Xiaomi phones secretly transmit the actions of tens of millions of users to Alibaba's servers
Security researcher Gabriel Cirlig has discovered that Xiaomi's smartphone,
Report: Xiaomi Phones Scooping Up Tons of Web Browsing Data, Even in Incognito Mode
https://uk.pcmag.com/smartphones/126774/report-xiaomi-phones-scooping-up-tons-of-web-browsing-data-even-in-incognito-mode
According to Cirlig, when using Xiaomi's default browser installed on the Redmi Note 8, every website visited, including search engines, and every item displayed in the news feed feature of the Xiaomi app are recorded. The researchers believe this tracking is happening even if the user is using the more private 'incognito' mode.
The Redmi Note 8 also recorded which folders users opened, which screens they swiped, and the contents of their status bars and settings pages, and sent all of this information in a bundle to servers in Singapore and Russia, Cirlig said. The servers were hosted by Alibaba, and the domains were registered in Beijing.
Cirlig describes Xiaomi's smartphones as 'backdoors with phone functionality.'
After hearing Cirlig's story, Forbes asked security researcher Andrew Tierney to investigate further. Tierney found that Xiaomi's Mi Browser Pro and Mint Browser, both of which are available on Google Play, were also collecting similar data. These two apps have been downloaded more than 15 million times in total.
Cirlig also downloaded firmware from three other devices, the Xiaomi Mi Note 10, the Xiaomi Redmi K20, and the Xiaomi Mi MIX 3, and confirmed that the browsers on those devices use the same code, meaning that the same security issues may exist in those browsers.
Xiaomi denied the allegations in the study, saying, 'The claims in the study are not true' and 'Privacy and security are our biggest concerns.' However, a spokesperson acknowledged that the browser collects data, saying, 'The information is anonymized and cannot be linked to individuals,' and explained that the data is collected with the user's consent.
On the other hand, Cirlig and Tierney report that data was collected, including information about websites and web searches, as well as numbers to identify the device and Android version. Cirlig says that such data makes it easy to link the information to the user. Xiaomi also denies that it collects information through incognito mode, which also contradicts the researchers' opinion.
Cirlig suggested that app usage may also be monitored, since a batch of information was sent to a remote server every time the app was opened, but Xiaomi did not comment on this.
in Security, Posted by darkhorse_log