Xiaomi is currently the leading smartphone maker in India
Xiaomi is allegedly sending browsing data even when using “incognito” mode
The company is also reportedly recording user patterns and behaviour
Xiaomi has a history of security and privacy concerns
Xiaomi once again faces allegations that it is silently sending user data to remote servers. Security researchers claim that the Chinese company, which leads the smartphone market in India and is amongst the top-five smartphone makers globally, has provided loopholes on its phones to transmit data to remote servers hosted by Alibaba. Amongst other preloaded apps, the default Web browser on Xiaomi's Redmi and Mi series phones was found recording the Web history of users even when switched to “incognito” mode. Xiaomi has denied the claims, and added that while it tracks some anonymous browsing data, it does not share this with third parties.
Security researchers Gabi Cirlig and Andrew Tierney were able to spot various backdoors in Xiaomi phones that help the company obtain user data, without getting any consent from its users, reported Forbes. Cirlig discovered that his Redmi Note 8 was “watching much of what he was doing on his phone” and was sending all that data to remote servers hosted by Alibaba.
The researcher said that his identity and his private life were being exposed through the loopholes that Xiaomi seems to have intentionally added to the software available on the Redmi phone. Further, he was able to find that the company was recording details even when he was browsing the Web on his phone using the incognito mode. In addition to the browsing data, Cirlig's Redmi Note 8 was allegedly recording what folders he opened and which screens he swiped. This includes the status bar and the settings page. All that data is said to have been transported to remote servers located in Singapore and Russia, hosted by the Web domains registered in Beijing, where Xiaomi has its headquarters.
Issues aren't limited to a particular model

Cirlig found that the security flaws weren't limited to his Redmi Note 8 and, according to him, exist across various Xiaomi phones. He was able to confirm their existence by downloading the firmware for the Mi 10, Redmi K20, and Mi Mix 3. Like Cirlig, Tierney also found that Xiaomi's browsers available for download on Google Play — Mi Browser Pro and Mi Browser — were collecting the same user data. Both browsers have over 15 million downloads, as per the stats on Google Play.
Xiaomi appears to use the data it acquires from users to understand their behaviour. The company has already partnered with behavioural analytics startup Sensors Analytics, which could help it understand how people are using smartphones. Both Cirlig and Tierney found Xiaomi apps were sending user data to domains that apparently have references to Sensors Analytics.
Xiaomi has denied the issues raised by the security researcher. Responding to Forbes, Xiaomi said, “The research claims are untrue.” It also stated that privacy and security are of “top concern.” Further, the company said that it doesn't collect information in the incognito mode, though it did mention that it records “anonymous browsing data” to improve the user experience. A Xiaomi spokesperson also confirmed to Forbes the relationship with Sensors Analytics for using a data analysis solution to collect “anonymous data stored on Xiaomi's own servers.” However, the company claims that the data isn't shared with the startup or any other third parties.
“Xiaomi was disappointed to read the recent article from Forbes. We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user's privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.”
Jagmeet Singh writes about consumer technology for Gadgets 360, out of New Delhi. Jagmeet is a principal correspondent for Gadgets 360, and has frequently written about apps, computer security, Internet services, and telecom developments. Jagmeet is available on Twitter at @JagmeetS13 or Email at email@example.com. Please send in your leads and tips.