In order to use the app, a Xiaomi account or a supported social login is required. At the time of writing, the login options were Google, Facebook, Mi Account and WeChat. The app provides no option to be used without an account, even to view data from the smart devices on the phone. The social login options were not tested, so I do not know the list of external account data that can be accessed by Xiaomi.
Devices supported by Mi Fit use Bluetooth for communication. As such, the app requires permissions for Bluetooth and Location. The products that interface with this app include Mi Band (a fitness/sleep tracker/digital watch) and Mi Scale (a digital scale that can measure body fat).
The application stores various pieces of health data. The amount and precision of this data depends on which devices are used. Below is a sample.
- Mi Band
  - Heart rate, including any indicators of cardiac arrhythmia
  - Movement and activity levels
  - Sleep cycles
- Mi Scale
  - Body fat ratio
Assuming there are no privacy and security problems with the actual devices (which is a big assumption), the official app is where the raw data gets processed and merged with user IDs. Due to the sensitive nature of this information, special care needs to be taken to ensure it stays private.
As far as I could tell, the app does not end-to-end encrypt this data before transmitting it to its servers. This means that employees of the company, and any government entity that has power over the company, have full access to this data.
Below is a brief analysis of the information transmitted by this application.
The app mainly contacts two services, huami.com and Facebook Analytics.
huami.com is the main domain for the app. Huami is a Chinese company that provides cloud-based healthcare services. Aside from providing cloud services for Xiaomi, they are also the parent company of Amazfit watches.
The application uses Facebook’s marketing and analytics service. The domain used for this data transfer is graph.facebook.com. Here’s the Facebook app-ID used to transmit this information: fb370547106731052. A quick internet search for these values will indicate that this App ID has been used for a while.
Every time the app is opened, multiple pings are sent to Facebook’s analytics service. Among the data included in the analytics requests are:
- Where you installed the Mi Fit app from (Play Store, Aurora Store, Browser, etc.)
- Your phone model and Android Version
- Time zone
- IP address and approximate location
- Advertiser ID, Session ID and Anonymous ID. All as UUIDs.
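To show how the findings above can be checked systematically rather than by eye, here is an added example (my own script, not code from the post or from Mi Fit) that audits captured HTTP requests: it separates first-party traffic (huami.com) from third-party traffic, and for each third-party request reports which parameters carry UUID-shaped identifiers and which carry device or context data. The sample requests, their URL paths and parameter names are constructed for illustration; only the hosts and the app ID come from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of captured requests (not real traffic). Each record holds
# the method, the URL and the decoded form body as a query string. The paths
# and parameter names are assumptions; the hosts and app ID are from the post.
SAMPLE_REQUESTS = [
    {
        "method": "POST",
        "url": "https://graph.facebook.com/fb370547106731052/events",
        "body": "event=APP_OPEN"
                "&advertiser_id=2b1f0e4c-0d7e-4d23-9a8a-3f5c1d2e7b11"
                "&anon_id=7a0c5f1e-6b2d-4c3e-8f9a-1b2c3d4e5f60"
                "&install_referrer=play_store&os_version=10"
                "&device_model=Example-1&timezone=Europe/Berlin",
    },
    {
        "method": "POST",
        "url": "https://api-mifit.huami.com/v1/data/band_data.json",
        "body": "userid=1234567&data_type=heart_rate&value=72",
    },
    {
        "method": "GET",
        "url": "https://graph.facebook.com/fb370547106731052?fields=settings",
        "body": "",
    },
]

# Domains the app's vendor controls; anything else is treated as third party.
FIRST_PARTY_SUFFIXES = ("huami.com",)

# Canonical 8-4-4-4-12 hex UUID, the shape of the advertiser/session/anon IDs.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def is_first_party(host):
    """True when the host is a first-party domain or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def extract_fields(record):
    """Merge query-string and form-body parameters into one dict."""
    parts = urlsplit(record["url"])
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    fields.update(dict(parse_qsl(record["body"], keep_blank_values=True)))
    return parts.hostname, parts.path, fields


def audit(records):
    """Return one finding per third-party request: host, path, the parameter
    names whose values are UUID-shaped identifiers, and the remaining
    (device/context) parameter names. First-party requests are skipped."""
    findings = []
    for record in records:
        host, path, fields = extract_fields(record)
        if is_first_party(host):
            continue
        identifiers = sorted(k for k, v in fields.items() if UUID_RE.match(v))
        context = sorted(k for k, v in fields.items() if not UUID_RE.match(v))
        findings.append({"host": host, "path": path,
                         "identifiers": identifiers, "context": context})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUESTS):
        print(f"{f['host']}{f['path']}")
        print(f"  identifiers sent: {', '.join(f['identifiers']) or 'none'}")
        print(f"  context sent:     {', '.join(f['context']) or 'none'}")
```

In practice the records would come from a proxy export (mitmproxy, Burp, or similar) rather than an inline list; the classification logic stays the same. Treating any UUID-shaped value sent to a third party as a tracking identifier is deliberately conservative, which is the right default for a privacy audit.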
In the brief time I have tested the application, not much else was transmitted.
Alternatives to Mi Fit
Depending on which Xiaomi device you want to use, there are various alternatives. Below is a (short) list.
The OpenScale app on F-Droid works well with the Mi Scale. It is able to connect through Bluetooth and fetch all the data.