Mi Fit is the Android app for Xiaomi health products. The app is closed-source and available from the Play Store1.

In order to use the app, a Xiaomi account or a supported social login is required. At the time of writing, the login options were Google, Facebook, Mi Account and WeChat. The app provides no option to be used without an account, even to view data from the smart devices on the phone. The social login options were not tested, so I do not know the list of external account data that can be accessed by Xiaomi.

Devices supported by Mi Fit use Bluetooth for communication. As such, the app requires permissions for Bluetooth and Location (Bluetooth Low Energy scanning on Android requires the Location permission, so the two go together). The products that interface with this app include Mi Band (a fitness/sleep tracker/digital watch) and Mi Scale (a digital scale that can measure body fat).

Health data

The application stores various pieces of health data. The amount and precision of this data depends on which devices are used. Below is a sample.

  • Mi Band
    • Heart rate, including any indicators of cardiac arrhythmia
    • Movement and activity levels
    • Sleep cycles
  • Mi Scale
    • Weight
    • Body fat ratio

Privacy

Assuming there are no privacy and security problems with the actual devices (which is a big assumption), the official app is where the raw data gets processed and merged with user IDs. Due to the sensitive nature of this information, special care needs to be taken to ensure it stays private.

As far as I could tell, the app does not end-to-end encrypt2 this data before transmitting it to servers. This means the employees of the company, and any government entities that have power over the company, have full access to this data.

Below is a brief analysis of the information transmitted by this application.

The app mainly contacts two services, huami.com and Facebook Analytics.

Huami

huami.com is the main domain the app talks to. Huami is a Chinese company that provides cloud-based healthcare services. Aside from providing cloud services for Xiaomi, Huami is also the company behind Amazfit watches.

Facebook Analytics

The application uses Facebook’s marketing and analytics service. The domain used for this data transfer is graph.facebook.com. The Facebook App ID used in these requests is 370547106731052 (also seen in the form fb370547106731052). A quick internet search for these values will indicate that this App ID has been used for a while.

Every time the app is opened, multiple pings are sent to Facebook’s analytics service. Among the data included in the analytics requests:

  • Where you installed the Mi Fit app from (Play Store, Aurora Store, Browser, etc.)
  • Your phone model and Android Version
  • Time zone
  • IP address and approximate location
  • Advertiser ID, Session ID and Anonymous ID, all as UUIDs.

In the brief time I have tested the application, not much else was transmitted.
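
One way to check for yourself which identifiers leave the phone is to capture the app’s traffic through a proxy and scan the requests to graph.facebook.com that carry the App ID above. The script below is an added example, not code from the original post or from Xiaomi/Huami. It assumes captures are available as (method, URL, body) tuples, as an intercepting proxy would expose them, and the body key names (advertiser_id, anon_id, session_id, application_package_name, install_referrer) are assumptions modelled on Facebook’s public App Events API; the post names the identifiers, not the keys. The sample capture is constructed, not real traffic.

```python
"""Scan captured HTTP requests for Facebook Analytics uploads tied to one App ID
and report which identifiers (and which UUID-shaped ones) each upload carries.

Added example, not part of the original post.  Assumptions: captures are
(method, url, body) tuples; body keys follow Facebook's App Events API names.
"""
import re
from urllib.parse import parse_qs, urlsplit

FB_APP_ID = "370547106731052"           # App ID quoted in the post
FB_APP_ID_PREFIXED = "fb" + FB_APP_ID   # alternative form quoted in the post
ANALYTICS_HOST = "graph.facebook.com"

# Body/query keys to report.  Key names are assumptions (App Events API style).
IDENTIFIER_KEYS = {
    "advertiser_id": "Advertiser ID",
    "anon_id": "Anonymous ID",
    "session_id": "Session ID",            # hypothetical key name
    "application_package_name": "Package name",
    "install_referrer": "Install source",
}

UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def parse_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body to {key: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def analyse_request(method: str, url: str, body: str):
    """Return a finding for an analytics upload addressed to FB_APP_ID, else None."""
    parts = urlsplit(url)
    if parts.hostname != ANALYTICS_HOST:
        return None
    # The App ID appears as a path component, e.g. /v2.5/<app_id>/activities
    path_parts = [p for p in parts.path.split("/") if p]
    if FB_APP_ID not in path_parts and FB_APP_ID_PREFIXED not in path_parts:
        return None
    fields = parse_form_body(body) if method.upper() == "POST" else {}
    fields.update({k: v[0] for k, v in parse_qs(parts.query).items()})
    identifiers = {label: fields[k] for k, label in IDENTIFIER_KEYS.items() if k in fields}
    return {
        "event": fields.get("event", "?"),
        "identifiers": identifiers,
        # Which of the reported identifiers look like UUIDs (device/session scoped IDs)
        "uuid_shaped": sorted(lbl for lbl, val in identifiers.items() if UUID_RE.match(val)),
    }


def scan(captures):
    """Run analyse_request over every capture and keep only the matches."""
    findings = []
    for method, url, body in captures:
        finding = analyse_request(method, url, body)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample capture (not real traffic): two analytics uploads, one
# request to the vendor cloud (hostname assumed), one unrelated Graph call.
SAMPLE_CAPTURE = [
    ("POST", "https://graph.facebook.com/v2.5/370547106731052/activities",
     "event=MOBILE_APP_INSTALL"
     "&advertiser_id=11111111-2222-4333-8444-555555555555"
     "&anon_id=66666666-7777-4888-9999-000000000000"
     "&application_package_name=com.xiaomi.hm.health"
     "&install_referrer=utm_source%3Dgoogle-play"),
    ("POST", "https://graph.facebook.com/v2.5/370547106731052/activities",
     "event=CUSTOM_APP_EVENTS"
     "&advertiser_id=11111111-2222-4333-8444-555555555555"
     "&session_id=aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"),
    ("POST", "https://api.huami.com/v1/sync", "device=miband&steps=1234"),
    ("GET", "https://graph.facebook.com/v2.5/me?fields=id", ""),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CAPTURE):
        print(f["event"], f["identifiers"], "UUIDs:", f["uuid_shaped"])
```

With a real capture, the same scan tells you how many uploads one app launch produces and which of them repeat the same Advertiser ID, which is what makes the pings linkable across sessions.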

Alternatives to Mi Fit

Depending on which Xiaomi device you want to use, there are various alternatives. Below is a (short) list.

  • Fitness trackers like the Mi Band can use Gadgetbridge. Gadgetbridge is an open source app that integrates with smart health tracker devices. You can download Gadgetbridge on F-Droid.

  • The OpenScale app on F-Droid works well with the Mi Scale. It is able to connect through Bluetooth and fetch all the data.

  1. Application ID com.xiaomi.hm.health 

  2. End-to-end encryption in this case would mean your data is only ever decrypted on your local device (both ends are you)