[al_chemist]

That's interesting, because when I've got my Xiaomi Mi3 I've compared it with my Samsung Galaxy Tab. Mi3 was rooted, had almost no crapware and allowed me to pick what permissions app gets. On the other hand Tab required Samsung Account and rooting it voided guarantee.

Mi Band vibrates on incoming connection, sms and apps so maybe that's why it requires permissions to phone, sms and notifications.

[cptskippy]

Take a look at the permissions required by the official "Mi Fit" app (https://play.google.com/store/apps/details?id=com.xiaomi.hm....) vs the indie "Tools & Mi Band" app (https://play.google.com/store/apps/details?id=cz.zdenekhorak...).

The official app has more features admittedly, but nothing that justifies the level of permissions it asks for. At most it should need access to the camera/photos to allow you to set a profile photo, and full network access to create/sync your account data to the "cloud".

Nothing that the official app does justifies the following permissions it asks for:

  Device & app history

    retrieve running apps
    read sensitive log data

  Identity

    find accounts on the device

  Location

    approximate location (network-based)
    precise location (GPS and network-based)

  SMS

    receive text messages (SMS)

  Phone

    directly call phone numbers

  Photos/Media/Files

    access USB storage filesystem

  Wi-Fi connection information

    view Wi-Fi connections

  Other

    view network connections
    connect and disconnect from Wi-Fi
    read Google service configuration
    draw over other apps
    control flashlight
    reorder running apps
    modify system settings

[keverets]

Even better is Gadgetbridge (available on F-droid): https://github.com/Freeyourgadget/Gadgetbridge

It's not as slick as the official app, but requires much less in the way of permissions and is more flexible.