Xiaomi phones record your web and phone use, claim researchers
The data from Xiaomi devices is being sent to remote servers hosted by Alibaba which were rented by Xiaomi, two cybersecurity researchers have discovered
Gabi Cirlig called his new Xiaomi phone "a backdoor with phone functionality". And he wasn't really joking.
Cirlig was speaking to Forbes after discovering that "his Redmi Note 8 smartphone was watching much of what he was doing on the phone". This data was being sent to remote servers hosted by Alibaba which were rented by Xiaomi.
Cirlig is a seasoned cybersecurity researcher who found that "a worrying amount of his behavior was being tracked, whilst various kinds of device data were also being harvested". This left Cirlig amply spooked that "his identity and his private life was being exposed to the Chinese company".
While he was browsing the web on the smartphone's default Xiaomi browser, it recorded all the sites he visited, including search engine queries on both Google and DuckDuckGo and all items viewed on the news feed feature on Xiaomi. Cirlig was being recorded even when he was in incognito mode.
His smartphone was also recording "what folders he opened and to which screens he swiped, including the status bar and the settings page". And all of this data was being "packaged and sent to remote servers in Singapore and Russia, though the web domains they hosted were registered in Beijing".
At Forbes' request, another cybersecurity researcher, Andrew Tierney, investigated further and found that browsers shipped by Xiaomi on Google Play, the Mi Browser Pro and the Mint Browser, were collecting the same data. Together, the two have more than 15 million downloads according to Google Play statistics.
Think of the number of Xiaomi devices people are using across the world. Cirlig called it a serious privacy issue while Xiaomi "denied there was a problem". Currently, Xiaomi is one of the top four smartphone makers in the world as per market share coming in behind Apple, Samsung and Huawei.
The company's "big sell" is cheap devices that "have many of the same qualities as higher-end smartphones". For customers, however, the company might be charging a hefty price with their privacy.
According to Cirlig, the problem affects more models than the one he tested. He downloaded the firmware for other Xiaomi devices like the Xiaomi Mi 10, Redmi K20, Mi MIX 3 etc - and confirmed that they had the same browser code. This led him to suspect that they had the same privacy issues.
There also is an issue with how "Xiaomi is transferring the data to its servers". Though Xiaomi claimed the "data was being encrypted when transferred in an attempt to protect user privacy", Cirlig found he was able to quickly see just what was being taken from his device "by decoding a chunk of information that was hidden with a form of easily crackable encoding, known as base64". It took Cirlig just a few seconds to "change the garbled data into readable chunks of information".
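Base64 is a reversible encoding, not encryption: anyone who captures the bytes can turn them back into the original text, which is why the payload could be read in seconds. The following is an added example, not code from the Forbes investigation, from Cirlig or Tierney, or from Xiaomi. The telemetry body it decodes is a constructed stand-in with placeholder values (the field names, URL and device identifier are assumptions, not Xiaomi's actual format), and the "opaque" sample stands in for what a genuinely encrypted body looks like to an inspector. It shows the check a defender can run over captured request bodies: if a base64 decode yields readable, structured data containing URLs or device identifiers, the transport offered no confidentiality at all.

```python
import base64
import binascii
import json
import re
from typing import Dict, Optional

# Strict base64 alphabet with optional padding; rejects obvious plaintext early.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def try_base64(blob: str) -> Optional[bytes]:
    """Return the decoded bytes if `blob` is well-formed base64, else None."""
    s = blob.strip()
    if not s or len(s) % 4 != 0 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None


def is_readable(data: bytes) -> bool:
    """True when the bytes are valid UTF-8 and almost entirely printable text.

    Real ciphertext fails this test; base64-wrapped JSON or URLs pass it.
    """
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    printable = sum(1 for ch in text if ch.isprintable() or ch in "\r\n\t")
    return printable / max(len(text), 1) > 0.95


def inspect_payload(blob: str) -> Dict[str, object]:
    """Classify one captured request body.

    Returns which layer was found ("base64" or "raw"), whether the content is
    readable once that layer is removed, any URLs visible in it, and the
    top-level scalar fields if the content parses as a JSON object.
    """
    decoded = try_base64(blob)
    if decoded is None:
        layer, data = "raw", blob.encode("utf-8")
    else:
        layer, data = "base64", decoded

    if not is_readable(data):
        # Nothing recoverable without a key: consistent with real encryption.
        return {"encoding": layer, "readable": False, "urls": [], "fields": {}}

    text = data.decode("utf-8")
    fields: Dict[str, object] = {}
    try:
        obj = json.loads(text)
        if isinstance(obj, dict):
            fields = {k: v for k, v in obj.items() if isinstance(v, (str, int))}
    except json.JSONDecodeError:
        pass
    return {
        "encoding": layer,
        "readable": True,
        "urls": URL_RE.findall(text),
        "fields": fields,
    }


# Constructed stand-in for a base64-wrapped telemetry body. The field names
# and values are assumptions for illustration, not a real vendor format.
_CONSTRUCTED_TELEMETRY = {
    "url": "https://duckduckgo.com/?q=example+query",
    "device_id": "DEVICE-ID-PLACEHOLDER",
    "android_version": "9",
    "incognito": True,
}
SAMPLE_BASE64_TELEMETRY = base64.b64encode(
    json.dumps(_CONSTRUCTED_TELEMETRY).encode("utf-8")
).decode("ascii")

# Constructed stand-in for an encrypted body: 64 bytes that can never be
# valid UTF-8 (all are continuation bytes), then base64-wrapped for transport.
SAMPLE_OPAQUE = base64.b64encode(bytes(range(0x80, 0xC0))).decode("ascii")


if __name__ == "__main__":
    for label, body in [("telemetry", SAMPLE_BASE64_TELEMETRY), ("opaque", SAMPLE_OPAQUE)]:
        print(label, inspect_payload(body))
```

The "opaque" result is what an inspector should see if a vendor's claim of encryption in transit holds: no readable structure after the encoding layer is stripped. A result like the "telemetry" one, with URLs and a device identifier in the clear, means base64 was the only protection, and the same correlation Cirlig warned about is available to anyone on the path.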
"My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user," warned Cirlig.
What Xiaomi had to say
In response to these findings, Xiaomi said, "The research claims are untrue," and "Privacy and security is of top concern," adding that it "strictly follows and is fully compliant with local laws and regulations on user data privacy matters."
However, a spokesperson confirmed "it was collecting browsing data, claiming the information was anonymised so wasn't tied to any identity" and said that "users had consented to such tracking".
Cirlig and Tierney have both pointed out - "it wasn't just the website or web search that was sent to the server. Xiaomi was also collecting data about the phone, including unique numbers for identifying the specific device and Android version". According to Cirlig, such "metadata" could easily be correlated with an actual human behind the screen.
The Xiaomi spokesperson also "denied that browsing data was being recorded under incognito mode". Both Cirlig and Tierney, however, "found in their independent tests that their web habits were sent off to remote servers regardless of what mode the browser was set to, providing both photos and videos as proof".
When Forbes provided the company with a video made by Cirlig showing "how his Google search for 'porn' and a visit to the site PornHub were sent to remote servers, even when in incognito mode", the spokesperson "continued to deny that the information was being recorded".
"This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analysing non-personally identifiable information," they added.
Cirlig and Tierney pointed out that Xiaomi's behavior was "more invasive than other browsers like Google Chrome or Apple Safari".
"It's a lot worse than any of the mainstream browsers I have seen," Tierney said. "Many of them take analytics, but it's about usage and crashing. Taking browser behavior, including URLs, without explicit consent and in private browsing mode, is about as bad as it gets."
Cirlig also suspected that "his app use was being monitored by Xiaomi, as every time he opened an app, a chunk of information would be sent to a remote server". Forbes reports that another researcher who has tested Xiaomi devices, though under an NDA that prevented him from discussing the matter openly, said he'd seen the manufacturer's phones collect such data.
Xiaomi didn't respond to questions on that issue.
Xiaomi appears to have another reason for collecting the data, that is to better understand its users' behavior. The company is using the services of a behavioral analytics company called Sensors Analytics.
This Chinese startup, also known as Sensors Data, is described by Pitchbook, a tracker of company funding, as a "provider of an in-depth user behavior analysis platform and professional consulting services." Sensors Analytics' tools help clients explore "the hidden stories behind the indicators in exploring the key behaviors of different businesses".
Forbes reports that both Cirlig and Tierney found their Xiaomi apps were sending data to domains that appeared to reference Sensors Analytics, including repeated use of the initials SA. When you clicked on one of the domains, the page contained one sentence: "Sensors Analytics is ready to receive your data!"
There was an API called SensorDataAPI — an API (application programming interface) being the software that allows third parties access to app data. Xiaomi is also listed as a customer on the Sensors Data website.
Founder and CEO of Sensors Data, Sang Wenfeng, has a long history in tracking users, according to Forbes. At Chinese internet giant Baidu he "built a big data platform for Baidu user logs, according to his company bio".
Xiaomi's spokesperson confirmed the relationship with the startup and said - "While Sensors Analytics provides a data analysis solution for Xiaomi, the collected anonymous data are stored on Xiaomi's own servers and will not be shared with Sensors Analytics, or any other third-party companies".
This is the second time in two months that "a huge Chinese tech company has been seen watching over users' phone habits". Forbes reports that a security app with a "private" browser made by Cheetah Mobile, a public company listed on the New York Stock Exchange, was seen collecting information on web use, WiFi access point names and more granular data like how a user scrolled on visited web pages. Cheetah argued that "it needed to collect the information to protect users and improve their experience".
Late in his research, Cirlig also discovered that Xiaomi's music player app on his phone was collecting information on his listening habits: what songs were played and when. One message is clear - when you're listening, Xiaomi is listening, too.