Xiaomi is collecting a slew of browsing data from its unsuspecting users.
Xiaomi is being accused of recording users’ interactions with its phones and sending the data to servers hosted by Alibaba in Singapore and Russia that have been rented by the Chinese phone giant, reads a new report from Forbes. While Xiaomi’s default browser appears to log every website a user visits, the Chinese smartphone maker says it’s not doing anything unusual.
While examining the Mi Browser on the Redmi Note 8, cybersecurity researchers Gabi Cirlig and Andrew Tierney found it was tracking a lot of user behavior, even when set to private or “incognito” mode. Collected data includes websites visited, items viewed on Xiaomi’s news feed and search engine queries, according to Cirlig. Even searches on the privacy-focused Google alternative DuckDuckGo were being sent to China.
The phone also sent data about what folders were opened and interactions with the home screen, along with unique device numbers and Android versions.
Tierney discovered that in addition to the pre-installed stock browser on MIUI, Xiaomi’s Android-based OS, the company’s Mi Browser Pro, and the Mint Browser — both available on Google Play with a combined 15 million+ downloads — were also collecting user data.
Cirlig found the same browser tracking code was present in the firmware code of other Xiaomi phones, including the Xiaomi MI 10, Xiaomi Redmi K20, and Xiaomi Mi MIX 3 devices.
Xiaomi said what the researcher found just shows “the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience.” The company denied violating user privacy and recording information on website visits, according to the report.
The researchers said Xiaomi’s behavior was more invasive than other browsers like Google Chrome or Apple’s Safari. And Cirlig says recorded metadata about the phone, including device numbers and Android versions, could be used to identify specific users. The researcher also said information was being sent using the base64 encoding, which can be easily decoded using common tools.
In a separate statement, Xiaomi said the researchers “misunderstood what we communicated regarding our data privacy principles and policy.” It added, “User’s privacy and internet security is of top priority at Xiaomi.” The company didn’t specify what was misinterpreted.