Hello @XiaomiIndia and @Xiaomi, how are you? Remember me? I am that strange guy that constantly looks at your requests... So you know what is going to happen, right? A Saturday thread about your Mi Pay Indian app.
The application has the same issue that your browser had back in March, which @cybergibbons reported, but it's a little bit worse. I would definitely want to see your opinion of this "non-issue" again.
The application is still sending a gazillion "metrics" to a Hong Kong server (more on this later), as we can see while using the application. Here are two screenshots of two example requests. The first and MAJOR issue that I have is that this is transmitted over HTTP.
Yeap, there is no S in there. It's plain old HTTP. That alone is a huge issue in itself, but stay with me, it's getting worse. When using CyberChef you can see actual JSON data. Let's see what we can see in there! That's my phone. My actual phone number is transmitted over HTTP.
That's also my name. Yeap, I know I am also using it as a Twitter handle, but I never consented to it being sent to a Hong Kong server. And here is also a transaction list (empty on my app, as unfortunately I cannot really open a bank account in India).
It seems that whatever I click or view is submitted after 20 seconds to this telemetry server, complete with the click and the text of the button or the view that was clicked / viewed. The problem here is really obvious. This is a bank app. A lot of the info is really sensitive.
ALL of the info is transmitted over HTTP, easily interceptable by anyone on the same network as you. It seems that Xiaomi took the decision to log everything with a global logger and send it over. Even if this was transmitted over HTTPS I would be uncomfortable.
The metrics include, but are not limited to:
Full Name
Phone number
UPI id
Bank account number
Transactions
Bank account Balance
Any send-money or request-money action you submit in the app.
Whoever decided to log everything for "performance optimization" clearly has no idea what he is doing.
Whoever decided to make the telemetry platform available over HTTP and thought that it would be a good idea to connect to it from a BANKING app should not be writing bank applications.
I am not going to touch the "All info stays in India" claim, which is clearly a lie. The server is in Singapore (sorry, not Hong Kong), as you can see from the screenshot. Also, the excessive logging was reported back before the pandemic craziness and Xiaomi stated that it is not excessive.
So if you need some "performance" recommendations: don't log every thing in the world, and definitely NO SENSITIVE info. Use TLS, and when you say that data stays in a country, keep your promise. Oh, I also really like your Roborock :)
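Added example, not code from the thread and not Xiaomi's or Mi Pay's code. It covers both halves of the thread: auditing an intercepted plain-HTTP telemetry request for the data classes listed above (name, phone, UPI id, account number, balance), and what a telemetry client should do instead (allow-list the event fields, redact what remains, refuse a non-TLS endpoint). The captured request, its host, path, field names and values are all constructed for the example; the thread only shows screenshots and the real payload layout is not known here, so the regexes are deliberately broad audit heuristics, not a parser of Mi Pay's format.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample (not a real capture): a plain-HTTP telemetry POST of the
# kind the thread describes. Host, path, field names and values are invented.
CAPTURED_REQUEST = (
    "POST /track HTTP/1.1\r\n"
    "Host: metrics.example.invalid\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    + json.dumps({
        "event": "view",
        "view_text": "Send money",
        "user_name": "Jane Doe",
        "phone": "+919876543210",
        "upi_id": "janedoe@okbank",
        "account_no": "12345678901",
        "balance": "42000.00",
        "ts": 1600000000,
    })
)

# Broad patterns for the data classes the thread lists. Broad on purpose: in an
# audit a false positive costs a glance, a miss costs a leak. The UPI pattern
# also catches e-mail addresses, which is fine for this purpose.
PII_PATTERNS = {
    "phone": re.compile(r"(?<!\d)\+?\d{10,13}(?!\d)"),
    "upi_id": re.compile(r"\b[\w.\-]{2,}@[A-Za-z]{2,}\b"),
    "account": re.compile(r"(?<!\d)\d{9,18}(?!\d)"),
}
# Keys whose name alone says the value must never leave the device as telemetry.
SENSITIVE_KEYS = {"user_name", "phone", "upi_id", "account_no", "balance"}


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def audit_capture(raw, scheme="http"):
    """Findings for one intercepted request. The proxy that captured it knows
    whether the connection was TLS, so the scheme is passed in explicitly."""
    _method, _path, _headers, body = parse_http_request(raw)
    findings = []
    if scheme != "https":
        findings.append("cleartext transport")
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return findings
    for key, value in payload.items():
        if key in SENSITIVE_KEYS:
            findings.append(f"sensitive key {key}")
        if isinstance(value, str):  # ints such as timestamps are not scanned
            for name, pattern in PII_PATTERNS.items():
                if pattern.search(value):
                    findings.append(f"{name}-like value in {key}")
    return findings


# --- the other half: what a telemetry client in the app should do instead ---

ALLOWED_EVENT_KEYS = {"event", "screen", "ts"}  # no free text, no identifiers


def redact(text):
    """Replace anything matching a PII pattern; defence in depth for the
    string fields the allow-list lets through."""
    for pattern in PII_PATTERNS.values():
        text = pattern.sub("[redacted]", text)
    return text


def sanitize_event(event):
    """Allow-list the keys first (the real control), then redact what remains."""
    kept = {k: v for k, v in event.items() if k in ALLOWED_EVENT_KEYS}
    return {k: (redact(v) if isinstance(v, str) else v) for k, v in kept.items()}


def endpoint_allowed(url):
    """Refuse to talk to a telemetry endpoint that is not https://."""
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


if __name__ == "__main__":
    for finding in audit_capture(CAPTURED_REQUEST):
        print("-", finding)
    body = parse_http_request(CAPTURED_REQUEST)[3]
    print("sanitized:", sanitize_event(json.loads(body)))
    print("http endpoint allowed:", endpoint_allowed("http://metrics.example.invalid/track"))
```

The audit side is what you run over a proxy capture: it flags the cleartext transport once and then every field that is sensitive by name or by value, so a field the regexes miss is still caught if its key gives it away. The client side relies on the allow-list rather than the regexes; redaction is only a safety net for free-text fields like a screen name, because a pattern will always miss some identifier format, while an allow-list never sends the button text or the account number in the first place.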
You can follow @evstykas.