any phone numbers sent
back to Xiaomi servers would be encrypted and not stored.
Some industry analysts say Xiaomi has pipped Samsung Electronics
Co Ltd to become the top selling smartphone brand in China, the
world's biggest smartphone market.
Although an increasing number of smartphone apps harvest vast
troves of personal data including a user's real-time location,
the address book remains a particularly sensitive domain.
The U.S. Federal Trade Commission fined the social network Path
$800,000 last year after security researchers showed how the
company siphoned users' address books without their knowledge
and stored them on its servers.
As a result of the Path controversy, which began in 2012 and
prompted a brief Congressional inquiry, Apple changed its iPhone
operating system so that app developers would have to ask
explicitly for permission before accessing address book data.
(Editing by Miral Fahmy)
Copyright 2014 Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.