Xiaomi has drawn the attention of the cybersecurity community after researchers found its software breaching users’ privacy. The researchers found Xiaomi tracking users’ private browsing sessions and gathering other data. The tech giant has refuted such claims, however.
Xiaomi Tracking Private Browsing And Spying On Users
Forbes recently published an exclusive report on Xiaomi’s purported spying on users. In the post, they revealed that a researcher, Gabi Cirlig, observed that his Redmi Note 8 smartphone spied on him. The phone kept sending his data to servers hosted by Alibaba.
Briefly, the researcher noticed that the phone kept tracking all browsing details, including private browsing sessions. He could see the search engine queries (both Google and DuckDuckGo) being recorded by the browser. The phone also recorded screen swipes, the folders he browsed, the settings page, and almost everything else.
Besides Cirlig, another researcher, Andrew Tierney, noticed similar behavior in Xiaomi browsers on the Google Play Store. The Mint Browser and Mi Browser Pro, together boasting over 15 million downloads, also collect the same data.
In response to these claims, Xiaomi said that the transmitted data was encrypted. However, Cirlig could easily decrypt the data, which, he fears, could lead to individual tracking. As he told Forbes,
My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user.
Cirlig noticed that the device transmitted this data to servers in Singapore and Russia, whereas the web domains were registered in Beijing.
Xiaomi Refutes Spying Claims
After the reports of user tracking surfaced online, Xiaomi issued a response statement in a live post on their site. Initially, they refuted the claims of stealth data collection, deeming them “an unfortunate misinterpretation”. Instead, they emphasized that they collect synced data only when a user is signed in to a Mi account.
However, Tierney demonstrated in his tweets that this was not the case.
Well, unsurprisingly, Xiaomi are saying that we're wrong that their browsers send all your data in Incognito mode.
So here's the evidence.
The app first downloaded was the "Mint Browser". It was obtained from the Play Store direct, yesterday. https://t.co/GJedDen5B1 pic.twitter.com/lYzQdCzAwX
— Cybergibbons (@cybergibbons) April 30, 2020
Moreover, Manu Kumar Jain, Xiaomi’s Global VP and Managing Director at Xiaomi India, also emphasized that the data collected from Indian users stays on servers in India.
Mi Fans, I shot a video explaining false news regarding Mi Browser. Watch it: https://t.co/JJNqcXDCp2
I repeat, Mi Browser & all Mi internet products are 100% safe. Moreover all data of Indian users is stored locally in India!
Pls don’t believe incorrect news! #Xiaomi ❤️ (2/2) https://t.co/P93IxWSfjq
— Manu Kumar Jain (@manukumarjain) May 2, 2020
Eventually, in an update on May 3, 2020, Xiaomi announced that they will shortly update the Mint and Mi Browser software with an option that lets users choose whether data is collected while they browse privately. As stated,
Our next Mint Browser and Mi Browser software update will include an option in incognito mode for all users of both browsers to switch on/off the aggregated data collection, in an effort to further strengthen the control we grant users over sharing their own data with Xiaomi.
Despite this rollout, the new ‘control feature’ would seemingly work for ‘incognito mode’ only. Still, users may see for themselves what browsing data their Xiaomi browsers collect and how.
Let’s see how things unfold in the days to come.