Why does Xiaomi.eu rom track me without my agreement (it sends data to your private servers)?!


4 Oct 2019
Guys,

Please explain to me one thing - why does your rom spy on me every day without my knowledge? Every day, my phone sends requests to zdunex25.e398mod.com. It is very interesting, since ZduneX25 is an administrator of the MIUIPolska.pl site (https://miuipolska.pl/forum/profile/1167-zdunex25/) and is probably one of the creators of this rom. I'm on the xiaomi.eu_multi_POCOF1_V10.3.8.0.PEJMIXM_v10-9 version. This is quite funny, because I'm writing an article about privacy protection on Xiaomi devices, so I set up a phone with the Xiaomi.eu rom only, without any additional apps and so on, in order to collect all the domains to which the phone sends requests. If I don't receive any response, I will describe the whole case on Reddit. I'm very interested in what the law says about such a case, because I didn't agree to send any data to your private servers. This is a bunch of logs from my Pi-hole instance in my network:

 
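The method the opening post describes (a device on a Pi-hole network, then read the query log to see which names it resolves and how often) can be done mechanically instead of by eye. The script below is an added example, not code from the thread or from the Xiaomi.eu project. It assumes Pi-hole's dnsmasq-style query log lines ("query[A] name from client"); the sample lines are constructed for the demonstration and are not the poster's real log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the dnsmasq format Pi-hole writes to /var/log/pihole.log.
# Illustrative only; not the thread author's actual log.
SAMPLE_LOG = """\
Oct  3 08:01:12 dnsmasq[812]: query[A] zdunex25.e398mod.com from 192.168.1.50
Oct  3 08:01:12 dnsmasq[812]: forwarded zdunex25.e398mod.com to 1.1.1.1
Oct  3 08:01:13 dnsmasq[812]: reply zdunex25.e398mod.com is 203.0.113.10
Oct  3 08:02:40 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.1.50
Oct  3 12:30:05 dnsmasq[812]: query[A] www.example.org from 192.168.1.20
Oct  4 08:01:15 dnsmasq[812]: query[A] zdunex25.e398mod.com from 192.168.1.50
Oct  4 08:01:15 dnsmasq[812]: query[AAAA] zdunex25.e398mod.com from 192.168.1.50
Oct  4 09:15:00 dnsmasq[812]: query[A] connectivitycheck.gstatic.com from 192.168.1.50
Oct  5 08:01:09 dnsmasq[812]: query[A] zdunex25.e398mod.com from 192.168.1.50
"""

# Only "query[...]" lines carry the client address; "forwarded"/"reply" lines do not.
QUERY_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(log_text):
    """Return one record per query line; forwarded/reply lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        records.append({
            "day": f"{m['mon']} {int(m['day']):02d}",
            "time": m["time"],
            "qtype": m["qtype"],
            "name": m["name"].lower().rstrip("."),
            "client": m["client"],
        })
    return records


def domains_for_client(records, client):
    """Query count per name for a single device (A and AAAA counted together)."""
    return Counter(r["name"] for r in records if r["client"] == client)


def recurring_domains(records, client, min_days=2):
    """Names the device resolves on at least min_days distinct days.

    A name that shows up every day on an otherwise idle device is the kind of
    periodic check-in (update poll, telemetry, connectivity probe) worth
    identifying by hand; the DNS log alone cannot say which of those it is.
    """
    days = defaultdict(set)
    for r in records:
        if r["client"] == client:
            days[r["name"]].add(r["day"])
    return {name: sorted(d) for name, d in days.items() if len(d) >= min_days}


if __name__ == "__main__":
    recs = parse_queries(SAMPLE_LOG)
    phone = "192.168.1.50"  # assumed address of the freshly flashed test phone
    for name, n in domains_for_client(recs, phone).most_common():
        print(f"{n:4d}  {name}")
    for name, seen in recurring_domains(recs, phone).items():
        print(f"{name}: seen on {len(seen)} days ({', '.join(seen)})")
```

The output is a list of names and how regularly they recur, nothing more. DNS shows that a host was looked up, not what was sent to it, so whether a daily lookup is an update check or something else has to be settled by capturing the actual HTTP(S) traffic or reading the component that issues it.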
I have a clean Xiaomi.eu rom, without any additional apps and so on. Did you read my first post? This is a clean installation, flashed in order to track my phone's network behavior.
 
It's an OTA checking request. You're writing an article and don't have minimal technical knowledge about it? Good to know.

Sent from my MI 8 using Tapatalk
 
I don't know what to say, but I will never trust xiaomi.eu roms ... I felt they are like spies, but I will stay with stock+root+own debloat.

Just curious, why are you here if you're not using the xiaomi.eu rom?

I see you joined yesterday ...
 
First of all, why do you attack me? You have to be "a great" and serious developer if you implement that kind of mechanism on your private domains instead of using an official one. Yes, I don't have any minimal technical knowledge, except that I'm a long-time developer. I would never have done update checking that way. You have to be very skilled guys, especially since you are using unencrypted connections to implement that kind of functionality (zdunex25.e398mod.com doesn't have an SSL certificate) ;) You create a product offered on the Xiaomi.eu/Miuipolska.pl domains, so all requests should go to these domains (or their subdomains). If you don't understand such a simple thing, it would be better for all of us if you didn't work on commercial projects. You are unprofessional.

And one thing, let's return to that sentence:
You're writing an article and don't have minimal technical knowledge about it? Good to know.
How the hell am I supposed to know that the address is used to check for OTA updates? Do I look like a fairy? Let's change it to the-best-porn-in-town.xyz.com - it says the same as the current address. A normal developer (one who would not attack people from the community) would use a normal address for his API, like updates.xiaomi.eu or updates.miuipolska.pl, but you've chosen zdunex25.e398mod.com, without SSL. Perfect.
 
First of all, I completely agree that you should not be attacked for trying to understand suspicious behavior on your phone after having installed a rom. The developers should take matters like that seriously. That said, you didn't approach the forum respectfully; you could have phrased yourself more nicely, no one here is your bitch. To the matter in hand, the first one is OTA and, to my understanding, the other one looks like some kind of harmless theme updater that should not share any info besides the theme you have, and doesn't have permission to do anything else, SSL or not. Nonetheless, I am confident that the developers will look into it.
Good day
 
Who the hell do you think you are, waltzing in and flaming the development team as if you're a stinking shareholder in our non-existent "company".
Before things are explained to you, first you calm the hell down - either that or the discussion is over and you can replace the ROM with something else, something more "official".
Now for my comment on the subject: we're using whichever resources we've got to provide you with the free products (ROMs) and services (OTA updates, support) that you are enjoying. Whichever domains we use is what we can spare for your sake. You want a single domain for all of our traffic? BUY US a high-end server that can handle all of that traffic without dying shortly after and that uses only encrypted connections. Don't want to buy it? Then keep it zipped, or move out.
"It would be better for all of us if you didn't work on commercial projects"? Oh, but we don't! There's absolutely nothing "commercial" about what we're doing.
"You are unprofessional"? Before using the word, look up the definition of professional: "engaged in a specified activity as one's main paid occupation rather than as a pastime." Are we getting paid for this? You bet we don't. In fact, this is clearly a waste of our time on ungrateful little punks like yourself.
Finally, you're not in the position to be telling us where to store our ROMs, how to go about OTA checks, which domains to use so it looks "pretty" to you. You are a nobody around here.
Go on ahead, describe your paranoiac nonsense on Reddit, make a fool of yourself.
 
Guys, a self-respecting person will never write like that. If you don't respect yourselves, then who should respect you? It is very unpleasant to read these posts.
Regards (for now). vs.
Please speak in English and stop escalating an issue that is not yours.
 
Guys, a self-respecting person will never write like that. If you don't respect yourselves, then who should respect you? It is very unpleasant to read these posts.
Regards (for now). vvs.
 
I repeat:
stop escalating an issue that is not yours.
 
Too bad, this problem is yours. It is not only me who sees it. Good luck and patience.
 
I don't see why you believe you're holding the moral high ground with blank statements like these. I'm not a kid and you're not my father. Stay out of my business and don't think that you're in a position to "educate" me about self-respect. If turning the other cheek is in your culture, then it surely isn't in mine.
 
This is in no way an appropriate response to a legitimate question.
Many among us don't understand ROM development but I assure you nobody likes to be spied on. Rather than addressing the specific question, legitimate or not, you went on to insult the one asking the question.
Don't get me wrong. I appreciate the hard work you put into this project, but having a free project doesn't mean people aren't supposed to ask any questions regarding security and privacy and it sure as hell doesn't entitle you to insult other members.
Addressing the specific concerns the user had would have been 10x more useful for the other users who might question the credibility of your project.
 
BUY US a high-end server that can handle all of that traffic without dying shortly after and that uses only encrypted connections.
Define "high-end server". How many users per second are trying to connect to your server? I would offer a VPS with an Intel Xeon E5 (8 cores, 16GB RAM, Polish datacenter), but as far as I know, I'm the troll and paranoid.

He's not a user, he's a self-entitled troll who came here to please his ego by blackmailing the devs. He was treated as he treated them.
Thank you, I'm a troll now because I saw very suspicious traffic on my phone. Well, guys, thanks for your work - I used to flash my phones with your work for 3 years. Now I have to move to something better, where developers don't have such an ego.

Yeah, well, how about not starting your questions with "Please explain to me one f**** thing"?...
Yeah, and that is why you had to answer me with "You're writing an article and don't have minimal technical knowledge". Excuse me, but what could I have thought when I saw unexpected connections to a domain with one of your guys' names in it? Imagine you're installing a banking application and you see that it is trying to connect to zdunex25.blabla.com. Would you not be angry? YOU ARE RELEASING AN OPERATING SYSTEM, guys. And maybe you are not aware of it, but you have to be transparent, because people run their software on your piece of work and they have to trust you. How can they do that when you call them "trolls" and treat them like Russian agents? Are you serious?
 
@5USHpUutdgFmxQdF
You can even test the app Blokada!
A lot of requests in this ROM.
Over 50000 in a month!
Then I changed to another ROM and have had less than 2000. Same apps and same usage.
I will never use this ROM.
 
You're trolling, right? Did you read the OP? I can barely see the actual question! All I see is a psychotic-outbreak-style intro ("Please explain to me one f**** thing"), then a bunch of conspiracy theories and a failed background check (no, ZduneX25 is not the creator of this ROM, he's the head of Polish translation and the guy who worked his ass off to bring you the Updater app, along with the OTA delivery mechanism, and he used whichever domains and servers he had at his disposal that could deliver the OTAs in as consistent and stable a way as possible), and if that's not enough, he then went for a threat! ("If I don't receive any response, I will describe the whole case on Reddit.")
How can you call this "a legitimate question"? The responses he got were 100% appropriate to the attitude and content of his post. He could just have asked something like "what are those URLs my device occasionally connects to?" and he would've got a super calm and informative answer.

Yeah, well, how about not starting your questions with "Please explain to me one f**** thing"?...

He's not a user, he's a self-entitled troll who came here to please his ego by blackmailing the devs. He was treated as he treated them (and since this is a "free project" and nobody forced him to use it - nobody owes him anything).
Exactly my point, and I'm not obligated to give a cheery, peaceful answer to an offensive post containing inflammatory language and attitude towards the developers.