Xiaomi, one of the top smartphone makers in the world, has been accused of collecting private data from millions of users of its smartphones and its Android web-browsing apps.
Two days ago, Forbes raised concerns that the Chinese phone maker is collecting private data on the websites users visit, as well as tracking which apps they use and which files and folders they open on their smartphones.
Security researcher Gabi Cirlig said that when he used the default Xiaomi browser on his Redmi Note 8, it recorded every website he visited, including search-engine queries, whether made with Google or the privacy-focused DuckDuckGo. That tracking appeared to continue even when he used the supposedly private "incognito" mode.
Meanwhile, another cybersecurity researcher Andrew Tierney investigated further, at Forbes’ request. He also found browsers shipped by Xiaomi on Google Play—Mi Browser Pro and the Mint Browser—were collecting private user data. Together, they have more than 15 million downloads, according to Google Play statistics.
All of this private user data was being sent to servers in Singapore and Russia, owned by China-based Alibaba and rented by Xiaomi.
The privacy issue was also found on other Xiaomi smartphones: Xiaomi Mi 10, Xiaomi Redmi K20 and Xiaomi Mi MIX 3 devices.
While the smartphone maker says that the data is encrypted, the researchers say the form of "encryption" was so weak that the data could easily be traced back to specific users.
According to Forbes, it took the researchers just a few seconds to decode the "encrypted" data, which was merely encoded with base64, a reversible encoding that requires no key to undo and is not encryption.
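To make the base64 point concrete, here is an added example (not code from Forbes, the researchers or Xiaomi) that a privacy reviewer could run over query strings captured from their own device's outbound traffic. It flags any parameter that is valid base64 and decodes to readable text. The query string below is constructed for the example; the "data" value is the base64 form of a DuckDuckGo search URL, and no real endpoint or parameter name from the article is assumed.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Constructed sample query string, modelled on the shape of an analytics request.
# The "data" field is a base64-encoded URL; the other fields are plain values.
SAMPLE_QUERY = "event=pageview&data=aHR0cHM6Ly9kdWNrZHVja2dvLmNvbS8/cT1wcml2YWN5&ts=1588000000"


def try_base64(value: str):
    """Return the decoded text if value is valid base64 that decodes to
    printable UTF-8, otherwise None. No key is needed: base64 is an
    encoding, so anyone holding the bytes can reverse it."""
    # Telemetry often strips '=' padding; restore it so the decoder accepts it.
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not text.isprintable():
        return None
    return text


def decoded_fields(query: str) -> dict:
    """Map each query parameter whose value is base64-encoded readable text
    to that decoded text. Values that are not base64, or decode to binary
    junk (such as the plain "pageview" string), are skipped."""
    found = {}
    for key, values in parse_qs(query).items():
        for value in values:
            decoded = try_base64(value)
            if decoded is not None:
                found[key] = decoded
    return found


if __name__ == "__main__":
    for name, plaintext in decoded_fields(SAMPLE_QUERY).items():
        print(f"{name}: {plaintext}")
```

Running the block prints the recovered search URL from the "data" field, which is exactly the kind of result the researchers describe: the visited URL, including the search term, is readable by anyone who can observe the request, so base64 provides no confidentiality at all.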
Both Cirlig and Tierney said Xiaomi’s behavior was more invasive than other browsers like Google Chrome or Apple Safari. “It’s a lot worse than any of the mainstream browsers I have seen,” Tierney said. “Many of them take analytics, but it’s about usage and crashing. Taking browser behavior, including URLs, without explicit consent and in private browsing mode, is about as bad as it gets.”
Xiaomi has denied the researchers' claims in a statement given to Forbes and posted on its blog.
Xiaomi maintained its denial even after the researchers sent it a video showing a device recording browsing information and transmitting it to remote servers. In the video demonstration, the researchers searched for the word "porn" in incognito mode and found that the query was still transmitted to Xiaomi's servers.
Xiaomi said that "Our user's privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations". However, it is unclear which local laws Xiaomi is referring to; the company is based in China.
The smartphone maker added that it collects aggregated usage statistics on things like responsiveness and performance that can’t be used to identify individuals. The company also said it syncs web browsing history if people have the feature turned on in their settings. It denied any wrongdoing and said Forbes misunderstood its data privacy principles and policy.
Controversy around Xiaomi isn't new. In 2018, the company admitted to placing advertisements on its Android smartphones running MI User Interface (MIUI) 10 and making them difficult for users to disable. Later, the company made it easier for users to turn those advertisements off. In the third quarter of 2018, Xiaomi's advertising revenue grew by 109.8 percent year-on-year, reaching 3.2 billion yuan (an estimated $477 million). This growth was driven almost entirely by improved and highly targeted optimization of the ad recommendation algorithm used on users' smartphones.
Late in his research, Cirlig also discovered that Xiaomi’s music player app on his phone was collecting information on his listening habits: what songs were played and when.
Forbes wrote: “One message was clear to the researcher: when you’re listening, Xiaomi is listening, too.”