Xiaomi Mi Smart Band 4 & Privacy
A review of Xiaomi's Mi Smart Band 4 fitness tracker with special focus on Privacy implications
I'm a Data Hoarder so it comes naturally that I also like to collect my Health data, most importantly my sleep data and heart rate history. I've been tracking both for years using various Apps where for heart rate measuring you have to place your finger on your iPhones camera and flash to get a reading. For sleep tracking I've been using Sleep Cycle where you either place your iPhone on your mattress or grant microphone access and place it on your nightstand to measure how you sleep. As an iPhone user I've long wanted the Apple Watch for those and other tasks but I just can't justify spending that much for what essentially is just a fitness tracker to me. I never bothered looking up all those fitness trackers that have gained popularity in recent years. I was aware of things like Fitbit of course but never gave it a closer look. That was until a friend told me about Xiaomi's Mi Smart Band 4 that was just released. I found an offer for roughly 26€ (~US$29) including shipping and went for it. After waiting for it to make it's way to me from China for two and a half weeks it finally arrived and I had some time to give it a test.
Features & SpecsImages from Xiaomi's Website © 2019 Xiaomi
In case you didn't know about Xiaomi's Mi Smart Band 4, commonly called the Mi Band 4, let me introduce you. The Mi Band 4 is a tiny fitness tracker that weighs only 22.1g. It's water resistant up to 50 meters. It has a beautiful 0.95" capacitive touch AMOLED display with a resolution of 120 x 240 pixel that is able to produce 400 nits at maximum brightness. The screen is glass not some plastic which feels much nicer. Sensor wise it's equipped with a 3-axis accelerometer plus 3-axis gyroscope, a PPG heart rate sensor and a Capacitive proximity sensor. It communicates via Bluetooth 5.0 LE and has a battery capacity of 135mAh which according to Xiaomi's website will last you for 20 days. It has 6 workout modes: Treadmill, exercise, outdoor running, cycling, walking and pool swimming for which it count steps, distance, and calories burned. You can automatically track your sleep and of course your heart rate with it. It can also display notifications from your iPhone, supports custom watch faces, has a built in timer & stopwatch and a weather forecast and you can control music playback on your iPhone through it.
I've been using the Mi Band 4 for about a week now and I'm pretty happy with it. The value you get for the price is unbeatable. The battery was at 45% when I received it and it's still running on that initial charge which is impressive considering I set it up to check my heart rate every single minute, use it for sleep monitoring and sync it with my iPhone between five to ten times a day. Initially I made the mistake of tightening the band a little bit to much which made wearing it for longer times uncomfortable. I now have it secured in the fourth position and only tighten it to the third when I'm exercising, running or whatever. I don't notice it much anymore, it's comfortable to wear. The ability to use customizable watch faces is awesome! There are hundreds of watch faces available for free. I have to admit most are ugly as fuck but there's a watch face for everyone I guess. when I find some time I absolutely plan to create some custom watch faces that are a bit friendlier UI/UX wise. I love that I just have raise my wrist, the display automatically turns on, and I know my heart rate. I also love the built in timer. I often cook and it's quicker to use the Mi Band 4 for timers than my iPhone. The Mi Band 4 will vibrate once the timer has run out which you can't miss even if you listen to loud music like I often do while cooking. No more interupting your music playback with alarm sounds for timers, yay! Also the ability to control music playback has come in handy many times. Just swipe up to unlock the Mi Band 4 (if you use Screen Lock) and then a quick swipe to the left and you can adjust the volume, change tracks and pause playback easily. Many people have criticized the sleep monitoring but I did not experience any problems with it whatsoever. Likewise the heart rate sensor is very accurate and seldom makes mistakes. All in all I'd reccomend the Mi Smart Band 4 to anyone interested in keeping track of their health data.
If you know me you're probably already aware that I'm very outspoken about privacy by design and by default. Privacy to me is a fundamental human right and of course health data in particular should warrant additional caution. I found a way to use the Mi Smart Band 4 without having to compromise my privacy too much. To do that let's take a look at the Apps used to synchronize your health data to Apple Health.
And in their own words:
We may also process and disclose personal information to our affiliated companies (which are in the communications, social media, technology and cloud businesses) and to Third Party Service Providers
There's no practical way to Opt-Out of anything. For consumers within the EU this very clearly goes against the General Data Protection Regulation (GDPR) which demands a not pre-ticked Opt-In process. But since Huami is a Chinese company they probably dont really fear repercussions from the EU, It's not their main market after all.
If you would like to opt out of the Technologies we employ on our websites, services, applications, or tools, you may do so by blocking, deleting, or disabling them as your browser or device permits.
I translated the above quote to plain English for your convenience: We don't give a fuck about you, if you dont like it don't use our products and services.
Adding friends in the App
Information from Friends: Amazfit allows you to add your friends through the friends functionality. After receiving permission from your friends, we may collect the connecting relationship with your friends, and the activity and sleep records of your friends.
What this means is that if you add a friends via the App (again it's the same for MiFit) that friend will then upload your sleep data for you even if you've followed ever step I outlined in this article. So my strong suggestion is to not add any friends. It might be tempting to have an easy way to compare your health stats with your buddies but in my opinion it's not worth it. You can still compare it in person if you want to though!
Inspecting the domains the Apps connect to
I wanted to know where the App is sending data to so I fired up Adguard's DNS Request Log. The first thing the App's doing once you start is connecting to Facebook's API via
graph.facebook.com and after that it check's Xiaomi's push server. Then it connects to QQ's Fusion Api. QQ is an instant messenger and web portal that provide online social games, music, shopping, microblogging, movies, and group and voice chat software according to Wikipedia. I imagine it's similar to Facebook.
Here's a rundown on which domains the two Apps connect to. The domains I blocked are highlighted in red, the single one I allow is marked in green. The paragraph after that explains how to block domains on an iOS device.
This is Facebook's API, obviously I do not want that at all
Another facebook domain
This is Xiaomi's Push service. If you block this domain your Mi Smart Band 4 will no longer receive data like notifications for software updates, weather updates and such. I tried finding some sort of documentation on what this API is capable of but since most information was only available in Chinese, which I do not speak, I was not successful. Please let me know should you find something in English! You can of course block this domain if you don't use your Mi Band 4 to look up the weather and such. You will have to check for software updates manually if you block it
This seems to be Tencent's QQ Fusion API, in my limited understanding this is similiar to the Facebook SDK. I do not use QQ (can't imagine many English speaking consumers do) so safe to block this as well
Another QQ domain
I have not tested this but I imagine you will need to unblock this to log in or create an account the first time you open the App. I did not notice any limitation of the App's function after blocking this. Once logged in you can block it
Same as above
No idea what this domain is used for, I blocked it and everything still works. I suspect that I will have to temporarily unblock this domain to download firmware updates
Horia Constantin made the effort to set up mitmproxy to take a closer look at the requests going out from a Mi Band 3, the previous version. According to his findings, this domain is the only one where a lot of data gets transferred to. In the payload of a request to this domain, Horia was able to find a key called data_json that contains all the recent band data. The subdomain "api-mifit-de" suggests that this API is country-specific as I am located in Germany and DE is the German abbreviation for Germany so it is possible that if you're in France for example an API call would be made to "api-mifit-fr" instead of to "api-mifit-de". Seeing as this is the domain used for transferring your personal health data to Huami I'd highly advise you to block this one
Same as above
Same as above, if you don't use Google you can block it
This is a Chinese version of Google Maps called AutoNavi which belongs to the Alibaba Group. (Second Asian company to break US$500 billion valuation after Tencent). For me the App uses Apple Maps so this is an easy decision; on to the blocklist
Another domain used by AutoNavi
How to block domains on an iPhone
There are some ways to block domains on an iPhone. One could use software like Pi-hole on a router that supports it or on something like a Raspberry Pi. But Pi-hole has it's limitations as it's only meant for filtering data like ads on a network level basis. It's great nonetheless but it'll only protect you while you're using the network that you've set it up for like your WiFi at home. You could of course set up a Virtual Private Network (VPN) so that your iPhone always tunnels all your data through your home network even when your not at home or using mobile data. While it's a good solution if you're capable to set that up for yourself (there are easy to follow step-by-step instructions available online) it will take some time setting it all up. Another alternative would be to use a commercial VPN that allows you to block domains but from a privacy perspective this isn't really a good choice (there are some exceptions) since I don't wan't to trust a third party with all my web traffic. The best solution I've found so far is a still somewhat brand new App called Lockdown, a firewall that works on your device.
Lockdown is an Open Source (GPL License) and free firewall for your iOS device. Lockdown was developed by Duet Display CEO Rahul Dewan and former iCloud engineer Johnny Lin. The open source firewall allows users to block connections to any website between its default setting and custom options. They "built the product to help protect users from app developers and analytics companies that are monetizing user data without consent or transparency.". The app operates solely on device and there's no third parties involved at all. Even Lockdown can't see what you're doing with their App. The code for Lockdown has been shared on GitHub.
They provide some filter lists under 'Recommended by Lockdown' and allow manual entry of additional domains you'd like to block. I asked Lockdown if they could implement a way for power users like me to import complete custom lists - entering domains one at a time can get cumbersome pretty fast - and they replied that they are already working on it! Also dark mode is coming which, as you can probably see on this site, I'm a big fan of!
I think the usage of the App is self explanatory, install it, follow the easy instructions to set it up and then you can enable/disable the already included lists or just add domains one by one. The App will rarely nudge you towards using their VPN but it's easily ignored.
So now that we’ve been taking care of preventing the leakage of your health data through the MiFit/AmazFit App you might be asking if it’s a good idea to use that data with Apple Health. The short answer is: You’re probably good if you’ve set up your iPhone correctly and use an up-to-date iOS version. You need at least iOS 12 and have two-factor authentication enabled. Otherwise, your data is still encrypted in storage and transmission but is not encrypted end-to-end. After you turn on two-factor authentication and update to iOS 12, your Health data is migrated to end-to-end encryption which means even Apple can’t access it.
With iOS 13 Apple added some more features for security and privacy enhancements. The location permissions for example are more granular; you can now set it to “Ask Next Time” and the next time that App wants to use your location you can decide wether to grant it that access once. It‘ll ask every time it wants to use your location again.
I reached out to both Xiaomi and Huami for comments on why domains from Facebook, QQ or AutoNavi are necessary. I also inquired about what kind of data is being stored or transmitted to servers in China/outside of the EU. I haven’t received a reply yet but will update this article if they reply.
Additional Linksmi.com - Mi Smart Band 4
mi.com - Mi Smart Band 4 - Specs
Horia Constantin - Xiaomi MiBand3 and privacy… not much
I submitted this article to Reddit's /r/miband here and to /r/privacy here where some people have commented on it.
If you want to be notified when I release a new article you can subscribe to my RSS feed.