Xiaomi’s secret blacklist of phrases sounds scary, but it may not be what it seems

Xiaomi’s secret blacklist of phrases sounds scary, but it may not be what it seems

Chinese smartphone makers are often under heavy scrutiny due to geopolitical reasons, and the company that has taken the brunt of criticism is Huawei. However, other companies like Xiaomi haven’t been left untouched, as the world’s number one smartphone vendor recently had to fight off the U.S. Government’s attempt to label it a “Communist Chinese military company“. Now the company is back in the headlines again, as the Lithuanian National Cyber Security Centre urged citizens not to use the company’s products. The reason, the Lithuanian NCSC says, is that Xiaomi smartphones have “censorship capabilities”.

Per the NCSC‘s report, it’s alleged that Xiaomi smartphones download a file called “MiAdBlacklistConfig”, which contains a number of “titles, names, and other information of various religious and political groups and social movements”. It says that there are 449 records in the MiAdBlacklistConfig file. Furthermore, the report says that “when it is determined that such content contains keywords from the list, the device blocks this content. It is thought that this functionality can pose potential threats to the free availability of information.” The NCSC says that the file was found on a Xiaomi Mi 10T running MIUI Global 12.0.10.

“Our recommendation is to not buy new Chinese phones, and to get rid of those already purchased as fast as reasonably possible”, said Defense Deputy Minister Margiris Abukevicius, according to Reuters.

Dissecting the MiAdBlacklistConfig

I have a Xiaomi Mi 11 Ultra running on the latest Xiaomi.eu ROM. While Xiaomi.eu is a debloated version of MIUI, it’s still based on the Chinese version of MIUI, which I thought would be a prime candidate to detect whether the MiAdBlacklistConfig file exists on my smartphone. On investigation, I found it in the Mi Video application (though not the Mi Browser) and retrieved the file via root access. The file does contain the names of religious and political groups; however, it also contains a lot more than that. The report also notes that there are 449 records identified in the MiAdBlacklistConfig file — in my file, there are 2210 records, most of which are not related to any kind of political or religious groups.

On analysis of the file, I found that the vast majority of the records are actually related to sex, porn, and other smartphone brands. There are mentions of Tibet, Hong Kong, and other religious groups, however, mentions of the CCP and “China” are also included, too (albeit there are a lot fewer mentions of China and Chinese politicians comparatively). One would think that if this were a list that exists to censor content that may go against the Chinese Communist Party, all mentions of “China” would not be censored online. Here are a few words and phrases that I have cherry-picked from the file:

  • zte
  • Infinix
  • China
  • xxx
  • samsung
  • oneplus
  • download videos
  • download bollywood song
  • Taiwan Solidarity Union
  • sony ericsson
  • mi
  • xiaomi mi5
  • mi mobile phone

Those are a select few phrases from the list, but it is by no means extensive. There are also numerous porn and sex-related terms, and most smartphone brands are represented. Interestingly, if this is a censorship list, note the last three entries that I have shown above: Why would Xiaomi be censoring mentions of itself online?

Advertisements, and how Xiaomi deals with them

As the NCSC notes, this code is not active in phones the company sells in the European Union. Take a look at the code snippet below, retrieved from the NCSC report.

Xiaomi codefragment that shows content filtering for advertisements

The researchers say the following about this particular functionality.

“It is believed that this functionality allows a Xiaomi device to perform an analysis of the target multimedia content entering the phone; to search for keywords based on the MiAdBlacklist list received from the server. Once the device determines that the content contains certain keywords, the device performs filtering of this content and the user cannot see it. […] It is important to emphasise that this functionality is activated remotely by the manufacturer. “

Given that I found the MiAdBlacklistConfig file in the Mi Video app, I extracted the APK from my device and disassembled it myself. I discovered that the researchers had possibly made a pretty big error; the code above filters an object called “INativeAd”. On disassembly of the Mi Video application, I found that INativeAd is a method in the Xiaomi Global Ad Software Development Kit (SDK). While I could not find the method itself, I found numerous references to it and the functionalities that it can perform.

Xiaomi iNativeAD

As can be seen above, “INativeAd” is specifically for displaying advertisements, and I can’t find the blacklist file referenced anywhere else. Some of the methods that INativeAd has are the following:

  • AdOnClickListener
  • OnBannerClosedListener
  • ImpressionListener
  • OnAdCompletedListener
  • OnAdRewardedListener
  • OnAdDismissedListener

I think it’s pretty clear that the filter is specifically used for filtering advertisements, and I also think that it’s pretty obvious why it’s needed. Take a look at both of the advertisements below. They were displayed on a Xiaomi Redmi Note 7 Pro in April of 2019.

Xiaomi has had major, major problems with the contents of advertisements in the past. In fact, the company pledged in 2019 to remove “vulgar” advertisements and prevent them from being shown to users. There are still occasional reports of vulgar and inappropriate advertisements getting through on Xiaomi devices, but it’s nowhere near as big of a problem as it once was. In fact, I think some of the entries in the list make complete sense when viewed in that context. Take a look at some others that I cherry-picked from the list:

  • 5 things every girls thinks in her first night of marriage
  • Checking of pregnancy by a home method
  • shooting- see photos

All three of those are incredibly specific — so much so, that I think that this filter was sometimes targeted at very specific advertisements. However, it also works pretty well as a catch-all — the word “hottest” is in the filter, which means that the above advertisement that says “the hottest Video for the season!” would, in theory, no longer be displayed.

What’s happening?

From my own analysis, the Mi Browser in the EU ROM on my Xiaomi Mi 11 Ultra and on my Xiaomi 11T Pro both do not reference this file. On my Xiaomi Mi 11 Ultra, the Mi Video app references it but uses it for advertisement filtering only. I also downloaded the latest available Mi Browser version from APKMirror, and again, found no references to the MiAdBlacklistConfig file.

Does that mean it can’t be used for censorship in the future? Admittedly no, but the point is that I can’t find any evidence that points towards it being used for censorship right now. To use a pretty clear example, given that the list contains the word “mi”, then if web content were being filtered, you wouldn’t even be able to visit Xiaomi’s own website in the official Mi Browser. Given that “AdBlacklist” is literally in the name, I think it’s pretty clear what the file is being used for.

In one of the decrypted data pieces shown by the researchers, they revealed that they were using version 12.4-g of the Mi Browser. The Xiaomi Mi 10T that’s used in the report is based on MIUI Global 12.0.10 and is running a European Economic Area build. EEA builds of MIUI do not contain advertisements, and I cannot find that file in the storage of the latest Mi Browser like I did in Mi Video. However, in version 12.4-g, I found references to MiAdBlacklistConfig, but not the file itself. I even downloaded the latest Chinese version of Mi Browser just to confirm, and I can’t find the file there, either. Furthermore, in the same decrypted data piece, the MIUI version that the researchers used is actually different from what is listed in the opening table. It says “‘V12.0.18.0.QJDEUXM”, when the researchers said they used “V12.0.10.0.QJDEUXM”

I took a look at some of the other claims by the researchers, and one jumped out at me in particular.

“Studies have shown that when a user chooses to use Xiaomi Cloud services, the user’s mobile phone number is registered on servers located in Singapore. This is done by the device sending an encrypted SMS message to a special phone number.”

No citation is given to point the reader towards the “studies” that have shown this behavior.

I have configured two Xiaomi smartphones in the past month — the Xiaomi Mi 11 Ultra and the Xiaomi 11T Pro. I checked with my carrier to make sure I hadn’t sent out any international SMS messages this month, and I had not. I have, however, logged into my Xiaomi Cloud account on both smartphones. I don’t know what the researchers did to have the Xiaomi Mi 10T send “an encrypted SMS message to a special phone number”, but that did not happen on either of the devices that I have set up this month.

I did not investigate any of the other claims in full.

Should you be worried?

From what I’ve seen, there’s not a whole lot of cause for concern here. Given that Xiaomi successfully argued for its removal from the U.S.’s list of “Communist Chinese military companies”, there’s not much to substantiate some of the more conspiratorial claims out there. While that may change in the future, I see no cause for concern right now. I can’t help but wonder how the researchers came to the conclusions that they came to, and how they managed to reproduce the behavior that I cannot on two Xiaomi devices.

While it’s true that my Mi 11 Ultra now runs a debloated custom ROM, I installed the latest official Xiaomi apps to test, and the behavior observed stayed the same on my Xiaomi 11T Pro. Furthermore, I factory reset the Mi 11 Ultra on stock MIUI before switching to a Xiaomi.eu ROM, and my carrier should have then identified an international SMS message being sent when I configured it. I checked to make sure that a text wasn’t sent to an Irish number, but all of the numbers that I had sent a text message to I recognized.

All of that is to say that I believe there is no problem currently with Xiaomi devices when it comes to security. Xiaomi gave the following statement to Reuters when reached for comment.

“Xiaomi has never and will never restrict or block any personal behaviours of our smartphone users, such as searching, calling, web browsing or the use of third-party communication software. Xiaomi fully respects and protects the legal rights of all users.”

We have reached out to the Lithuanian NCSC for clarification on the report and will update this article if we hear back.

About author

Adam Conway
Adam Conway

I'm a senior editor at XDA-Developers. I have a BSc in Computer Science from University College Dublin, and I'm a lover of smartphones, cybersecurity, and Counter-Strike. You can contact me at [email protected] My Twitter is @AdamConwayIE and my Instagram is adamc.99.