Xiaomi, India's largest smartphone maker by market share, has once again come under scrutiny over privacy. Security researchers claim that the Chinese company's phones contain mechanisms that transmit user data to remote servers hosted by Alibaba, Forbes reported.
Among other preloaded apps, the default Web browser on Xiaomi's Redmi and Mi series phones was found to record users' Web history even when switched to “incognito” mode. Xiaomi has denied the claims, saying that while it collects some anonymous browsing data, it does not share this with third parties.
According to the Forbes report, browsing with Xiaomi's default browser records every website visited, including search queries made on Google and on the privacy-focused DuckDuckGo, and every item viewed in the news feed feature of Xiaomi's software. That tracking appeared to continue even when the supposedly private “incognito” mode was in use.
The device also recorded which folders the user opened and which screens were swiped, including the status bar and the settings page. All of this data was packaged up and sent to remote servers in Singapore and Russia, although the Web domains they hosted were registered in Beijing.
Further, the browsers Xiaomi ships on Google Play, Mi Browser Pro and Mint Browser, were collecting the same data. According to cybersecurity researchers Gabi Cirlig and Andrew Tierney, millions of users are likely affected by what Cirlig described as a serious privacy issue, though Xiaomi denied there was a problem.
Cirlig said that his identity and private life were being exposed through loopholes that Xiaomi appears to have intentionally added to the software on his Redmi phone.
Cirlig found that the flaws weren't limited to his Redmi Note 8 and, according to him, exist across various Xiaomi phones; he confirmed this by downloading and examining the firmware for the Mi 10, Redmi K20, and Mi Mix 3. Tierney independently found that Xiaomi's browsers available for download on Google Play, Mi Browser Pro and Mint Browser, were collecting the same user data. Both browsers have over 15 million downloads, according to the Google Play statistics.
In response to the findings, Xiaomi said, “The research claims are untrue,” and “Privacy and security is of top concern,” adding that it “strictly follows and is fully compliant with local laws and regulations on user data privacy matters.” A spokesperson nonetheless confirmed that the company collects browsing data, claiming the information was anonymized and so not tied to any identity, and said that users had consented to such tracking.
The researchers countered that Xiaomi was also collecting data about the phone itself, including unique numbers identifying the specific device and its Android version. Cirlig said such “metadata” could “easily be correlated with an actual human behind the screen.”
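As an added illustration of Cirlig's last point (this is not code from the article or from the researchers' own tooling), the following Python sketch shows why a stable device identifier undermines the “anonymized” claim: grouping the records by that identifier rebuilds each device's full history, incognito visits included; a single record that links the identifier to a person names the owner; and even with the identifier stripped, the remaining metadata (model, Android version) can leave a device alone in its anonymity set. The event format, device identifiers, models and addresses below are constructed for the example and do not reflect Xiaomi's actual payloads.

```python
from collections import defaultdict

# Constructed telemetry events, loosely modelled on the categories the article
# describes (visited URLs, search queries, UI events) plus the device metadata
# the researchers say travels with them. Not Xiaomi's real payload format.
TELEMETRY = [
    {"device_id": "d41d8cd9", "model": "Redmi Note 8", "android": "10",
     "type": "url", "value": "https://duckduckgo.com/?q=divorce+lawyer", "incognito": True},
    {"device_id": "d41d8cd9", "model": "Redmi Note 8", "android": "10",
     "type": "url", "value": "https://news.example/politics", "incognito": False},
    {"device_id": "d41d8cd9", "model": "Redmi Note 8", "android": "10",
     "type": "ui", "value": "open:settings", "incognito": False},
    {"device_id": "7f9c2ba4", "model": "Mi 10", "android": "10",
     "type": "url", "value": "https://www.google.com/search?q=cheap+flights", "incognito": True},
    {"device_id": "7f9c2ba4", "model": "Mi 10", "android": "10",
     "type": "ui", "value": "open:folder/Downloads", "incognito": False},
    {"device_id": "a1b2c3d4", "model": "Redmi Note 8", "android": "10",
     "type": "url", "value": "https://shop.example/cart", "incognito": False},
]

# One record that ties a device id to a person: a sign-in, a support ticket,
# a store receipt. Constructed for illustration.
IDENTITY_LINKS = {"d41d8cd9": "alice@example.org"}


def profiles_by_device(events):
    """Group events by the stable device identifier.

    Because every event carries the same device_id, grouping rebuilds each
    device's complete history, including visits made in incognito mode.
    """
    profiles = defaultdict(list)
    for ev in events:
        profiles[ev["device_id"]].append(ev)
    return dict(profiles)


def reidentify(events, identity_links):
    """Attach a person to every device profile for which a single linking
    record exists. Returns {identity: [visited URLs / search queries]}."""
    named = {}
    for device_id, evs in profiles_by_device(events).items():
        who = identity_links.get(device_id)
        if who is None:
            continue
        named[who] = [e["value"] for e in evs if e["type"] == "url"]
    return named


def incognito_events(events):
    """Events the browser reported while in incognito mode. A private mode
    that genuinely suppresses telemetry would leave this list empty."""
    return [e for e in events if e["incognito"]]


def anonymity_set_sizes(events, fields=("model", "android")):
    """Suppose device_id were stripped. Count how many distinct devices share
    each combination of the remaining metadata fields; a size of 1 means
    that combination alone singles out one device (k-anonymity with k=1)."""
    devices_per_combo = defaultdict(set)
    for ev in events:
        combo = tuple(ev[f] for f in fields)
        devices_per_combo[combo].add(ev["device_id"])
    return {combo: len(ids) for combo, ids in devices_per_combo.items()}


if __name__ == "__main__":
    print("incognito events reported:", len(incognito_events(TELEMETRY)))
    print("re-identified profiles:", reidentify(TELEMETRY, IDENTITY_LINKS))
    print("anonymity sets by (model, android):", anonymity_set_sizes(TELEMETRY))
```

With the sample data the Mi 10 is the only device with its (model, Android version) pair, so that pair alone identifies it; in a real fleet the same check would be run over many more fields (screen size, carrier, locale, install time), which is exactly why “we removed the identifier” is not the same as anonymization.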