Study: Spyware in Chinese Android Phones

Hopefully, the units shipped for sale abroad are not affected/infected. People should take care about which versions they’re buying, and from whom, I guess. (If they choose to buy these brands.)

Does installing a custom ROM protect against this kind of thing, @Manoj (and other e.foundation staff, or anyone who would like to reply)?

6 Likes

From the above-linked articles, the data leaks come from apps.
So yes, a custom ROM should protect against it.

Probably a lot, but … "The pre-installed set of apps consists of Android AOSP packages, …" and vendor code.

If alternatives are available, I would like to minimize this possibility in closed-source binary blobs.

It’s not clear: what about the same devices but sold, e.g., in the EU and not bought in China?

Quickly skimming through the actual study shows they seem to mainly have looked at the packages installed on top of the Android system, but they also looked at the connections being made. Not sure which part of the study the reference to “vendor code” refers to.

For the most part it should. If you are a high-profile target (activist, journalist, whistleblower etc.), you shouldn’t be using /e/ anyway. Consult a security professional instead. As a normal user, you should be reasonably fine.

I can confirm a lot of their findings, though of course on a more superficial level. Installing NoRootFirewall or Blokada on Xiaomi devices with the EU ROM shows a lot of traffic, even if everything is configured in the most privacy-friendly way possible and no accounts are created or logged in. Whenever you connect it to the internet, looking at the connection log is like looking at a fountain. I found the devices also had certain semi-random times when multiple apps and tasks suddenly became super chatty.

The EU roms also come with a lot of bloatware, some of it Chinese like Aliexpress and the default Office software, some of it from the US like Facebook or Google apps, Netflix etc. All of these launch at boot and most happily transmit data even though they have never ever been opened even once. Some of them can be uninstalled by the user, some can’t. It appears this is just worse by a magnitude of 3 to 4 times in the Chinese version of the ROMs.

The system itself has a lot of components that cannot be uninstalled or deactivated by the casual user that constantly chat with Xiaomi servers. All activities in the default browser trigger connections. A lot of the system traffic also seems to be related to advertising.

For EU and India ROMs, the target servers appear to be located in Singapore and operated by Alibaba Cloud.

However, while the extent of this is certainly staggering, western companies do this, too. You can’t use most non-Chinese Android phones either without sending crazy amounts of data to Google as well as the device manufacturer. The majority of common commercial apps that are pre-installed on western Android systems also connect to things like Facebook, Google Firebase Analytics and app-measurement.com on every startup without asking for consent or option to opt-out, some even constantly transmit data without ever having been launched.

Apple also seems to verify certificates on every app launch (on both iOS and macOS), which in turn theoretically allows them to track which apps are opened and when.

Chinese companies are certainly more aggressive in this regard and the state is certainly more oppressive and the integration between companies and the state is tighter, but the problem itself is not a uniquely Chinese one.

Installing /e/ on Xiaomi devices stops those transmissions as far as I can tell (except for those inevitable ones to Google that are documented by /e/), so for the casual user, they seem to be more than safe enough once the manufacturer ROM is gone. All phones include US-, Korean-, Japanese- and Chinese-made components with their own firmware and security vulnerabilities, so no phone can really be considered 100% safe.

The Chinese state also has other means to track cellphone users, such as access to the provider communications through network operators on small islands, by manipulating routing tables to route cellphone traffic through China, access to millions of consumer internet routers, apps like TikTok and more. These days, we can also add flying balloons that can intercept radio communication to that list.

As long as US and EU regulations block secure end-to-end encrypted standards for mobile communication and old systems stay in place which assume that every network provider is trustworthy, we have to live with the fact that our communication over these networks and to an extent also our location will remain exposed to malicious actors.

In short, based on what we know so far, I’d say using a Chinese phone with /e/ is less problematic than using a western phone with stock ROM. But I’m happy to revise my stance if there are new findings.

8 Likes

It’s just that the potential consequences are not so dire (usually). :wink:

Still, trackers from western companies absolutely need to be blocked, too, and we need more effective legislation to block such behavior in the first place, as you point out. Even:

Yes. I was very happy to discover tracker blockers like Blokada and TrackerControl. I have several public block-lists loaded and it has been very satisfying to deny suspicious background connections from apps on my Sonys. With /e/ installed, and running mostly apps from F-Droid, I don’t get many of those, but on LineageOS (with or without microG), there are more. I don’t ever see any trackers going to Sony, though.

Thanks for reporting your experience with the Chinese variants. :+1:

3 Likes
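The two posts above describe the same manual check: watch a per-app connection log from a tracker blocker (NoRootFirewall, Blokada, TrackerControl) and see which destinations fall on a public block-list, and which apps phone home without ever having been opened. The script below is an added example, not code from this thread or from any of those apps, showing that check as it would be scripted over an exported log. The log line format, the package names, the hosts-style blocklist entries and the set of apps "launched by the user" are all constructed for illustration; a real export would need its own parser. The suffix match in `is_blocked` is the rule most hosts-style blockers apply (a listed domain also covers its subdomains).

```python
"""Summarise a per-app connection log against a hosts-format blocklist.

Added example, not code from the thread or from Blokada/TrackerControl.
The log format, package names and blocklist entries below are constructed
for illustration; real exports from those apps differ.
"""
from collections import defaultdict
import re

# Constructed blocklist in the hosts-file style used by many public lists:
# "0.0.0.0 host" lines plus comments. A listed domain also covers subdomains.
BLOCKLIST_TEXT = """
# Example tracker list (constructed)
0.0.0.0 app-measurement.com
0.0.0.0 graph.facebook.com
0.0.0.0 firebaselogging.googleapis.com
127.0.0.1 tracking.example-vendor.cn
"""

# Constructed log: timestamp, package, destination host:port (one per line).
LOG_TEXT = """
2023-02-01T08:00:01 com.example.office tracking.example-vendor.cn:443
2023-02-01T08:00:02 com.example.office cdn.example-vendor.cn:443
2023-02-01T08:00:03 com.example.social graph.facebook.com:443
2023-02-01T08:00:03 com.example.social api.app-measurement.com:443
2023-02-01T08:00:09 org.fdroid.fdroid f-droid.org:443
2023-02-01T08:00:10 com.example.office tracking.example-vendor.cn:443
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<pkg>\S+)\s+(?P<host>[^:\s]+):(?P<port>\d+)$")


def parse_blocklist(text):
    """Return the set of blocked domains from hosts-style text."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1", "::1"):
            for host in parts[1:]:
                blocked.add(host.lower().rstrip("."))
    return blocked


def is_blocked(host, blocked):
    """Suffix match: a.b.c is blocked if a.b.c, b.c or c is on the list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def summarise(log_text, blocked, launched_by_user):
    """Per app: blocked/allowed connection counts and the blocked hosts.

    launched_by_user is the (constructed) set of packages the user actually
    opened; it is used to flag apps that transmit without ever being launched.
    """
    stats = defaultdict(lambda: {"blocked": 0, "allowed": 0,
                                 "blocked_hosts": set(), "never_opened": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        pkg, host = m["pkg"], m["host"]
        entry = stats[pkg]
        if is_blocked(host, blocked):
            entry["blocked"] += 1
            entry["blocked_hosts"].add(host)
        else:
            entry["allowed"] += 1
        entry["never_opened"] = pkg not in launched_by_user
    return dict(stats)


def main():
    blocked = parse_blocklist(BLOCKLIST_TEXT)
    report = summarise(LOG_TEXT, blocked, launched_by_user={"org.fdroid.fdroid"})
    for pkg, e in sorted(report.items()):
        flag = " (never opened)" if e["never_opened"] else ""
        print(f"{pkg}{flag}: blocked={e['blocked']} allowed={e['allowed']} "
              f"-> {sorted(e['blocked_hosts'])}")


if __name__ == "__main__":
    main()
```

Running it prints one line per package; `com.example.office` shows two denied connections to a listed vendor host plus an allowed CDN fetch and the "never opened" flag, which is the pattern the posts above describe. Allowed hosts are not "clean", only unlisted, so an app whose allowed destinations are all unfamiliar still deserves a look.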

This topic will automatically close in a month.

My request to the @moderators would be to mark this topic as persistent… I think by disabling the auto-close timer in the Discourse options for this thread?

This topic has been and will be a long-term issue and it would help the community for information to accumulate here: to make it more easily found & extended from Internet and forum search, and to keep it from getting fragmented into a number of topics.

1 Like

To start, let me quote Gaël: "/e/OS is neither into ideological postures nor into hardened security that could be useful to targeted people, but rather into a pragmatic approach to offer a usable mobile OS while protecting (normal) user’s personal data collection from Google & commercial apps publishers."
We definitely do not recommend /e/OS for users who are targeted by their governments or any secret agencies.
/e/OS takes care of protecting the average user from data pilfering by Big Tech. Stock ROMs, be they from any particular country or any popular vendor, all have multiple applications that leak your information. How that information is used is not in your control. Your information is extracted under the pretext of ‘optimizing your user / device experience’. In short, when it comes to stock ROMs there are no saints.
We ensure the default set of applications that come with /e/OS are not sending data out. Users would also need to ensure that they do not randomly install applications from various repositories. Be aware of what you are installing and be cautious about what permissions you give.

10 Likes

Thanks. I think we all understand that. I guess I was curious to know if any vendor-embedded spyware could persist in sub-strata (not in the visible, installed apps), or if a custom ROM would completely wipe that out. Admittedly, I don’t know much about these things. :slight_smile:

2 Likes

I am an average user and it has been a steep learning curve about privacy issues. Reading these posts has been very educational. How much less I’m now pilfered and what my role is in it is still a bit of a mystery to me. I remember reading articles over ten years ago about how internet servers were found to have not fully documented hardware components, backdoors, etc.

/e/OS might not be a ‘deus ex machina’ here, but what else does an average user have? I guess custom ROM usage isn’t even close to the use of Linux (which is much easier to install). Linux is only on 5% of desktop and laptop computers. I keep on donating to e.foundation (…whenever I can afford to…). Thank you for your efforts!

1 Like

Just to clarify, my experiences were primarily with international ROMs. I only got a quick enough look at the Chinese ROM so far to see that there was more bloatware.

I’d really be interested how Xiao Ai (voice assistant) behaves and if any components transmit data from sensors like the fingerprint reader, the microphones, or the cameras. Unfortunately, the study linked in the OP doesn’t seem to go into that.

1 Like

Sinophobia has reached the /e/ community… that’s sad… yeah, multiple companies around the world are trying to make money from you, what’s new? Targeting a group of people as being evil is so last century. I really hope /e/ can protect diversity.
These articles make it sound like what these apps are doing is different, and in reality they are just preying on people’s emotions… fear etc.

Where, specifically, do you see sinophobia?

The articles cited a methodical study from multinational researchers at educational institutions.

I reported the existence of the study.

The comments mentioning well-documented authoritarianism by the state apparatus of the PRC are not denigrating the Chinese people.

If anything, pointing these things out is a humanitarian service to citizens of the PRC, if they’re able to reach this site or others reporting the study.

4 Likes

The article is not targeting a group of people at all. It is merely describing behaviour of phones sold in a specific market.

Besides, equating criticism of the Chinese government with criticism of its people or even racism is a common strategy in CCP influence campaigns both inside and outside of China. Let’s please not fall for it.

4 Likes

But is it surely only software related?

This topic was automatically closed after 30 days. New replies are no longer allowed.