
MIUI 11 Security and Privacy White Paper


Contents

1 Summary 1
2 Hardware and System Security 4
   Hardware Trusted Environment 5
   Secure Boot 7
   Security Kernel 9
   Network and Communication Security 9
   Device Control 10
   System Software Update 13
3 Encryption and Data Security 14
   Data Protection Architecture 15
   Key Management 17
   Encryption Application 18
4 Application Security 22
   Application Security Protection 23
   Application Security Features 27
5 Internet Service Security 31
   Mi Account 32
   Xiaomi Cloud 35
   Mi Pay 40
   Mi AI 43
   Image Intelligence 46
   Location-based Services 48
   MiPush 49
6 Security Certification and Privacy Policy 52
7 Peroration 55
8 Abbreviated Definition Table 57



Statement

Due to the upgrade, adjustment of Xiaomi products or services and other reasons, the
contents of this document may change. Xiaomi has the right to add, modify, delete and
abolish such contents. Please download the latest version from the official website in
time.

This document is only used as a reference guide for users to understand the information
security and privacy protection of MIUI and Xiaomi Cloud. Xiaomi provides the
corresponding introductions based on the current MIUI version and the main hardware
architecture in service. However, due to the potential problems such as technological
upgrading, product iteration, changes in applicable laws and regulations, and consistency
of wording, Xiaomi hereby explicitly declares that it does not make any express or implied
guarantee for the completeness, accuracy, and applicability of the contents hereof.

The intellectual property rights of all original contents of Xiaomi in this document,
including but not limited to pictures, architecture design, text description, etc., are owned
by Xiaomi Technology Co. Ltd and its affiliated companies (hereinafter referred to as
"Xiaomi") in accordance with law. Without Xiaomi's prior written permission, no unit,
company or individual is allowed to extract, translate or copy part or all of the contents
hereof without authorization.

If any errors occur in this document or you have any questions about the contents hereof,
please contact Xiaomi via email [email protected].

Summary
As the world's leading smartphone manufacturer, Xiaomi relentlessly builds amazing
products at affordable prices to let everyone in the world enjoy a better life through
innovative technology, which is also its corporate mission. In the era of the Internet of
Things, security and privacy are essential basic needs of product users, and Xiaomi
attaches great importance to users' security and privacy.

MIUI, developed by Xiaomi, takes security and usability as its core. Every Mi phone
tightly integrates software, hardware and services so that they work together for
end-to-end security protection. This covers basic security capabilities such as hardware
chips, system kernels and data security, as well as the information security and privacy
protection of a series of key services such as Mi Account, Mi Pay, Xiaomi Cloud, voice AI
and image AI.

Adhering to the principle of objectivity and transparency, this document introduces the
security architecture, technical principles, functional design and privacy protection
measures of MIUI in detail. It is intended to give Xiaomi users, developers, partners and
relevant regulatory authorities a clearer understanding of the architecture and
implementation of its information security and privacy protection for mobile phones and
cloud services.

MIUI's security technology originates from a root of trust built in hardware, and the
chain of trust is then transferred to the operating system by secure boot. The running
state of applications is monitored by using and strengthening the Android security kernel
to ensure the security of the operating system and applications. The security of the file
system and user data is protected through encryption and data protection functions. The
cloud services are comprehensively protected by division of service functions and
"Defence-in-Depth" protection. The figure below shows the logical structure of the Xiaomi
MIUI Security and Privacy White Paper, which is also the narrative structure of this
document.


Figure 1-1 White Paper Logic Structure

Hardware and System Security: The Mi phone is a platform of integrated software and
hardware, which includes a hardware-supported TEE, secure boot, security kernel, network
and communication security, device control and system software update.

Encryption and Data Security: The encryption applications provided by the MIUI data
protection architecture not only ensure the security of user data, but also improve the
usability and convenience of MIUI.

Application Security: The basic protection mechanism and a series of application security
features enable apps to run securely and protect the security of user data.

Internet Service Security: The capabilities of MIUI to protect users' privacy and data
security for its main internet services by implementing protection measures to the
greatest extent.

Security Certification and Privacy Policy: Information on the overall principles,
organizational architecture, security and privacy certification, privacy policy and
continuous improvement mechanism in the field of information security and privacy
protection.


Hardware and System Security


Hardware and system security is the foundation of application and data security, and
provides the underlying framework for the overall security of MIUI, including the hardware
trusted environment, secure boot, security kernel, network and communication security,
device control, system software update, etc.

With the tight integration of hardware, system and service, MIUI ensures that every
component has a security verification mechanism from the initial boot, to system software
update, then to the application. These mechanisms ensure that user data is protected to
its greatest extent.

Hardware Trusted Environment


Trusted Execution Environment (TEE)

MIUI supports the TEE (Trusted Execution Environment) secure operating system. The TEE
is a small, independent operating environment isolated from the main operating system,
allowing applications with higher security and privacy demands to run in isolation from
the Android system.

Figure 2-1 Logical Architecture of Trusted Execution Environment


The software and hardware resources that the TEE can access are separated from the main
operating system. The TEE provides a secure execution environment for trusted applications,
and it also enforces the protection of confidentiality, integrity, and access permissions
for the data and resources belonging to those trusted applications. To guarantee the
trustworthiness of the root of trust, the TEE needs to be verified and isolated from the
main operating system during the secure boot process.

Inside the TEE, each trusted application is independent of the others, and cannot
access the security resources of another trusted application without authorization.
The TEE's internal API mainly includes resources and services such as key management,
cryptographic algorithms, secure storage, secure clock and extended trusted UI.

Trusted UI means that when sensitive information is displayed and sensitive operations are
performed (e.g. entering a PIN or password), hardware resources such as the screen display
and keyboard are completely controlled by the TEE, and software in the Android system
cannot access them.

Device Attestation
To ensure the trustworthiness of Mi phones, Xiaomi pre-installs a device certificate in
the TEE to uniquely identify each mobile phone, and the public keys of these certificates
are centrally managed by Xiaomi's servers. In scenarios where a higher level of security is
required, the application can send verification requests to Xiaomi's servers to verify the
authenticity of the device.

Hardware Unique Key (HUK)

The HUK (Hardware Unique Key), which is fixed on the motherboard during initial
manufacture, varies from phone to phone and cannot be tampered with. It is accessible only
by the hardware cryptographic engine, and it guarantees the uniqueness of the keys used for
lock screen password protection and file system encryption.

Hardware Cryptographic Engine

Encryption and decryption are computationally intensive operations that require great
computing power. For mobile devices, computing speed, energy conservation and security
are equally important. The Mi phone has taken these factors into consideration in its
design, and is equipped with a high-performance hardware cryptographic engine* to
ensure that the device achieves a balance in terms of running speed, battery life and data
security. The main algorithms supported by the cryptographic engine are:

● 3DES

● AES-128, AES-256

● SHA-1, SHA-256

● HMAC-SHA1, HMAC-SHA256

● RSA-1024, RSA-2048

● ECDSA-256

*Note: Some models are not equipped with hardware cryptographic engines.

Secure Boot
Secure boot is a mechanism that verifies the digital signatures of files and applications
using the corresponding public keys to ensure the integrity and authenticity of each boot
file or program, so as to prevent unauthorized programs from being loaded and run during
the boot process.

Under the secure boot mechanism, the digital signature of each boot file (e.g. the
Bootloader, kernel image, baseband firmware) is verified before it is allowed to load and
run. If the signature verification fails at any stage of the boot process, the boot process
is terminated.

The ROM SoC Bootloader is written into the chip's read-only ROM when the chip is
manufactured. It cannot be modified after leaving the factory. This piece of code is the
first to be executed after the device is powered on.

1. When the device is powered on, the PC pointer points to the Boot ROM address inside the
   chip, and the Boot ROM code is executed.
2. The Boot ROM loads the level I Bootloader from an external storage device, and the
   level I Bootloader gets executed after verification.
3. The level I Bootloader loads the TEE OS image file.
4. The level I Bootloader loads the level II Bootloader, then the TEE OS verifies its
   integrity.
5. The level II Bootloader verifies and loads the kernel file.
6. The kernel program verifies and loads the MIUI system.

Figure 2-2 MIUI Secure Boot Process

After the device is powered on, the ROM SoC Bootloader will first perform the basic
system initialization, and load the level I Bootloader from the Flash memory chip. It will
then utilize the public key stored in the Fuse space inside the main chip to verify the
digital signature of the level I Bootloader image, and run the level I Bootloader after the
successful verification. After completing the above steps, the level I Bootloader will load,
verify and execute the TEE OS image. Once the TEE OS is in operation, it will verify, load
and execute the level II Bootloader together with Level I Bootloader. The entire system
will be booted in such a manner that ensures the chain of trust is transferred along the
process, and no unauthorized program will be loaded and allowed to run.

MIUI supports Android Verified Boot 2.0 (AVB 2.0). During the boot process, before
entering the next stage, the digital signature of the code must be verified to ensure its
integrity and that it is free of any known security defects. It verifies the components
from the hardware root of trust, to the Bootloader, then to the boot partition and other
verified partitions (including system, vendor and optional OEM partitions). AVB helps
prevent a persistent rootkit from holding ROOT privilege and ensures the security of the
device during the boot process.

Security Kernel
MIUI supports Android's native SELinux features, and enforces mandatory access control
on the operations of all resources in the system, such as processes, files, and directories.
Any process that intends to perform an operation in the SELinux system must first be
granted permission in the security policy configuration file. The access control policy
file is protected during the boot process and is tamper-proof against third parties. With
SELinux, MIUI can prevent malicious processes from reading and writing protected data,
bypassing security mechanisms of the kernel, or attacking other processes.

MIUI supports KASLR (Kernel Address Space Layout Randomization) and randomizes the
kernel address space layout on each boot. KASLR makes the kernel address space layout
unpredictable, and increases the difficulty of performing code-reuse attacks. It reduces
the possibility of many complicated attacks, and further strengthens the security of the
system kernel.

Network and Communication Security


Secure Network Protocol
Using secure network protocols can reduce the risk of data leakage and tampering when a
user device connects to the network. MIUI users can establish their own virtual private
network (VPN) over public network connections. MIUI supports multiple VPN modes
including: PPTP, L2TP/IPSec PSK, L2TP/IPSec RSA, IPSec Xauth PSK, IPSec Xauth RSA and
IPSec Hybrid RSA. Users can select the VPN mode on demand to access and transmit
sensitive data.

MIUI's WLAN connection supports WEP, WPA/WPA2 PSK, 802.1x EAP, WAPI and other
authentication methods to provide users with different levels of security.

The WLAN hotspot function of MIUI is disabled by default. When the user enables
the function, the WPA2 PSK authentication method is used by default to ensure
connection security. At the same time, the WLAN hotspot function supports device MAC
address blacklisting.

Protection from Fake Base Stations

A fake base station is a type of malicious radio communication device that takes advantage
of defects in communication systems to impersonate legitimate base stations.

Attackers often use spoofed mobile phone numbers to send fraudulent or spam short
messages to users around the fake base station. When a fake base station is in operation,
the legitimate base station signals within a certain range are disturbed or even shielded.
This forces the user's mobile phone to connect to the fake base station, thus affecting
the user's normal use.

MIUI provides users with a fake base station protection function* which prevents mobile
phones from connecting to fake base stations. Users can turn on this function through
"Settings"-"Additional settings"-"Privacy"-"Protection from fake base stations" (off by
default).

*Note: Only the Mi phones with Qualcomm chip support this function.

Recognize SMS from Fake Base Stations


Even when the "Protection from fake base stations" function is turned off, MIUI still
provides the user with a fake base station spam message identification function, which is
independent of chip, model and version and available to all MIUI users.

Through a machine learning model running on the mobile terminal, the degree to which a
base station is suspected to be fake is judged, and fake base station short messages are
identified according to the characteristics of how the fake base station accesses the
mobile phone and the text characteristics of the short message.

Protection from Wi-Fi Probe Requests

A WLAN probe sniffer identifies each user by listening to the Wi-Fi signals sent by other
electronic devices in the air and obtaining their MAC addresses from the data packets. MIUI
is capable of sending data packets with random MAC addresses to prevent Wi-Fi probes
from obtaining the real MAC address of the mobile phone*.

*Note: Most devices running MIUI 11 already support Wi-Fi probe protection in the unconnected
state. In addition, mobile phones upgraded to Android Q support Wi-Fi probe protection in the
connected state.

Device Control
Find Device

MIUI provides users with the Find device function, helping users find lost mobile phones
and protecting the data security of mobile phones. This function is turned off by default
and can be used only when the user turns it on manually. Once the user enables this
function, in case the phone is lost, the user can log in to the Xiaomi Cloud web page
(https://i.mi.com) to remotely perform the following operations on the lost device:
Locate, Sound, Lost mode, Erase data.

Locate: Get the current location of the mobile phone through the network or a short
message command, and display it intuitively on the map.

Sound: Make the mobile phone ring through the network or a short message command, to
find a mobile phone that may be nearby.

Lost mode: Lock the mobile phone through the network or a short message command. After
locking, the phone automatically reports its location periodically, and at the same time
Mi Pay payment of this card is terminated automatically.

Erase data: Reset the mobile phone through the network or a short message command,
turning off data synchronization and unbinding the Mi Pay bank card at the same time.

Mobile Phone Unlocking Policy

In situations where the user loses the mobile phone or forgets the password of the Mi
account, the mobile phone may be locked. MIUI has designed a variety of security policies
to protect the user's rights under these circumstances.

Activation locking: After turning on the Find device function, if the mobile phone is
restored to the factory settings, the credentials used when turning on this function must
be verified before the device is reactivated.

Password reset protection: In order to prevent the credentials from being reset on a lost
phone through mobile phone verification, the "Find device" function cannot be turned off
within 3 days of a Mi account password reset. This gives the user who has lost the mobile
phone time to re-obtain the SIM card and regain control of the account and mobile phone.

Customer service unlocking: In case the user forgets the Mi account password and cannot
retrieve it, MIUI provides an unlocking code on the mobile phone locking interface so that
the user can unlock the phone through the customer service channel. Users who request to
use the unlocking code must submit a complaint application, and the phone can only be
unlocked after detailed manual review by customer service personnel.

In addition, when a mobile phone is lost, because of the screen lock password it is very
likely that it will be forcibly rooted. MIUI stores the mapping between the account and
the device on its cloud server (some devices also write the mapping into a special
partition that is tamper-proof against root), thus ensuring its integrity. When booting,
the device is required to connect to the network and obtain the mapping from the server.
If the current login account is different from the record on the server, MIUI will
require the user to switch back to the recorded account before continuing to use the
device.

On a BL (bootloader) unlocked device, the mobile phone lock can be bypassed by using a
non-MIUI system or a tampered MIUI system. However, such a ROM cannot use the OTA (Over
the Air) function and cannot log in to the Mi account normally. When the device switches
back to the MIUI system, it will be protected by the "Find device" function again.

MIUI Second Space

MIUI users can create a separate space completely independent of the original system
through MIUI Second Space. This completely isolates the user's accounts, applications and
data from the main space, with separate encryption protection. Additionally, users can
set different unlock passwords for the main space and the second space, thus realizing a
virtual mobile phone experience like having a second device. Users can save all kinds of
private files, pictures and other information, install private applications, etc.
Moreover, this independent space is similar to a "sandbox": any operation in this
"sandbox" will not affect the main space of the mobile phone.

Mobile Device Management (MDM)

MDM (Mobile Device Management) is a device protection function that MIUI provides to
device management applications, and an interface for managing and operating mobile phone
devices. Through the MDM application and API interface provided by MIUI, enterprise IT
systems can easily control and manage MIUI devices. API calls need authorization to ensure
permission control and security.

For applications that use device policy manager permissions abnormally, the system control
policy is implemented according to the MDM standard, including but not limited to: advising
the user to close the application through prominent reminders, and prohibiting the
application from obtaining service or permission interfaces.

For applications that can cause harm to user data or device security through the use
of the device policy manager, the following operations are strictly performed: the
application is removed from Xiaomi GetApps, and it is prohibited from obtaining relevant
service interfaces or from being displayed in the device policy manager application list.

System Software Update

MIUI supports Android's native OTA (Over the Air) mechanism and provides more secure
and efficient system upgrade management based on Android.

Before the system software is updated, the system update program verifies the integrity
of the ROM that was downloaded via OTA or copied offline, checking the size and hash
value of the file, etc. After the verification is passed, the mobile phone restarts into
the underlying recovery mode and verifies the integrity of the signing key again. Only
after this verification is passed does recovery mode write the updated contents of the
ROM into the system storage.


Encryption and Data Security


This chapter describes the MIUI data security protection mechanism. The MIUI file system
is divided into a system partition and a user partition. The system partition is read-only
and isolated from the user partition, and common applications can only access some
system partition directories. For the user partition, the system provides file-based data
encryption and directory permission management mechanisms to restrict data access
between different applications. At the same time, MIUI provides more security functions
and applications based on encryption technology, improving the convenience and usability
of MIUI while protecting user data security.

Data Protection Architecture


File-Based Encryption
MIUI supports Android's FBE (File-Based Encryption) function. File-based encryption
allows different files to be encrypted with different keys that can be unlocked
independently, so not all files in the system need to be encrypted together, and there
is a binding between user credentials and keys. File-based data encryption prevents
unauthorized users from obtaining user data by carrying out physical attacks on the
device (e.g. reading the Flash directly), and provides more secure data protection to
our users.

In MIUI, the key used for file encryption is wrapped by a Class Key, which is encrypted
and protected by a Keymaster Key derived from the Hardware Unique Key (HUK); users need
to be authenticated and authorized through the lock screen password or fingerprint before
data can be decrypted with the Class Key.

1. Generate the Keymaster Key in the Hardware Key.
2. Encrypt the Class Key using the Keymaster Key and the user password.
3. While starting up the system, a Wrapped-class Key is generated for each Class Key and
   used to prevent the plaintext of the Class Key from being exposed in the Android
   environment.
4. Encrypt the File Key using the Wrapped-class Key.
5. Encrypt the File using the File Key.

Figure 3-1 Procedure of File-based Encryption*

*Note: This schematic diagram applies to Mi phones that use Qualcomm chips and support FBE.

Each Mi phone that supports FBE contains two storage locations for a user:
● Credential Encrypted (CE) storage area: the CE area is the default storage area and is
only accessible after the user has entered their authentication credentials.
● Device Encrypted (DE) storage area: the DE area is accessible after the device has
powered on, regardless of whether the screen is unlocked.

The Credential Encrypted (CE) storage area is the default storage area for applications
to store data in MIUI, to ensure application security and application data security. Only
some applications (e.g. wireless authentication, alarm clock, ringtone, Bluetooth, etc.)
store some data in the Device Encrypted (DE) storage area, so that necessary services can
run before users provide credentials while the system can still protect users' private
information.
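As an added example (not Xiaomi's or Android's own code) of the CE/DE split described above: a direct-boot-aware alarm component that keeps only the next trigger time in DE storage and everything private in the default CE storage. The package name, preference names and alarm wiring are assumptions.

```java
package com.example.fbedemo; // hypothetical package for this added example

import android.app.AlarmManager;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.os.UserManager;

/**
 * Added example, not MIUI's or Android's own code. Data the alarm needs before
 * the first unlock (the next trigger time) lives in Device Encrypted (DE)
 * storage; anything private (the alarm label) stays in the default Credential
 * Encrypted (CE) storage and is only written once the user has unlocked.
 */
public final class AlarmStorage {
    private static final String DE_PREFS = "alarm_schedule"; // constructed name, DE-backed
    private static final String CE_PREFS = "alarm_details";  // constructed name, CE-backed
    private static final String ACTION_FIRE = "com.example.fbedemo.FIRE"; // constructed

    private AlarmStorage() {}

    /** True once the user has entered credentials and CE storage is readable. */
    public static boolean isCeUnlocked(Context context) {
        UserManager um = context.getSystemService(UserManager.class);
        return um != null && um.isUserUnlocked();
    }

    /** DE storage: readable as soon as the device boots, so keep only what must be there. */
    public static void saveNextTrigger(Context context, long triggerAtMillis) {
        Context de = context.createDeviceProtectedStorageContext();
        de.getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE)
          .edit().putLong("next_trigger", triggerAtMillis).apply();
    }

    public static long loadNextTrigger(Context context) {
        Context de = context.createDeviceProtectedStorageContext();
        return de.getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE)
                 .getLong("next_trigger", -1L);
    }

    /**
     * CE storage (the default context): its key is only available after the
     * user authenticates, so refuse instead of crashing before first unlock.
     */
    public static boolean saveLabel(Context context, String label) {
        if (!isCeUnlocked(context)) {
            return false; // caller should retry after Intent.ACTION_USER_UNLOCKED
        }
        context.getSharedPreferences(CE_PREFS, Context.MODE_PRIVATE)
               .edit().putString("label", label).apply();
        return true;
    }

    /**
     * Declared in the manifest with android:directBootAware="true" and a filter
     * for ACTION_LOCKED_BOOT_COMPLETED, so it runs while only DE storage is
     * readable and re-arms the alarm from DE data alone.
     */
    public static final class BootReceiver extends BroadcastReceiver {
        @Override
        public void onReceive(Context context, Intent intent) {
            String action = intent.getAction();
            if (ACTION_FIRE.equals(action)) {
                // Mark the trigger consumed so a later reboot does not re-arm a stale alarm.
                saveNextTrigger(context, -1L);
                return;
            }
            if (!Intent.ACTION_LOCKED_BOOT_COMPLETED.equals(action)) {
                return;
            }
            long next = loadNextTrigger(context);
            if (next <= 0) {
                return; // nothing scheduled, or already consumed
            }
            Intent fire = new Intent(context, BootReceiver.class).setAction(ACTION_FIRE);
            PendingIntent pi = PendingIntent.getBroadcast(
                    context, 0, fire, PendingIntent.FLAG_IMMUTABLE);
            AlarmManager am = context.getSystemService(AlarmManager.class);
            if (am != null) {
                am.setExactAndAllowWhileIdle(AlarmManager.RTC_WAKEUP, next, pi);
            }
        }
    }
}
```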

Secure Storage
The secure storage function of MIUI is achieved by a TEE-based Secure File System
(SFS), which is used for the secure storage of sensitive information (e.g. keys,
certificates, fingerprint templates). A trusted application (TA) running in the TEE uses a
storage API to encrypt and store data. The encrypted data is only accessible to that TA,
and cannot be accessed by external applications. Secure storage in MIUI adopts the AES-256
encryption algorithm. The secure storage keys are derived from the hardware unique key
(HUK) and stored in the TEE. Data encrypted using these keys cannot be decrypted outside
the TEE.

MIUI further provides Flash-based RPMB (Replay Protected Memory Block) to protect
certain system data from unauthorized deletion and access. RPMB is directly controlled by
the TEE and bound with keys derived from the hardware unique key (HUK). Only the
TEE can access the RPMB-protected data, and the external Android system does not provide
any interface for accessing the RPMB. RPMB defends against replay attacks through built-in
counters, keys and an HMAC verification mechanism to ensure that data cannot be
maliciously overwritten or tampered with.

Secure Erasure

The common "Reset phone" operation does not allow users to thoroughly erase data stored in
physical storage. In order to improve efficiency, it is usually implemented by deleting
the logical addresses, while the physical address space is not actually cleared and the
data can be restored. MIUI provides users with the option "Format mock SD card" when they
want to reset their phones. Once the option is chosen, the system will format the storage
space and completely erase the data, protecting data security for users who want to
resell or dispose of devices.

Key Management
The MIUI key management function allows application developers to manage the
lifecycle of keys and certificates, and provides remote attestation of device certificates
in the TEE. Key management has the following functions:

1) Generation and storage
MIUI's key management provides a key storage mechanism protected by hardware. The
key generated in the application is encrypted and can only be used by the corresponding
device.

2) Encryption and decryption
When applications need to use the key, the previously generated encrypted key and the
data to be encrypted are sent to the TEE of the corresponding device. Data can only
be encrypted and decrypted using keys in the TEE of the corresponding device.

3) Key attestation
In each Mi phone, a device certificate issued by Google is injected during manufacturing,
and any generated key can be attested through Google's certificate. Network services can
authenticate MIUI devices through the key attestation function.

The technical basis of MIUI's key management is the Android Keystore, which prevents
the unauthorized use of key material both outside of and on the device, through key
extraction prevention and key use authorization:

1) Extraction prevention
Key material can be protected from unauthorized use outside of MIUI devices. When an
application performs cryptographic operations using an Android Keystore key, behind the
scenes the plaintext, ciphertext and messages to be signed or verified are fed to a system
process that carries out the cryptographic operations, rather than the application
process. Therefore, even if the application process is compromised, the attacker may not
be able to extract the key material.
At the same time, MIUI also binds key material to the secure hardware (e.g. TEE) of the
Mi phone, so key material is never exposed outside of the secure hardware. Even if the
MIUI OS is compromised or an attacker can read the device's storage, key material bound
to secure hardware cannot be extracted from the device.

2) Key use authorization
In order to mitigate unauthorized use of keys on the MIUI device, the Android Keystore lets
applications specify the authorized uses of their keys when generating or importing
them. Once a key is generated or imported, its authorizations cannot be changed.
Authorizations are then enforced by the Android Keystore whenever the key is used.
Supported key use authorizations in MIUI fall into the following categories:
● Cryptography: authorized key algorithm, operations or purposes (encrypt, decrypt,
sign, and verify), padding scheme, block modes and digests with which the key can be
used.
● Temporal validity interval: the interval of time during which the key is authorized for use.
● User authentication: the key can only be used if the user has authenticated recently.
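As an added example (not Xiaomi's or Android's own code), the three authorization categories above together with key attestation, expressed through the Android Keystore API. The alias, the 30-day validity, the 30-second authentication window and the server-supplied challenge are assumptions.

```java
package com.example.keystoredemo; // hypothetical package for this added example

import android.security.keystore.KeyExpiredException;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.UserNotAuthenticatedException;

import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.spec.ECGenParameterSpec;
import java.util.Calendar;
import java.util.Date;

/**
 * Added example, not MIUI's or Android's own code. A hardware-bound P-256
 * signing key whose authorizations are fixed at generation time: they cannot
 * be changed afterwards, and Keystore enforces them on every use.
 */
public final class BoundSigningKey {
    private static final String ALIAS = "demo_signing_key"; // constructed alias
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final int AUTH_WINDOW_SECONDS = 30;       // assumed policy
    private static final int VALID_DAYS = 30;                 // assumed policy

    private BoundSigningKey() {}

    /**
     * Cryptography: SIGN/VERIFY only, SHA-256 digest only.
     * Temporal validity: signing allowed for VALID_DAYS from now.
     * User authentication: a lock screen / biometric authentication within the
     * last AUTH_WINDOW_SECONDS is required for each operation.
     * The challenge from the relying server is embedded in the attestation
     * certificate so the server can tie the chain to this request.
     */
    public static void generate(byte[] serverChallenge) throws Exception {
        Calendar cal = Calendar.getInstance();
        Date notBefore = cal.getTime();
        cal.add(Calendar.DAY_OF_MONTH, VALID_DAYS);
        Date signingEnd = cal.getTime();

        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setKeyValidityStart(notBefore)
                .setKeyValidityForOriginationEnd(signingEnd)
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(AUTH_WINDOW_SECONDS)
                .setAttestationChallenge(serverChallenge)
                .build();

        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, KEYSTORE);
        kpg.initialize(spec);
        kpg.generateKeyPair(); // private key is created in the TEE and never leaves it
    }

    /**
     * Key attestation: leaf certificate first, chaining up to the factory-injected
     * device certificate. The server verifies the chain and the challenge before
     * trusting signatures from this key.
     */
    public static Certificate[] attestationChain() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        return ks.getCertificateChain(ALIAS);
    }

    /**
     * Signs inside the TEE; this process only ever handles the message and the
     * signature. Returns null when an authorization is not satisfied (no recent
     * user authentication, or the validity period has passed) so the caller can
     * prompt the user or generate a fresh key.
     */
    public static byte[] sign(byte[] message) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(ALIAS, null);
        if (key == null) {
            return null; // never generated on this device
        }
        Signature sig = Signature.getInstance("SHA256withECDSA");
        try {
            sig.initSign(key);
        } catch (UserNotAuthenticatedException | KeyExpiredException e) {
            return null;
        }
        sig.update(message);
        return sig.sign();
    }
}
```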

Encryption Application
Fingerprint Recognition

Fingerprint recognition uses the unique physiological features of fingerprints to
authenticate personal identities and can be applied to scenarios requiring strong
authentication mechanisms such as phone screen unlocking, application unlocking,
electronic payment and privacy content protection.

MIUI processes fingerprint images, extracts fingerprint features, generates fingerprint
templates, and enrolls and authenticates features in the TEE, and fingerprint data cannot
be transferred outside of the TEE. External third-party Android applications can only
initiate fingerprint authentication and receive authentication results through the
external fingerprint framework, and cannot collect fingerprint data.

MIUI's fingerprint data is encrypted using AES-256, which is achieved by invoking the
Keystore. The key for encrypting fingerprints cannot be obtained externally, ensuring that
the user's fingerprint data is not leaked. MIUI does not send or back up fingerprint
template data to any external storage media, including cloud servers.

Figure 3-2 Fingerprint Security Framework

Face Recognition

Face recognition is a biometric identification technology that uses facial features to
identify personal identities. Based on an AI face recognition algorithm, MIUI intelligently
detects facial features for high-precision matching, and the device is unlocked after a
successful match.

The user's facial feature data is personal biometric information, a category of personal
sensitive information. In order to ensure security, MIUI collects facial images, extracts
features and compares features in the TEE, and facial data cannot be transferred outside
of the TEE. External third-party Android applications can only initiate facial
authentication and receive authentication results through the external facial framework,
and cannot collect facial data.

The facial feature data is encrypted and decrypted using the built-in security chip, and
the key for encrypting facial data cannot be obtained externally, ensuring that the facial
feature data is not leaked. MIUI does not send or back up facial features to any external
storage media, including cloud servers.

Electronic Identification

The network electronic identification eID (hereinafter referred to as "eID") is an electronic
ID application jointly developed by Xiaomi and the Third Research Institute of the Ministry
of Public Security of the People's Republic of China. The eID functions the same as the
physical ID card in scenarios approved by the Ministry of Public Security.

Mi phones comply with eID-related standards and specifications, specifically including
the following: the security chip is employed as the carrier; the chip has an independent
processor, a secure storage unit and a cryptographic coprocessor; only the dedicated
security chip operating system can run on it. eID information is encrypted and stored in
the security chip (eSE) and can only be accessed by specific programs. When eID is
activated, the security chip uses an asymmetric key algorithm to generate a public and
private key pair for signing, ensuring that the eID cannot be read, copied, tampered with
or used without authorization, and providing users with a more secure network digital
identity service.

MIUI's mobile wallet client supports whole-lifecycle management of eID, which allows
users to open, download, use and deregister a personal eID on the phone at any time.

*Note: Only some specific models are supported.

Screen Lock Password Protection

MIUI screen lock passwords support patterns, digits and hybrid characters, each of which
has a minimum length requirement to ensure a more secure password.

● Pattern password: at least 4 dots need to be connected.

● Digital password: 4-16 digits.

● Hybrid password: 4-16 characters, any combination of uppercase and lowercase letters,
numbers and symbols.

MIUI screen lock passwords are protected by the hardware unique key (HUK) and
encrypted in the TEE. When a user creates or modifies a lock screen password, or enters
the screen lock password to unlock the screen, the password is processed in the TEE.

MIUI limits the number of incorrect password attempts. After several consecutive
incorrect attempts, the phone is locked to prevent brute forcing of the screen lock
password.
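The lockout described in the previous paragraph, written out as an added example (this is not MIUI's code): a counter of consecutive failures that survives reboots, a lockout whose length doubles with each further run of failures, and a locked device that refuses attempts without evaluating the password at all. The thresholds of 5 attempts, a 30-second first lockout and a 24-hour cap are assumptions for illustration; the paper gives no figures.

```go
package main

import (
	"fmt"
	"time"
)

// LockoutPolicy models the limit described above: after a run of consecutive
// wrong passwords the device refuses further attempts for a while, and the
// wait grows with every further run of failures. The thresholds (5 attempts,
// 30 s base, doubling, 24 h cap) are constructed for this example; the paper
// does not state MIUI's actual values.
type LockoutPolicy struct {
	MaxFailures int           // consecutive failures allowed before a lockout
	BaseLockout time.Duration // length of the first lockout
	MaxLockout  time.Duration // upper bound on any lockout
}

// LockState is the per-device state the policy needs. It must live in
// storage that survives a reboot, otherwise a power cycle resets the counter.
type LockState struct {
	Failures    int       // consecutive failures since the last success
	LockedUntil time.Time // zero value when not locked
	Lockouts    int       // lockouts applied since the last success
}

// Attempt records one unlock attempt at time now. ok reports whether the
// unlock succeeded. When ok is false and wait is non-zero, the device is
// locked for that long; a locked device never evaluates the password at all,
// so nothing is learned from the refused attempt.
func (p LockoutPolicy) Attempt(s *LockState, correct bool, now time.Time) (ok bool, wait time.Duration) {
	if now.Before(s.LockedUntil) {
		return false, s.LockedUntil.Sub(now)
	}
	if correct {
		*s = LockState{} // a successful unlock clears all counters
		return true, 0
	}
	s.Failures++
	if s.Failures%p.MaxFailures != 0 {
		return false, 0
	}
	// Another full run of failures: lock for BaseLockout * 2^Lockouts, capped.
	d := p.BaseLockout << uint(s.Lockouts)
	if d <= 0 || d > p.MaxLockout {
		d = p.MaxLockout
	}
	s.Lockouts++
	s.LockedUntil = now.Add(d)
	return false, d
}

func main() {
	p := LockoutPolicy{MaxFailures: 5, BaseLockout: 30 * time.Second, MaxLockout: 24 * time.Hour}
	s := &LockState{}
	now := time.Now()
	for i := 1; i <= 10; i++ {
		ok, wait := p.Attempt(s, false, now)
		fmt.Printf("attempt %2d: ok=%v wait=%v\n", i, ok, wait)
		if wait > 0 {
			now = now.Add(wait) // skip forward to when the lock expires
		}
	}
}
```

The state must be persisted and the clock must be one the user cannot set back, otherwise the counter can be reset by rebooting or by changing the time; on a real device both belong in the TEE alongside the password check itself.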

Smart Password Manager

With the increase in applications that have their own account systems, it is more difficult
for users to set a different high-strength password for each application on the phone, and
users often forget usernames and passwords. Smart Password Manager* is a secure
account password management tool created by MIUI for users. It stores application login
information (usernames and passwords) centrally and associates that login information
with fingerprints and screen lock passwords. When users log in to applications, the login
information is auto-filled, making it easy to use strong passwords.

Xiaomi Smart Password Manager is also implemented based on Keystore technology,
which provides hardware-level encryption capability. It provides high-strength encryption
of the user's hosted application login information, which can only be used in the TEE.
Therefore, without the user's fingerprint or password, the login information cannot be
obtained by any other party, including Xiaomi.

Currently, Smart Password Manager does not provide cloud synchronization or cloud
backup and can only be used after being authorized by the user on the device, so there is
no need to worry that the managed password bank will be stolen or cracked.

*Note: Only domestic phones support this function.

04
Application Security

Application Security
On the basis of MIUI's underlying hardware security, system security framework and data
security protection mechanism, the application runtime environment is protected through
application-layer security technologies such as application signing, runtime protection
and application security testing.

At the same time, MIUI provides a series of optional security functions that users can
turn on for further data security and privacy protection, such as App lock, secure
keyboard, blocklist settings and private space.

Application Security Protection

Signature

MIUI verifies the integrity and source authenticity of the application package (hereinafter
referred to as "APK"), in order to:

● Ensure that the APK is tamper-proof

The developer generates a public key and a private key, signs the APK with the private
key, and packages the public key into the APK. When the application is installed, the public
key is used to verify that the APK has not been tampered with.

When an installed application is updated, the application signature is verified again. Only
an update with the same signature as the installed application is allowed, so as to prevent
malicious applications from replacing existing applications.

● Ensure that the APK is forgery-proof

The APP ID of the APK and the certificate used to verify the signature are signed with the
official private key. If developer A signs developer B's APK with his own private key and
packages this certificate file into the APK, the official signature verification will fail when
developer A uploads it to the application store.

● Ensure that the permissions of the APK cannot be changed at will

The permission list, APP ID and certificate are all signed with the official private key. When
the application is installed, the permission list is checked for consistency with the system
services actually called; if they do not match, calls to MIUI services fail.
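The two checks under "tamper-proof", as an added example written for this page (it is not MIUI's or Android's code): a developer key signs a digest of the package, the bundled public key verifies it at install time, and an update is refused when its signer differs from the key the installed app was installed with. Ed25519 stands in for the certificate-based APK Signature Scheme because it is in Go's standard library; the application ID and package contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SignedPackage is a constructed stand-in for an APK: the package bytes, the
// developer's public key bundled with them, and the signature over the bytes.
// Real APKs carry X.509 certificates under the APK Signature Scheme; Ed25519
// is used here only because it is in Go's standard library.
type SignedPackage struct {
	Name    string // application ID, e.g. "com.example.app" (constructed)
	Payload []byte // the package contents being installed
	PubKey  ed25519.PublicKey
	Sig     []byte
}

// NewDeveloperKey generates the developer's signing key pair.
func NewDeveloperKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the system CSPRNG failing is not recoverable here
	}
	return priv
}

// SignPackage is the developer-side step: sign a digest of the payload with
// the private key and bundle the matching public key into the package.
func SignPackage(name string, payload []byte, priv ed25519.PrivateKey) SignedPackage {
	digest := sha256.Sum256(payload)
	return SignedPackage{
		Name:    name,
		Payload: payload,
		PubKey:  priv.Public().(ed25519.PublicKey),
		Sig:     ed25519.Sign(priv, digest[:]),
	}
}

// VerifyPackage is the install-time integrity check: the bundled public key
// must verify the signature over the bytes actually being installed, so any
// change made after signing is detected.
func VerifyPackage(p SignedPackage) bool {
	digest := sha256.Sum256(p.Payload)
	return ed25519.Verify(p.PubKey, digest[:], p.Sig)
}

// Installed is the device's record of installed apps: application ID mapped
// to the public key the app was installed with.
type Installed map[string]ed25519.PublicKey

var (
	ErrBadSignature = errors.New("signature does not verify over package contents")
	ErrSignerChange = errors.New("update is signed with a different key than the installed app")
)

// Install enforces both rules from the text: the package must verify, and an
// update must be signed with the same key as the app it replaces, so a
// package from another signer cannot take over an existing app.
func (inst Installed) Install(p SignedPackage) error {
	if !VerifyPackage(p) {
		return ErrBadSignature
	}
	if existing, ok := inst[p.Name]; ok && !bytes.Equal(existing, p.PubKey) {
		return ErrSignerChange
	}
	inst[p.Name] = p.PubKey
	return nil
}

func main() {
	devA, devB := NewDeveloperKey(), NewDeveloperKey()
	inst := Installed{}
	v1 := SignPackage("com.example.app", []byte("v1 code"), devA)
	fmt.Println("install v1:", inst.Install(v1))

	tampered := v1
	tampered.Payload = []byte("v1 code, modified after signing")
	fmt.Println("install tampered v1:", inst.Install(tampered))

	fmt.Println("update signed by B:", inst.Install(SignPackage("com.example.app", []byte("v2 code"), devB)))
	fmt.Println("update signed by A:", inst.Install(SignPackage("com.example.app", []byte("v2 code"), devA)))
}
```

The same-signer rule is what makes the signing key the app's identity: losing it means the app can never be updated, and leaking it lets anyone publish an update, which is why the key belongs in an HSM or a managed signing service rather than on a developer laptop.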


Figure 4-1 New Application Signature Process

Runtime Protection

MIUI supports Android's native Address Space Layout Randomization (ASLR) and Data
Execution Prevention (DEP). ASLR is a security technique used to hinder the exploitation
of buffer overflow vulnerabilities. It randomizes the layout of linear address regions such
as the heap, the stack and shared libraries, making it harder for attackers to predict target
addresses and preventing them from locating attack code, which reduces the success of
overflow attacks. ASLR makes it more difficult for attackers to take advantage of memory
vulnerabilities. DEP marks specific memory areas as non-executable to prevent attacks
that exploit memory vulnerabilities.
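Two checks a practitioner runs against a process's memory map to confirm these protections are in effect, as an added example (not MIUI's code): flag mappings that are both writable and executable, which DEP should rule out, and compare the base addresses of the same images across two launches, which ASLR should relocate. The two /proc/<pid>/maps snapshots below are constructed for the example, not captured from a device.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Mapping is one line of a Linux /proc/<pid>/maps file (readable for your own
// app's process on Android via adb): "start-end perms offset dev inode path".
type Mapping struct {
	Start, End uint64
	Perms      string // e.g. "r-xp"
	Path       string // backing file, a pseudo-path like [heap], or ""
}

// ParseMaps parses maps-file text; lines it cannot parse are skipped.
func ParseMaps(text string) []Mapping {
	var out []Mapping
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 5 {
			continue
		}
		m := Mapping{Perms: f[1]}
		if _, err := fmt.Sscanf(f[0], "%x-%x", &m.Start, &m.End); err != nil {
			continue
		}
		if len(f) >= 6 {
			m.Path = f[5]
		}
		out = append(out, m)
	}
	return out
}

// WritableExecutable returns mappings that are both writable and executable.
// With DEP (W^X) enforced the list is empty: memory that can be written and
// then executed is exactly what non-executable memory is meant to deny.
func WritableExecutable(maps []Mapping) []Mapping {
	var bad []Mapping
	for _, m := range maps {
		if strings.Contains(m.Perms, "w") && strings.Contains(m.Perms, "x") {
			bad = append(bad, m)
		}
	}
	return bad
}

// baseAddresses maps each file-backed image to the lowest address it occupies.
func baseAddresses(maps []Mapping) map[string]uint64 {
	base := map[string]uint64{}
	for _, m := range maps {
		if m.Path == "" || strings.HasPrefix(m.Path, "[") {
			continue
		}
		if b, ok := base[m.Path]; !ok || m.Start < b {
			base[m.Path] = m.Start
		}
	}
	return base
}

// RandomizedImages compares two launches of the same program and reports which
// images ASLR relocated (moved) and which sat at the same address both times
// (fixed). A fixed image usually means a binary not built position-independent.
func RandomizedImages(run1, run2 string) (moved, fixed []string) {
	b1, b2 := baseAddresses(ParseMaps(run1)), baseAddresses(ParseMaps(run2))
	for path, a1 := range b1 {
		if a2, ok := b2[path]; ok && a1 != a2 {
			moved = append(moved, path)
		} else if ok {
			fixed = append(fixed, path)
		}
	}
	sort.Strings(moved)
	sort.Strings(fixed)
	return moved, fixed
}

// Two constructed snapshots of one app in two launches (not real device
// output): libjit.so is rwxp in both, and libold.so does not move.
const run1 = `5581a2c00000-5581a2c05000 r-xp 00000000 08:01 123 /system/bin/app_process64
7f3e1c000000-7f3e1c021000 rw-p 00000000 00:00 0   [heap]
7f3e1d000000-7f3e1d1a3000 r-xp 00000000 08:01 456 /system/lib64/libc.so
7f3e1e000000-7f3e1e010000 rwxp 00000000 08:01 789 /data/data/com.example.app/lib/libjit.so
700000000000-700000020000 r-xp 00000000 08:01 321 /vendor/lib64/libold.so
7ffd21a00000-7ffd21a21000 rw-p 00000000 00:00 0   [stack]`

const run2 = `55c0e1100000-55c0e1105000 r-xp 00000000 08:01 123 /system/bin/app_process64
7f8a04000000-7f8a04021000 rw-p 00000000 00:00 0   [heap]
7f8a05000000-7f8a051a3000 r-xp 00000000 08:01 456 /system/lib64/libc.so
7f8a06000000-7f8a06010000 rwxp 00000000 08:01 789 /data/data/com.example.app/lib/libjit.so
700000000000-700000020000 r-xp 00000000 08:01 321 /vendor/lib64/libold.so
7ffc9e300000-7ffc9e321000 rw-p 00000000 00:00 0   [stack]`

func main() {
	for _, m := range WritableExecutable(ParseMaps(run1)) {
		fmt.Printf("W+X mapping: %x-%x %s %s\n", m.Start, m.End, m.Perms, m.Path)
	}
	moved, fixed := RandomizedImages(run1, run2)
	fmt.Println("relocated by ASLR:", moved, "\nsame address both runs:", fixed)
}
```

On a real device, feed it two captures of the same process taken with adb after two launches; a JIT or an old vendor library that needs writable executable memory is exactly the kind of finding these checks surface.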


In addition, MIUI uses the application sandbox mechanism of native Android to ensure
that each application runs in its own sandbox, isolated from the others, thus ensuring the
security of applications at runtime.

Application Security Detection

Xiaomi GetApps conducts automated testing, security scanning and manual review on each
application to ensure the application comes from a secure source.

On the device, MIUI provides system protection and detection mechanisms such as a virus
scanner with multiple embedded antivirus engines and an application installation monitor.

In addition, "Security" - "Solve problems" provides ROOT security detection and anomaly
detection of mobile phone performance, operation, power consumption, etc. to protect
application security. The following functions are included:

● Performance anomaly detection: detects whether the device has turned on "Accessibility"
and "Device admin apps", and whether the device's remaining memory is insufficient.

● Operation anomaly detection: detects whether the device has turned on "flight mode",
"interception of contact calls", "interception of stranger calls", "DND mode" and "eye
protection mode".

● Power consumption anomaly detection: detects whether there are too many auto-boot
applications (more than 5), and whether the hotspot is turned on.

● Other anomaly detection: detects whether the system is rooted, and prompts the user that
the application cannot be installed when the remaining storage space is less than 5%.

Payment Security Detection

The purpose of payment security scanning is to guarantee security during the user's
payment process. When the user uses a payment application, a background process
detects whether the system environment is safe, and when a risk is detected the user is
notified by a pop-up window or another interactive method to reduce the payment risk.

MIUI has a built-in whitelist of payment applications and pages, and the scanning only
takes effect when the user opens a listed application or page. The list covers common
mainstream applications in the market. Relevant detections include:

● Wi-Fi security scanning: detects whether the Wi-Fi network is at risk.

● Input method security detection: detects whether the user's input method is an
authorized, secure input method in the whitelist.

● Virus detection: detects whether a Trojan or virus is executing as a background process.

● Verification code theft risk detection: detects whether a third-party application has
obtained the permission to read short message notifications, so as to avoid verification
code leakage.

*Note: The feature is only available in mainland China.

System Permission Management

The native Android system provides a dynamic permission management mechanism for
applications, aimed at limiting sensitive operations and protecting user data. The
application requests the permission through a pop-up window before obtaining it, and the
user decides whether or not to grant it.

On this basis, MIUI adds a number of custom permissions such as auto-boot management,
chain start management (mutual wake-up), background pop-up window notification and
lock screen display notification, to restrict behaviors such as applications' long-running
background processes, unjustified mutual wake-up and malicious promotion.

MIUI monitors calls to the camera and microphone from the background*. If such behavior
is found, it shows a prompt in the status bar and lights the notification LED in a warning
color to alert the user.

*Note: Only some models are supported.


Log Privacy Shield

MIUI uses "*" to partially shield private information in Android native logs (such as base
station location, IP address and device identifier) in order to further protect the user's
private information.
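One way to implement such partial shielding on logcat-style text, as an added example (not MIUI's code): a regular expression for each of the three identifier kinds the paper names, each masked with "*" while a non-identifying prefix is kept so the field stays recognisable when debugging. The patterns, the cell-identity format and the three log lines are constructed for the example; a real logger's formats decide the actual patterns.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Patterns for values that should not reach a log in full. The paper names
// base station location, IP address and device identifier as the kinds of
// data MIUI shields; the exact patterns below are constructed for this
// example and would need to match the formats a given logger actually emits.
var (
	ipv4Re = regexp.MustCompile(`\b(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}\b`)
	// 15-digit IMEI: 8-digit TAC (device model), 6-digit serial, check digit.
	// Any other 15-digit run gets masked too, which is the safe direction.
	imeiRe = regexp.MustCompile(`\b(\d{8})\d{7}\b`)
	// Cell identity written as "MCC=460,MNC=01,LAC=4321,CID=987654".
	cellRe = regexp.MustCompile(`\b(MCC=\d{3},MNC=\d{2,3},)LAC=\d+,CID=\d+\b`)
)

// Shield masks the private part of each value with "*", keeping only the
// non-identifying prefix (first octet, device model TAC, country/network
// codes). ${1} rather than $1 because Go reads "$1LAC" as one group name.
func Shield(line string) string {
	line = ipv4Re.ReplaceAllString(line, "${1}.*.*.*")
	line = imeiRe.ReplaceAllString(line, "${1}*******")
	line = cellRe.ReplaceAllString(line, "${1}LAC=*,CID=*")
	return line
}

// ShieldLines applies Shield to every line of a log buffer.
func ShieldLines(log string) string {
	lines := strings.Split(log, "\n")
	for i, l := range lines {
		lines[i] = Shield(l)
	}
	return strings.Join(lines, "\n")
}

// Constructed logcat-style lines, not real device output.
const sampleLog = `01-15 10:22:31.100 I/ConnectivityService: default route via 192.168.1.1 for uid 10145
01-15 10:22:31.104 D/TelephonyRegistry: cell MCC=460,MNC=01,LAC=4321,CID=987654 signal -87dBm
01-15 10:22:31.110 W/DeviceId: reporting imei 490154203237518 to vendor service`

func main() {
	fmt.Println(ShieldLines(sampleLog))
}
```

Masking at the logging call is the last line of defence; it does nothing for identifiers a component has already written in a format the patterns do not know, so the patterns need maintaining alongside the log sources they cover.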

Application Security Features

App Lock

App lock not only protects the security of application data, but also prevents private
information in an application from being seen by others.

MIUI users can enter the "App lock" module through "Apps" and set various styles of
unlocking password (pattern, digits and mixed) for an application. Through this module,
users can choose to lock the application immediately after exiting it or one minute after
exiting it; after the application has been locked, App lock is verified when the application
is opened again. To make unlocking both more convenient and more secure, MIUI adds a
fingerprint biometric unlocking mechanism.

Secure Keyboard*

The user enables the secure keyboard in "Settings" - "Languages & input" - "Secure
keyboard". MIUI then automatically switches to the secure keyboard when a password is
being entered. The secure keyboard has no word association or memory function and no
network permission. It also prevents background screen recording, third-party application
screenshots and third-party floating windows from covering the secure keyboard. In this
way, the secure keyboard ensures the security of the user's password input.

*Note: The feature is only available in mainland China.

Some bank apps use self-developed input methods, on which the MIUI secure keyboard does not take effect.

Website Detection*

In response to the increasingly severe network security situation, Xiaomi provides a
malicious website detection service, which identifies malicious websites based on a
massive website category knowledge base. When a user accesses a malicious website
through Mi Browser, a short message or another route, a pop-up window shows a risk
notification. The service has the following characteristics:

● Various types of detection: identifies malicious website categories including social
engineering fraud, information fraud, false advertising, malicious files, gambling websites,
porn sites, etc.

● High throughput: supports 25 million website detection requests per day.

● Low latency: the average response time of the service is within 100 ms.

● High detection accuracy: the detection accuracy rate on millions of labeled samples is
above 97%.

● Protection of user privacy: no information other than the website is collected.

*Note: The feature is only available in mainland China.

Blocklist Setting

MIUI's blocklist setting provides users with comprehensive blocklist functions, which
effectively intercept unwanted phone calls and spam short messages such as advertising
promotions and real estate agents. Users can quickly add phone numbers from "Call
records" and "Contacts" to the blacklist or whitelist. Users can also add regions to the
blacklist or whitelist to intercept phone calls and let known numbers through. The
real-time updated yellow pages database provides users with accurate yellow pages
information about numbers and prevents users from being bothered by unknown numbers.

MIUI provides a variety of interception rules that users can manually configure as needed.
These configurations can be backed up to the cloud to implement functions such as
cross-device synchronization:

● Black/white list: let whitelisted numbers through and intercept blacklisted numbers.

● Blacklist and whitelist keywords: let short messages containing whitelist keywords
through and intercept messages containing blacklist keywords.

● Blacklist and whitelist area: let phone calls and short messages from whitelisted areas
through and intercept phone calls and short messages from blacklisted areas.

● Unknown number: intercept calls from unknown numbers.

● Call forwarding: intercept forwarded calls.

● Overseas number: intercept calls from overseas numbers.

● Smart interception: filter unwanted calls and spam short messages through the yellow
pages database and interception engine.

*Note: The functions of blacklist areas, call forwarding and overseas number are available in mainland China;
smart interception is available in mainland China and India.

Private Space

MIUI provides users with a series of private space functions such as private short
messages, private photo albums, private folders and private notes.

Users can set this up through "Settings" - "Password & security" - "Privacy protection
password", and then access the exclusive space of private short messages, private albums,
private folders and private notes with the privacy password or fingerprint. In this space,
users can manage their private contacts, album pictures, files and notes. The short
messages exchanged with private contacts, private pictures, private files and private notes
are only displayed in the private space, thus enhancing the protection of the user's private
information.

Users can also choose whether to display private short message notifications on the
regular interface.

If users set up a second space on their device, the above functions change to: private
content is displayed in the second space and regular content in the main space.

05
Internet Service Security

Internet Service Security

For Internet services running on MIUI and other Xiaomi applications, Xiaomi strictly follows
the principles of Security by Design and Privacy by Design, fully protects the security of
user data, and strictly abides by the legal requirements of privacy and compliance. While
providing users with easy-to-use functions, users are also given corresponding privacy
options to protect their rights of privacy.

Mi Account

Mi Account is the identity used to identify Xiaomi users. Through a Mi account, users can
use a series of products and services provided by Xiaomi, including but not limited to
Xiaomi Cloud, Mi Pay, Xiaomi Online Store, the Mi Home app, Mi Community, Mi Music,
etc. Users can also purchase Mibi through their Mi account to use Xiaomi's various virtual
products and value-added services (e.g. games, e-books, etc.).

In order to prevent unauthorized use, Xiaomi has taken the following technical and
management measures to ensure the security of users' accounts.

Account Security Setting

When registering or changing the password, users need to set a strong password of 8-16
characters, including at least two of the following three types: numbers, letters and
special symbols. After a successful login, users can add a recovery phone number or a
recovery email to the Mi account, set a security question*, and turn on cross-device
authentication in the account security settings. These security authentication methods
are used to verify the user's identity when they change account information or reset the
password.

*Note: Only Mi accounts registered in mainland China support this function.

Login Protection

Mi account login is protected by the account smart risk control service, effectively
reducing the risk of unauthorized login and account theft.

When users log in, Mi account checks the login environment and the user's way of
operating in order to ensure login security. After several failed logins, Mi account switches
to an interactive verification method such as a picture verification code, or sliding or
clicking on a picture, for environment security detection. When an abnormal login is
identified and determined to be a login risk, the user is required to carry out extra secure
authentication. If that fails, the services this account is allowed to access are restricted
according to the risk level. When a serious risk is identified, the account is frozen and
forced out of all current logins, and the current password can no longer be used or reused.

Abnormal login behaviors defined by the account smart risk control service include:
● Logging in to a Mi account from an untrusted environment.
● Accessing private data (e.g. using web pages to view albums, short messages, contacts,
etc. stored in Xiaomi Cloud).
● Modifying the settings in "Security" (e.g. changing the bound recovery phone number or
email, etc.).
Verification methods include but are not limited to cross-device verification, short
message verification and email verification.

When the behavior on an account changes (e.g. the password is changed, the Mi account
is logged in on a new device, etc.) and this is determined to be an abnormal risk, Xiaomi
sends an e-mail and messages to notify the user, prompting the user to change the
password immediately.

In addition, Mi account has the following security features to further ensure account login
security:
● Recycled phone numbers are identified in various ways. While guiding the new holder of
a number to register a Mi account, the original holder is prevented from using the same
phone number to log in to the Mi account.
● App whitelisting is applied when third-party applications call Mi account for login, which
means only authorized applications can call Mi account.
● When the system distributes domain names and IP addresses, it uses an interface
developed independently by Xiaomi, to protect Mi account login from DNS hijacking.

Data Security

Xiaomi encrypts the personal information entered during registration, including:

Personal information                               Encryption method
Mobile phone number, e-mail address, account ID    AES-128
Login password                                     Salted hash, AES-128

A string generated by a random number generation function (the salt) is attached to the
login password, a hashed value is generated with a password hash function, and the result
is then encrypted with AES-128. Each user's salt is different, so that even if two users use
the same password, the hashed values generated are also different.

Figure 5-1 Encryption Process of Login Password
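The login password scheme from the table above, carried through as an added example (not Xiaomi's code): a random per-user salt, a password hash, and the hash wrapped under an AES-128 key that in the architecture described would be held by the key-management platform rather than beside the records. PBKDF2-HMAC-SHA256 is this example's choice of hash function, since the paper does not name one; the key-encryption key, iteration count and passwords in the demo are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// PasswordRecord is what the table above describes being stored for a login
// password: a per-user random salt and the salted hash wrapped under AES-128.
type PasswordRecord struct {
	Salt        []byte // random, unique per user
	Nonce       []byte // AES-GCM nonce used to wrap the hash
	WrappedHash []byte // AES-128-GCM ciphertext of the salted hash
}

const saltLen, hashLen, iterations = 16, 32, 100_000 // iteration count is a constructed choice

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, written out so the
// example needs only the standard library. The paper just says "password
// hash function"; a memory-hard function (scrypt, Argon2) would be stronger.
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM wraps the 16-byte key-encryption key; in the architecture described
// that key lives in the key-management platform, not beside the records.
func newGCM(kek []byte) (cipher.AEAD, error) {
	if len(kek) != 16 {
		return nil, errors.New("AES-128 needs a 16-byte key")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewRecord salts and hashes the password, then encrypts the hash. The salt
// goes in as associated data, so a record cannot be re-paired with another salt.
func NewRecord(password string, kek []byte) (PasswordRecord, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return PasswordRecord{}, err
	}
	salt, nonce := make([]byte, saltLen), make([]byte, aead.NonceSize())
	if _, err := rand.Read(salt); err != nil {
		return PasswordRecord{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return PasswordRecord{}, err
	}
	h := pbkdf2SHA256([]byte(password), salt, iterations, hashLen)
	return PasswordRecord{Salt: salt, Nonce: nonce, WrappedHash: aead.Seal(nil, nonce, h, salt)}, nil
}

// Verify unwraps the stored hash and compares it in constant time with the
// hash of the offered password under the record's own salt.
func Verify(password string, rec PasswordRecord, kek []byte) bool {
	aead, err := newGCM(kek)
	if err != nil {
		return false
	}
	stored, err := aead.Open(nil, rec.Nonce, rec.WrappedHash, rec.Salt)
	if err != nil {
		return false // wrong key, or the record was tampered with
	}
	h := pbkdf2SHA256([]byte(password), rec.Salt, iterations, hashLen)
	return subtle.ConstantTimeCompare(stored, h) == 1
}

func main() {
	kek := []byte("0123456789abcdef") // constructed 128-bit key for the demo
	alice, _ := NewRecord("correct horse battery", kek)
	bob, _ := NewRecord("correct horse battery", kek) // same password, different salt
	fmt.Printf("alice %x\nbob   %x\n", alice.WrappedHash, bob.WrappedHash)
	fmt.Println("right:", Verify("correct horse battery", alice, kek), "wrong:", Verify("horse", alice, kek))
}
```

The outer AES layer is what separates the database from the key holder: a copy of the records alone yields nothing to crack offline, which is the point of the Key Center separation of duties described below.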

When the user registers or logs in to the Mi account, the account-related information is
transmitted to the server over an HTTPS encrypted channel. Users' personal information is
encrypted, stored in a specialized database and backed up in multiple copies. The security
protection of the backup data is equivalent to that of the online data. Xiaomi performs
role-based multi-level access control on user data and undergoes corresponding security
audits.

The encryption and decryption keys of user data are managed by the Key Center key
management platform independently developed by Xiaomi. The platform is operated
and maintained by an independent team to separate the management responsibilities of
business, data and keys. Role-based access control ensures that no individual can obtain
all the permissions required to decrypt user data. In addition, the servers and databases
that store user data have also deployed real-time monitoring mechanisms to alert
abnormal access behaviors.


Figure 5-2 Key Center Key Management Logical Architecture

In order to ensure the security of the keys stored in Key Center, keys are encrypted by a
4096-bit Root Key, and the Root Key is generated by a hardware encryption machine
(hardware security module).

Other Methods of Account Login

● QR code scanning login

Mi account provides a QR code scanning login function. Users can scan the QR code on a
web page to log in to their Mi account. The QR code becomes invalid after a certain period
of time, and the user then needs to refresh the QR code web page.

● Third-party authorization login

Mi account supports binding and authorization of third-party accounts, which means users
can log in to their Mi account using third-party accounts. Currently, users in China can log
in with Weibo, WeChat, Alipay and QQ accounts, while users overseas can log in with
Facebook and Google accounts. Mi account adopts OAuth 2.0 (the open authorization
standard), following the standard OAuth 2.0 protocol and flow to authorize third-party
account login. OAuth 2.0's security mechanism ensures that Mi account related
information is not transmitted to third parties.

Xiaomi Cloud

Xiaomi Cloud can store the user's contacts, messages, albums, call records, notes and other
information, and allows this information to be automatically synchronized among the
user's devices. At the same time, users can recover as much data as possible when a device
is damaged or lost. Users can browse and manage their own data anytime and anywhere on
other devices or through the web (https://i.xiaomi.com).

User Data Synchronization

After users turn on the Xiaomi Cloud service, they can choose to synchronize the following
data contents, or set any of them to "Off" at any time. Each cloud service synchronization
module and the data it synchronizes:

● Short message synchronization: user's current phone number; user's local short message
data; the list of short message sessions pinned to the top of the screen, and the list of
private numbers.

● Call records synchronization: user's current phone number; user's local call records.

● Contacts synchronization: user's contact information and profile pictures.

● Note synchronization: user's local notes.

● Browser synchronization: the user's local browser bookmarks, history, labels, etc.

● Wi-Fi settings synchronization: settings of previously connected Wi-Fi networks.

● Recording synchronization: user's local recordings and recording file information.

● Home screen cloud backup: user's home screen layout and wallpaper; user-set alarms and
world clock; user's notification management.

● Calendar synchronization: user's Mi Calendar data.

● Album synchronization: the data in the local album and the data in the folders specified
by the user to be synchronized.

● Xiaomi Cloud storage: user-uploaded data.

● Music synchronization: user ID, playlists, music, etc.

● Security center/Device manager: the black and white lists of contacts set by the user, VIP
list, DND mode, etc.

● AI assistant: user settings in AI assistant.

Smart Photo Classification

When the cloud service is turned on, the device automatically turns on album
synchronization and the smart photo classification function. After the smart photo
classification function is enabled, it automatically classifies and displays the user's photos
within the album according to multiple dimensions such as person, location, landscape,
plant and food. The user can also turn off this function in "Cloud Service" - "Album".
The implementation of the smart photo classification function depends on smart image
algorithms and trained models. Xiaomi does not use the photos synchronized by users to
train the algorithm. After being developed and fully trained in an independent environment,
the algorithm is embedded in the Xiaomi Cloud server. When photos are automatically
synchronized to the user's cloud space, the smart image algorithm model is invoked to
classify the photos. Afterwards, the category labels are distributed to the album on the
device, and the classified photos can be browsed in the album.

Figure 5-3 Implementation Logic of Smart Photo Classification

Data Security

In order to prevent user data from being stolen or tampered with, an HTTPS encrypted
communication channel is used for transmission between the web client, the phone and
the server during data synchronization. In addition, the cloud service website has a
15-minute session timeout and automatic logoff mechanism.

For storage, each file is divided into multiple blocks, and each block is encrypted separately
using the AES algorithm with a key length of at least 128 bits, so that, without the key, the
data cannot be decrypted even with physical access to the disk.


Figure 5-4 Cloud Service Data Security Architecture

In order to prevent the loss of users' cloud storage data due to force majeure, Xiaomi has
chosen several public cloud service providers to provide data storage and backup services.
For public cloud service providers that store user data, Xiaomi has formulated strict
security requirements and evaluation standards, and has strictly selected service providers
that meet them. Xiaomi only stores the encrypted data blocks on third-party public clouds
and does not share the encryption keys.

User Data Deletion

Users have the right to change or delete the data uploaded to their cloud space. When the
user deletes data proactively, the corresponding data in the cloud space is marked as
deleted and temporarily stored in the recycle bin. Within 30 days, the user can still recover
the data from the recycle bin to reduce the loss caused by unintended deletion.

Data emptied from the recycle bin manually, or automatically after 30 days, is permanently
deleted from the server and cannot be recovered. If the user deregisters the Mi account,
the user's data in the cloud space is also completely deleted.


Mi Pay

Mi Pay is a mobile payment service provided by Mi Wallet. Mi Pay can complete a payment
after verifying the user's fingerprint, instead of verifying the bank card and PIN. To ensure
payment security, at the hardware level the Mi phone implements hardware-level
encryption of payment fingerprint information and secure storage of bank card
information to achieve physical isolation of payment information; at the system software
level, MIUI automatically detects whether the payment environment is secure and reliable
when paying. Meanwhile, the transaction only takes place among the user, the merchant
and the card issuer, which means the Mi Pay service does not collect any of the user's
transaction information during the payment process.

Mi Pay Component
● Secure element: the Secure Element (SE) is an industry-standard, certified chip
running the Java Card platform, which complies with digital payment requirements in
the finance industry.

● NFC controller: the NFC controller processes the Near Field Communication (NFC)
protocols, transmitting information between the application processor and the secure
element, and between the secure element and the POS terminal.

● Mi Wallet: Users can add bank cards to Mi Wallet, manage and view the added cards,
and query other information provided by card issuers (e.g. privacy policy of card
issuers, recent transactions, etc.). They can also add and manage transit cards, virtual
access cards, etc. in Mi Wallet.

● TEE: On Mi Phones, TEE is responsible for managing the fingerprint verification process
to ensure the transaction security.

● Mi Pay server: Mi Pay server manages the settings of bank cards, transit cards and
virtual access cards in Mi Wallet, as well as the device card numbers stored in the
secure element. The Mi Pay server can communicate with the device and the card
issuer server.

*Note: The functions of transit card and virtual access card are only available in some models.


Mi Pay Secure Element

The secure element includes dedicated applets for managing Mi Pay, as well as applets
certified by the payment network or card issuers. Encrypted bank card information sent by
the payment network or card issuers is stored in these applets and protected by the
security functions provided by the secure element. During a transaction, the POS terminal
uses a dedicated hardware bus to communicate directly with the secure element through
the NFC controller.

Mi Pay NFC Controller

As the access gateway to the secure element, the NFC controller ensures that all
contactless transactions are made through POS terminals located within close range of
the device, and the NFC controller only treats contactless payment requests from a POS
terminal within its radio frequency field as requests it will respond to.

When the user completes a Mi Pay payment with a fingerprint, the NFC controller sends
the contactless response prepared by the payment applet embedded in the secure
element into the radio frequency field. The payment authorization details of the
transaction are encrypted by the secure element and then sent directly to the payment
network without being disclosed to the application processor.

Bank Card Binding

When users add bank cards to Mi Pay, information such as the card number, expiration
date and CVV code is needed. Users can enter this information manually in Mi Wallet. They
can also use the camera or the NFC Reader/Writer application on the device to enter the
information automatically; the captured bank card identification information is released
from RAM immediately after it has been entered successfully, and is not saved on the
device or uploaded to the server.

After the bank card information is entered, Mi Wallet sends the card number to the Mi Pay
server, which transmits it to the card issuer for verification. After the verification passes,
Mi Wallet returns the bank's user agreement to the user, and only after the user accepts
the agreement can the adding process continue. Other bank card information filled in by
the user subsequently is encrypted by the "UnionPay Editor Control Class for Security
Service" and then sent to the Mi Pay server, which transmits the information to the card
issuer. Meanwhile, Xiaomi also shares the device model, SE number and the approximate
location of the user when adding the bank card (if the user currently has "Location Based
Services" enabled) with the card issuer. The card issuer determines whether to approve
the addition of the bank card to Mi Pay based on the above information.

Payment Authorization

On devices equipped with a TEE, the SE allows a payment only after receiving authorization
from the TEE. On Mi phones, users authorize a payment through fingerprint authentication.

The TEE and the SE are connected through a serial interface, and messages between them are
authenticated with elliptic-curve (ECC) digital signatures. To further strengthen payment
security, MIUI applies activation controls to Mi Pay: fingerprint authentication is required
for Mi Pay card payments by default.

• Both the TA and the SE implement hardware-level encryption.

• Elliptic-curve (ECC) signatures are used to authenticate messages between the TEE and
the SE, so that the SE only accepts authorization information from the native TEE; even
if the SE is physically compromised, a bank card cannot be activated without a valid TEE
signature.

• A bank card can only be retrieved for use after the user has passed fingerprint
authentication.

• Data exchanged between the Mi Wallet client and the Mi Pay server is AES-encrypted
before being sent over HTTPS (double encryption), to prevent interception and tampering.

• Users' fingerprints are stored only in the TEE of the device; they cannot be read by
any application or uploaded to the server.

Figure 5-5 Logical Architecture of Payment Authorization
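The authorization exchange between the TEE and the SE described above, as an added example in Go. This is illustrative code, not Xiaomi's implementation: the message layout, the counter-based replay check, the choice of ECDSA over P-256 with SHA-256, and all type and function names are assumptions of the example. It shows the three outcomes the design implies: a fresh authorization signed by the pinned TEE key activates the card, a replayed message is refused, and a message signed by any other key (an attacker who has physical access to the SE bus but not the TEE key) is refused.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authorization is what the TEE hands to the SE after a fingerprint match (assumed layout).
type Authorization struct {
	CardID  string // payment applet / card selected in Mi Wallet
	Counter uint64 // strictly increasing, so an old message cannot be replayed
	Sig     []byte // ECDSA P-256 signature (ASN.1) over CardID and Counter
}

// authDigest binds the signature to a fixed purpose, the card and the counter.
func authDigest(cardID string, counter uint64) []byte {
	h := sha256.New()
	h.Write([]byte("mipay-payment-auth-v1|")) // domain separation; label is assumed
	h.Write([]byte(cardID))
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	h.Write(c[:])
	return h.Sum(nil)
}

// TEE models the trusted side: it holds the signing key and signs only after
// the fingerprint TA reports a successful match.
type TEE struct {
	key     *ecdsa.PrivateKey
	counter uint64
}

func NewTEE() (*TEE, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TEE{key: k}, nil
}

func (t *TEE) Authorize(fingerprintOK bool, cardID string) (*Authorization, error) {
	if !fingerprintOK {
		return nil, errors.New("fingerprint authentication failed")
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, t.key, authDigest(cardID, t.counter))
	if err != nil {
		return nil, err
	}
	return &Authorization{CardID: cardID, Counter: t.counter, Sig: sig}, nil
}

// SE models the secure element: the TEE public key is pinned at provisioning,
// and a card is activated only for a fresh authorization under that key.
type SE struct {
	teePub      *ecdsa.PublicKey
	lastCounter uint64
	cards       map[string]bool
}

func NewSE(teePub *ecdsa.PublicKey, cards ...string) *SE {
	m := make(map[string]bool, len(cards))
	for _, c := range cards {
		m[c] = true
	}
	return &SE{teePub: teePub, cards: m}
}

// Activate returns nil only when every check passes; cheap checks run first.
func (s *SE) Activate(a *Authorization) error {
	if a == nil {
		return errors.New("no authorization presented")
	}
	if !s.cards[a.CardID] {
		return errors.New("card not provisioned in this SE")
	}
	if a.Counter <= s.lastCounter {
		return errors.New("stale or replayed authorization")
	}
	if !ecdsa.VerifyASN1(s.teePub, authDigest(a.CardID, a.Counter), a.Sig) {
		return errors.New("signature is not from the native TEE")
	}
	s.lastCounter = a.Counter
	return nil
}

func main() {
	tee, _ := NewTEE()
	se := NewSE(&tee.key.PublicKey, "card-1")
	auth, _ := tee.Authorize(true, "card-1")
	fmt.Println("first use:", se.Activate(auth))
	fmt.Println("replay:", se.Activate(auth))
	rogue, _ := NewTEE() // attacker-controlled key, same message format
	rogue.counter = auth.Counter
	bad, _ := rogue.Authorize(true, "card-1")
	fmt.Println("rogue key:", se.Activate(bad))
}
```

The counter stands in for whatever freshness mechanism a real SE applet uses (a challenge nonce from the SE works equally well); the important property is that the SE never activates a card on the strength of a message it has already seen or of a signature it cannot verify against the pinned TEE key.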

Suspension or Removal of Bank Cards

Users can log in to Mi Wallet and remove added bank cards manually. For an added "Mi Pay
bank card", when the "Lost Mode" or "Clear Data" function of "Find Device" is activated,
Mi Pay automatically notifies the card issuer to suspend the card in Mi Wallet. Even if the
device is not connected to the network, the payment network or the card issuer can disable
payments with that card on this device. Users can also suspend or remove a bank card by
phoning the card issuer.

Mi AI
Users can wake a supported smart device by saying the Mi AI wake word to start a
conversation, check the weather, make phone calls, control smart home devices, and so on.
Developers can build voice interaction into hardware devices (phones, televisions,
speakers, etc.) on top of the Mi Speech Engine.

Basic Architecture

Mi Speech Engine is mainly composed of the following modules:

1) Automatic Speech Recognition (ASR) module: translates spoken language into text;

2) Natural Language Processing (NLP) module: processes and understands the text, converting
it into a structured query expression based on the context and dialogue;

3) Intelligence Search Engine & Execution (ISEE) module: controls smart home devices through
commands derived from the text, or searches for high-quality content and services (e.g.
music playback, weather queries) and returns the results that best meet the user's needs
and the current context;

4) Text To Speech (TTS) module: converts the returned results into speech output, and is
integrated with the modules above to achieve smooth and natural human-computer interaction.

Mi AI integrates third-party content, services and AI technology on top of the Mi Speech
Engine, and provides external services through a unified API and SDK. The system
architecture is shown in figure 5-6:


Figure 5-6 Architecture of Mi AI

Speech Wake-up and Recognition

When the user says "xiao ai tong xue", the device starts recording the user's voice, and
the recording (including the subsequent spoken command) is sent to the server. Audio
reaching the microphone before Mi AI wakes up is neither recorded nor uploaded.

When the user is using Mi AI, data that can identify the user (e.g. the Mi Account, a hash
of the IMEI, etc.) is uploaded over an encrypted transport layer. This data cannot be
directly linked to the user's recordings on the server, because the Mi Account is mapped to
a pseudonymous random ID. The ID mapping table is encrypted and stored in a database
isolated from other user data, and the keys are stored in the Key Center. No Xiaomi
employee can be granted access to both the ID mapping table and the keys.

Recording segments uploaded to the server are used to train the speech models of the
recognition module, to improve the accuracy of speech wake-up and recognition. These
recordings are associated only with the randomized, encrypted ID described above and
cannot be used to identify the user.


Mi AI users can enrol their own voiceprint*, after which only a voice that matches the
enrolled voiceprint can wake the device. The voiceprint features are likewise associated
only with the randomized, encrypted ID described above and cannot be used to identify the
user.

Users who have upgraded Mi AI to v4.8 can make the following settings through the Privacy
Switch* in MIUI or in the voice device app:

● Whether to upload wake-up audio and voiceprint data and use them to optimize speech
wake-up.

● Whether to use speech data to optimize speech recognition.

*Note 1: Only some specific models and speakers are supported.

*Note 2: The setting path and content of the Privacy Switch differ on some devices.

Place Phone Calls

When the user asks Mi AI to call someone in their contacts, Mi AI screens out the one or
more contacts that most closely match the spoken name. The screened data is encrypted with
AES-128 and uploaded over the encrypted transport layer to be processed by NLP. The NLP
result is then returned to the device, where it is matched to a phone number so that Mi AI
can place the call. Phone numbers in the contacts list are never uploaded, and contact
names are not stored on the server.

In addition, to improve recognition accuracy, users can choose through the privacy switch
in MIUI or the voice device app whether contact-name data is used to train ASR. Name data
is not uploaded to the server.

Voice Broadcast

When the user turns on the voice broadcast function, Mi AI can read out text messages,
missed calls, WeChat messages, etc. TTS for this feature runs only on the device, so
message content and user data are not uploaded to the server.

Smart Home Device Control

Smart home devices that are logged in with the same Mi Account can be controlled by Mi AI
if they support it.

For device control, when the user gives Mi AI a voice command*, Mi AI connects to the
Mijia server and obtains the information of the devices under that Mi Account (e.g. device
name, room, status). This information, stored on the Mi AI server, is used only for device
control and not for analysing the user's living habits or interests.

*Note: To control a Mi TV, the user first needs to pair Mi AI with the nearby Mi TV through a Wi-Fi
scan or Bluetooth, which obtains the TV's MAC address.

Data Minimization
Mi AI strictly follows the principle of data minimization when collecting and sharing user
data: it collects or shares only the smallest set of data fields needed to provide the
function. For example:

● Mi AI supports authorized third-party login based on the OAuth 2.0 protocol. Users can
check takeaway and express-delivery information (e.g. from MeiTuan-DianPing and CaiNiao).
Mi AI only invokes the third-party APIs to query the information and return the result;
order and delivery information from third parties is not obtained, stored or used.

● Xiaomi may cooperate with external service providers and use their ASR and TTS
capabilities as a backup resource in specific scenarios (e.g. multilingual translation).
When invoking these APIs, Mi AI provides partners with nothing but the audio to be
recognized or the text to be synthesized; no other personal data of the user is shared.

Data Security

All data transmitted among user devices, servers and third parties is encrypted at the
transport layer over HTTPS or encrypted WebSocket. Users' Mi Accounts, device identifiers
and the random IDs mentioned above are encrypted with AES-128 and stored in the database;
the encryption and decryption keys are held in the Key Center. Xiaomi applies role-based,
multi-level access control to user data and is subject to corresponding security audits.

Image Intelligence
Image Intelligence provides MIUI users with Smart Album, image recognition, Smart Camera
and other services based on computer-vision technology:

● Smart Album helps users edit, manage and use pictures conveniently. Its functions
include one-click beautification of food, landscape and portrait photos; intelligent
editing such as background replacement, smart cropping and object removal ("magic
elimination"); generating classified albums so that users can manage storage space; and
image recognition and search so that users can locate and use pictures in their albums
quickly.

● Smart Camera is preset with a variety of optimized photography algorithms: scene
optimization, which recognizes the scene and applies matching preferences and fine-grained
image-quality adjustments; portrait optimization, which selects a beautification parameter
scheme based on the recognized age and gender so that the effect is personalized to each
face; and special effects for short videos, which help users quickly produce micro-movie
style clips.

Training and Use of the AI Algorithms

The image AI algorithms are trained in the research and development environment. The
resulting model is then embedded in MIUI's photo album and camera applications, and the
model is iterated through upgrades of those applications. Users' personal information is
not used for the development, testing or optimization of the algorithms.

Figure 5-7 Logic Architecture of AI Algorithm


Data Security

When users use Image Intelligence services, Xiaomi collects only the user data necessary to
provide the service, and functions are implemented on the device wherever possible. When
the user chooses to use the smart photo classification function of Xiaomi Cloud, user data
is uploaded to the server in encrypted form; see Section 5.2.2 for details.

Location-based Services
Xiaomi's Location-based Services provide device positioning capabilities to Xiaomi and
third-party applications and websites on MIUI, including GPS, network positioning and
hybrid positioning. The information collected by each positioning method is as follows:

● GPS: satellite-based positioning. The collected information includes device identifiers
and longitude and latitude.

● Network positioning: the collected information includes Wi-Fi hotspot and base station
information.

Wi-Fi hotspot information includes the name (SSID), MAC address (BSSID), Received Signal
Strength Indication (RSSI) and channel (FREQUENCY) of the connected and scanned access
points.

Base station information includes the Mobile Country Code (MCC), Mobile Network Code
(MNC), Location Area Code (LAC), Cell Identity (CID) and Received Signal Strength
Indication (RSSI) of the connected and scanned base stations.

● Hybrid positioning: based on GPS, combining the GPS data with network positioning and
sensor data.

When the user has turned on location services and an application requests location data,
Location-based Services upload the Wi-Fi hotspot and base station information near the
device to the server in anonymized, encrypted form. This data is used to expand the
crowd-sourced database of Wi-Fi hotspot and base station locations and cannot be used to
identify the user.

Data collected by Location-based Services is submitted through an authenticated API: it is
encrypted with AES-128 (the AES session key is exchanged with the server under a pre-shared
key), Base64-encoded, and then transmitted over HTTPS. Base64 is an encoding, not
encryption; it only makes the ciphertext safe to carry as text, and the confidentiality
comes from the AES and HTTPS layers.
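An added example, in Go, of the client-to-server protection just described for a location report. This is illustrative code, not Xiaomi's implementation: the record layout, the use of AES-GCM (the document says only "AES-128"), the session-key wrapping under the pre-shared key, the envelope format and all names are assumptions of the example, and the sample scan data is constructed. The same shape (a per-message symmetric key wrapped under a longer-lived key) would serve the MiPush "double encryption" described later. The server-side function rejects a wrong pre-shared key or a tampered payload because GCM authenticates what it decrypts.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"io"
)

// Field set follows the document's list of collected data; names are assumed.
type WifiAP struct{ SSID, BSSID string; RSSI, Frequency int }
type Cell struct{ MCC, MNC, LAC, CID, RSSI int }
type LocationReport struct{ Wifi []WifiAP; Cells []Cell }

// Envelope is the HTTPS body. Base64 only makes bytes text-safe; secrecy comes from AES-GCM.
type Envelope struct {
	WrappedKey string // session key encrypted under the PSK
	Payload    string // report encrypted under the session key
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prefixes the random nonce to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// open fails on a wrong key or on any modified byte, since GCM authenticates.
func open(key, sealed []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// EncryptReport (client): a fresh 16-byte session key per upload, wrapped
// under the pre-shared key so that only the server can recover it.
func EncryptReport(psk []byte, r LocationReport) (*Envelope, error) {
	body, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	session := make([]byte, 16)
	if _, err = io.ReadFull(rand.Reader, session); err != nil {
		return nil, err
	}
	ct, err := seal(session, body)
	if err != nil {
		return nil, err
	}
	wk, err := seal(psk, session)
	if err != nil {
		return nil, err
	}
	enc := base64.StdEncoding.EncodeToString
	return &Envelope{WrappedKey: enc(wk), Payload: enc(ct)}, nil
}

// DecryptReport (server): unwrap the session key with the PSK, then the report.
func DecryptReport(psk []byte, e *Envelope) (r LocationReport, err error) {
	wk, err1 := base64.StdEncoding.DecodeString(e.WrappedKey)
	ct, err2 := base64.StdEncoding.DecodeString(e.Payload)
	if err1 != nil || err2 != nil {
		return r, errors.New("envelope is not valid Base64")
	}
	session, err := open(psk, wk)
	if err != nil {
		return r, err
	}
	body, err := open(session, ct)
	if err != nil {
		return r, err
	}
	return r, json.Unmarshal(body, &r)
}

// SampleReport is constructed data for the example, not a real scan.
func SampleReport() LocationReport {
	return LocationReport{
		Wifi:  []WifiAP{{"cafe-guest", "02:00:00:aa:bb:cc", -61, 2437}},
		Cells: []Cell{{460, 0, 4321, 123456, -85}},
	}
}
```

In a deployment the pre-shared key would itself be protected on the device (for instance in the TEE-backed keystore described earlier in this paper) and rotated; a pre-shared key that is the same across an application build offers no more than obfuscation once extracted from one device, which is why the HTTPS layer underneath it still matters.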

Users can determine whether to turn on the location-based services through the "Location-
based Services" switch and the setting path in MIUI is "System Security"-"Privacy Settings"-
"Location Information".


MiPush
MiPush provides developers with the service of pushing messages to client applications in
real time by establishing a stable and reliable long connection between the cloud server
and the client.

Figure 5-8 MiPush Service Architecture

MiPush supports notification bar messages and pass-through messages, and also provides
two message distribution channels, API and operation platform respectively. MiPush
SDK supports Android, iOS client and server mainstream languages, which can help the
developers to better meet the complex business needs based on their own business logic.

Developer Privacy Compliance Requirements

Mi protects end users' personal information by binding developers through the developer
agreement:

● To use the MiPush Service, developers must agree that MiPush collects, stores, uses,
discloses and protects personal information in accordance with the Xiaomi Privacy Policy.

● Developers must write and publish a privacy policy and obtain the consent of end users;
the standards of that policy must be no lower than the privacy protection standards of
MiPush.

● Mi strongly recommends that developers include the critical clauses of the Xiaomi
Privacy Policy in their end-user-facing product privacy policy, so that end users consent
to the MiPush Service collecting and using their data. Developers must not use the MiPush
Service without end-user consent.

● Mi requires developers to comply with all laws, regulations, policies and industry
standards applicable to the MiPush Service regarding the protection of end users'
personal information.

Device Identification Method

MiPush does not use a device identifier such as the IMEI directly to identify the device;
it processes the user's personal information through technical measures such as
de-identification. MiPush hashes three device identification parameters (the device
identifier, the serial number and the Android ID) on the device and uploads the resulting
string to the server. On the server side the string is mapped to a random ID, which is
returned to the client, and MiPush uses this random ID as the unique identifier of the
device.
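An added Go example (not MiPush's or Mi AI's code) of the pseudonymization pattern used both in the Mi AI ID-mapping table described earlier and in the MiPush device identification just described: the client computes a hash over fixed identifiers, the server maps that hash to a random ID, and a deletion call removes the mapping row. The hash input format, the ID size and the function names are assumptions, and the identifiers are constructed. The last function shows the limit of hashing on its own: a hash of identifiers is a stable pseudonym, and when the other inputs are known and the identifier comes from a small space it can be reversed by enumeration (the candidate list here is tiny and constructed), which is why the server-held random ID, not the hash, is the value that should circulate.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// DeviceHash is what the client uploads: one SHA-256 over the three
// identifiers. Field order and separator are assumptions of this example.
func DeviceHash(deviceID, serial, androidID string) string {
	sum := sha256.Sum256([]byte(deviceID + "|" + serial + "|" + androidID))
	return hex.EncodeToString(sum[:])
}

// Registry is the server side: hash -> random ID and back. Only this table
// links the two, which is why such tables are kept encrypted and isolated.
type Registry struct {
	byHash map[string]string
	byID   map[string]string
}

func NewRegistry() *Registry {
	return &Registry{byHash: map[string]string{}, byID: map[string]string{}}
}

// Register returns the existing random ID for a known hash, or mints a fresh
// 128-bit one. The ID carries no information about the hash it stands for.
func (r *Registry) Register(hash string) (string, error) {
	if id, ok := r.byHash[hash]; ok {
		return id, nil
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b)
	r.byHash[hash] = id
	r.byID[id] = hash
	return id, nil
}

// Forget models the deletion API: dropping the mapping row is what severs the
// random ID from the device; a later registration gets an unrelated new ID.
func (r *Registry) Forget(id string) error {
	h, ok := r.byID[id]
	if !ok {
		return errors.New("unknown random ID")
	}
	delete(r.byID, id)
	delete(r.byHash, h)
	return nil
}

// InvertByEnumeration shows the limit of hashing alone: with the other two
// inputs known and the device identifier drawn from a small space, the hash is
// reversed by trying every candidate. The candidate list here is constructed.
func InvertByEnumeration(target string, candidates []string, serial, androidID string) (string, bool) {
	for _, c := range candidates {
		if DeviceHash(c, serial, androidID) == target {
			return c, true
		}
	}
	return "", false
}

func main() {
	reg := NewRegistry()
	h := DeviceHash("000000000000001", "SN-EXAMPLE-1", "a1b2c3d4e5f60718")
	id1, _ := reg.Register(h)
	id2, _ := reg.Register(h) // same device again: same ID
	fmt.Println(id1 == id2, len(id1))
	cands := []string{"000000000000000", "000000000000001", "000000000000002"}
	fmt.Println(InvertByEnumeration(h, cands, "SN-EXAMPLE-1", "a1b2c3d4e5f60718"))
	fmt.Println(reg.Forget(id1), reg.Forget(id1)) // second call fails
}
```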

Data Minimization

MiPush is only a message channel: it does not extract or use message content, user
behaviour or preferences. The raw data, intermediate data and statistical results produced
by MiPush are not provided to Mi's partners, nor are partners allowed to access this data
in any form. MiPush provides developers only with background statistics along the time and
message-status dimensions, which contain no personal information of users.

Data Transmission Security

When a mobile app first sends a registration request to the MiPush server, device
information (with the device identification field irreversibly hashed) is sent to the
server, which returns the random ID and the message content key. HTTPS protects this
exchange in transit.

The MiPush Service requires developers to send message content to the server over HTTPS.
Communication between the modules of the server is encrypted with AES-128. The message is
encrypted with a symmetric algorithm, and the ciphertext is then pushed to the device
through an AES-128 encrypted channel established between the server and the device, so that
the content is doubly encrypted.

Data Deletion
Once a message has been delivered successfully, its content is deleted from the server. If
a message cannot be delivered because of abnormal circumstances, the server keeps its
content for 14 days. The MiPush Service provides developers with a user data deletion API
that can be invoked to delete an app's MiPush registration information. If a device is not
connected to the network for 90 days, the message content related to that device is also
deleted from the server. If a developer stops using the MiPush service or asks for push to
be stopped, Xiaomi deletes all relevant app information according to the developer's
instructions.

6 Security Certification and Privacy Policy

Upholding the principle of respecting and protecting users' privacy, and of letting
everyone in the world enjoy a better life through innovative technology, Xiaomi is
committed to providing users with trustworthy products.

To put its information security and privacy protection policies into practice
comprehensively, Xiaomi formally established the Information Security and Privacy
Committee in 2014 and set up a comprehensive security management system built on
technical protection measures, policies and processes, and assessment and audit
mechanisms. To comply with the laws and regulations of all the countries it serves,
Xiaomi has also appointed experienced local lawyers as data protection officers for its
European Union business.

To provide users with services that comply with laws, regulations and industry standards,
Xiaomi runs global compliance projects and is audited regularly by external regulatory
authorities. Xiaomi's internet services meet the requirements of the cyber security
Multi-Level Protection Scheme (MLPS) and have passed Level 3. The infrastructure,
development, operations, maintenance and internet services supporting MIUI's products and
services conform to internationally recognized certification schemes and have passed the
ISO 27001, ISO 27018 and ISO 29151 certifications of the British Standards Institution
(BSI). The MIUI operating system, its built-in applications and its cloud services have
been assessed and certified by TrustArc, a leading data privacy compliance company.
Xiaomi's privacy policies and practices conform to the TRUSTe enterprise privacy standards
and have been awarded the TRUSTe Privacy Certification Seal.


Xiaomi respects and protects the personal privacy of all users. The privacy policy
describes in detail how Xiaomi collects, uses, discloses, processes and protects the
information you provide to us, or that we collect, while you use Xiaomi products or
services. Privacy policies in different languages: https://privacy.mi.com/all.

*Note: Some products have separate privacy policy links, which can be viewed on the corresponding product
page.

Xiaomi has a dedicated security and privacy team that provides technical support for the
security and privacy of Xiaomi products and reviews and tests the security and privacy of
products under development and already released. Xiaomi also collects security issues and
security intelligence from researchers around the world through channels such as its own
Xiaomi Security Center (SRC), HackerOne and e-mail, and rewards them according to the
priority of the issue or intelligence.

Xiaomi has also launched the "Xiaomi Smart Life Security Guard Program", which invites
security researchers to test the security of Mi products for substantial bounties.
Confirmed security issues are given high priority and fixed as soon as possible.

Contact Xiaomi Security Center: https://sec.xiaomi.com/ , https://hackerone.com/xiaomi , [email protected].

7 Peroration

Xiaomi is committed to providing fully featured, secure and usable digital software and
hardware products to individuals, families and industry users around the world. MIUI, as
the core component of Mi phones, carries the responsibility of building a foundation of
trust and providing security assurance, and it will continue to give priority to enhancing
security. This paper is a comprehensive presentation of MIUI's security design and
implementation.

Xiaomi works to root awareness of security and privacy protection in every business
department, every employee and every partner. As described above, Xiaomi has established a
comprehensive security and privacy management system that integrates security and privacy
requirements into product design, development, testing, operation and other processes,
conducts strict security and privacy audits of partners, and actively monitors and
resolves new security issues and threats, so that user data is protected throughout its
entire life cycle. In response to the evolving security landscape, Xiaomi will
continuously improve its security technology capabilities, refine the security and privacy
protection functions of its products and services, and optimize its security and privacy
management system. All of these practices will be presented through authoritative
certifications, white papers, privacy policies and other means, so that users can have
confidence in Xiaomi's products and services and can choose and use them with assurance.

In the era of big data and artificial intelligence there are tensions between enterprise
growth and user privacy. Xiaomi firmly believes, however, that only by respecting and
protecting users' information security and privacy can it earn users' long-term trust in
its products. Xiaomi therefore insists on prioritizing information security and privacy
protection and on continuously increasing its investment in them. Xiaomi would also like
to share its standardized methods, best practices and technical capabilities in
information security and privacy protection with partners, to advance the development of
user privacy protection across the industry.

8 Abbreviated Definition Table


Abbreviation (full name): definition

3DES (Triple Data Encryption Algorithm): A symmetric-key block cipher which applies the DES cipher three times to each data block.

AES (Advanced Encryption Standard): A widely used symmetric encryption algorithm; a variant of Rijndael with a fixed block size of 128 bits and a key size of 128, 192 or 256 bits.

AI (Artificial Intelligence): A wide-ranging branch of computer science concerned with building smart machines capable of performing tasks that typically require human intelligence.

API (Application Programming Interface): A set of functions and procedures that allow applications to access the data and features of other applications, services or the operating system without access to their source code.

ASR (Automatic Speech Recognition): The process and related technology for converting a speech signal into its corresponding sequence of words or other linguistic units, by means of algorithms implemented on a device, a computer or a computer cluster.

AVB (Android Verified Boot): A process of assuring the end user of the integrity of the software running on a device. It typically starts with a read-only portion of the device firmware which loads code and executes it only after cryptographically verifying that the code is authentic and does not have any known security flaws.

BL (Boot Loader): A vendor-proprietary image responsible for bringing up the kernel on a device.

CVV (Card Verification Value): A security feature for "card not present" payment card transactions, instituted to reduce the incidence of credit card fraud.

ECC (Elliptic Curve Cryptography): An approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys than non-EC cryptography (based on plain Galois fields) to provide equivalent security.

ECDSA (Elliptic Curve Digital Signature Algorithm): A variant of the Digital Signature Algorithm (DSA) that uses keys derived from elliptic curve cryptography (ECC).

FBE (File-based Encryption): A form of disk encryption in which individual files or directories are encrypted by the file system itself, each under its own key.

Flash (Flash Memory): An electronic non-volatile storage medium that can be electrically erased and reprogrammed.

FUSE (Filesystem in Userspace): A software interface for Unix and Unix-like operating systems that lets non-privileged users create their own file systems without editing kernel code.

HMAC (Hash-based Message Authentication Code): A specific type of message authentication code (MAC) built from a cryptographic hash function and a secret key.

HTTPS (Hypertext Transfer Protocol Secure): HTTP carried over a secure channel (TLS, formerly SSL), providing confidentiality and integrity for information exchanged between client and server.

HUK (Hardware Unique Key): A secret key fixed in the device hardware when it leaves the factory; it is unique to each device and is used to identify the device and to verify its uniqueness.

KASLR (Kernel Address Space Layout Randomization): A technique that randomizes the memory addresses and offsets of the kernel image at boot so that they are unpredictable to an attacker, which greatly reduces the success rate of exploits that depend on known kernel addresses.

MDM (Mobile Device Management): Life-cycle management of mobile devices, covering registration, activation, use and retirement.

NFC (Near-field Communication): A set of communication protocols that enable two electronic devices, one of which is usually a portable device such as a smartphone, to establish communication by bringing them within about 4 cm of each other.

NLP (Natural Language Processing): Processing and understanding natural-language text and converting it into a structured, machine-readable form.

OAuth (Open Authorization): An open standard for access delegation, commonly used to let Internet users grant websites or applications access to their information on other websites without giving them their passwords.

OEM (Original Equipment Manufacturer): A company that manufactures products or components that are marketed by another company under its own brand; in the mobile context, the device maker that builds the handset and ships its firmware.

OS (Operating System): System software that manages computer hardware and software resources and provides common services for computer programs.

OTA (Over the Air): Remote management of a mobile terminal device and its SIM card data over the air interface of the mobile network; here, in particular, the delivery of system software updates over the network.

PSK (Pre-shared Key): A shared secret exchanged between two parties over a secure channel in advance of its use.

ROM (Read-only Memory): A solid-state semiconductor memory whose contents are written in advance and can only be read.

Rootkit: A collection of software, typically malicious, designed to give access to a computer or an area of its software that is not otherwise allowed, and which often masks its own existence or that of other software.

RPMB (Replay Protected Memory Block): An authenticated partition of an eMMC or UFS flash chip that can only be written with a per-device key and is protected against replay of older contents; used for tamper-evident secure storage such as rollback counters.

RSA (Rivest-Shamir-Adleman): A public-key cryptosystem that uses pairs of keys: public keys, which may be disseminated widely, and private keys, which are known only to the owner.

SE (Secure Element): A tamper-resistant microprocessor chip that can store sensitive data and run secure applets such as payment. Its internal components include a CPU, RAM, ROM, an encryption engine and sensors.

SELinux (Security-Enhanced Linux): A Linux kernel security module that provides a mechanism for supporting access control security policies.

SHA (Secure Hash Algorithms): A family of cryptographic hash functions. It includes SHA-1 and the SHA-2 functions SHA-224, SHA-256, SHA-384 and SHA-512, as well as the newer SHA-3.

SoC (System on Chip): An integrated circuit that integrates all components of a computer or other electronic system.

TA (Trusted Application): An application program that runs inside a TEE.

TEE (Trusted Execution Environment): A secure area of the main processor of a mobile device that exists in parallel with the mobile OS and provides an isolated execution environment, ensuring isolated execution, the integrity of trusted applications, the confidentiality of trusted data, secure storage, etc.

TTS (Text-to-Speech): A component of human-machine dialogue that synthesizes text into natural speech output.

UI (User Interface): In the field of human-computer interaction, the space where interactions between humans and machines occur.

WebSocket: A computer communications protocol providing full-duplex communication channels over a single TCP connection.

Life gets easier

miui.com