Security researcher Gabriel Cirlig has discovered that Xiaomi smartphones collect pretty much all of their owners' activity data. The researcher told Forbes that personal data is collected through the phone's built-in browser and sent to remote servers.
Cirlig used a Redmi Note 8 as his daily driver, and he found that the phone reported pretty much everything he did. Xiaomi’s built-in web browser recorded the websites he visited, the settings he modified, the screens he swiped through, the music he listened to, and more.
Even in the supposedly private “Incognito Mode”, the personal data is monitored. The data was sent to remote servers in Russia and Singapore, although the Chinese tech giant Alibaba hosted their network domains in China. Both of these were reportedly rented out by Xiaomi.
Cirlig believes that this security problem also plagues numerous other Xiaomi apps. He downloaded the firmware for the Xiaomi Mi 10, Mi Mix 3, and Redmi K20 and noticed that they all had the same browser code.
At Forbes’ request, the case was further investigated by another security researcher, Andrew Tierney. He discovered that several other internet browsers provided by Xiaomi on the Google Play Store, including Mi Browser Pro and Mint Browser, were also harvesting data. Together they have over 15 million Play Store downloads.
Originally, Xiaomi denied the researchers' findings and said privacy and protection were the top priority for the company. Earlier, a company spokesman confirmed the phones were gathering data but said it was all encrypted and anonymised.
However, the data was protected only by an easily crackable encoding, and it took Cirlig just a few seconds to turn the garbled data into readable information. He said the data could be easily matched to a specific person.
Xiaomi had also denied that the browser was gathering data in Incognito Mode, but this was also a false assertion.