Report: Xiaomi Phones Scooping Up Tons of Web Browsing Data, Even in Incognito Mode

A Forbes report suggests that Xiaomi phones are sending poorly encrypted browsing data — including 'incognito' mode sessions — to servers in Russia and Singapore without the knowledge of its users.

Xiaomi phones, and the default browser installed on them, are reportedly recording every website a user visits, including visits made in “incognito” mode or with the privacy-focused DuckDuckGo web browser, according to Forbes.

Gabriel Cirlig, a security researcher for White Ops who worked with Forbes, found that his Redmi Note 8 smartphone recorded the folders he opened, the screens he viewed, and settings he changed. Though domains were hosted in Beijing, that data was sent to servers in Russia and Singapore.

The data was encrypted, but Cirlig was able to decode it because it was in an easily crackable format called base64, meaning he could convert it into readable information. “My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user,” Cirlig told Forbes.

Cirlig downloaded the firmware for other popular Xiaomi phones such as the Xiaomi Mi 10, Xiaomi Redmi K20 and Xiaomi Mi MIX 3. Since these phones have the same browser code, Cirlig suggests that they will have the same security issues as his own Xiaomi Redmi Note 8. It was also found that Xiaomi’s music player app was collecting information on what songs were played and when they were played.

Cybersecurity researcher Andrew Tierney reportedly found that the Mi Browser Pro and the Mint Browser — which have more than 15 million downloads through Google’s Play Store — collected the same data.

In response, Xiaomi said “the research claims are untrue,” that “privacy and security is of top concern,” and that it “strictly follows and is fully compliant with local laws and regulations on user data privacy matters.” The company said that while it was collecting browsing data, that data was anonymized.

Xiaomi’s spokesperson denied that browsing data was being recorded while users were in “incognito” mode. Forbes provided Xiaomi with a video made by Cirlig showing information about a search result being sent to remote servers in “incognito” mode, but Xiaomi said it "shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information."

“Many [other browsers] take analytics, but it's about usage and crashing. Taking browser behavior, including URLs, without explicit consent and in private browsing mode, is about as bad as it gets,” Tierney told Forbes.

Xiaomi is purportedly collecting this data to better understand its users’ behavior, and sending it to the behavioral analytics company Sensors Analytics. Xiaomi confirmed that "Sensors Analytics provides a data analysis solution for Xiaomi," but said "the collected anonymous data are stored on Xiaomi's own servers and will not be shared with Sensors Analytics, or any other third-party companies."
