Xiaomi's smartphone secretly sends the actions of tens of millions of users to Alibaba's server



Security researcher Gabriel Cirlig discovered that Xiaomi's smartphone, the Xiaomi Redmi Note 8, records most of the user's actions on the device and sends them to Alibaba's servers.

Report: Xiaomi Phones Scooping Up Tons of Web Browsing Data, Even in Incognito Mode
https://uk.pcmag.com/smartphones/126774/report-xiaomi-phones-scooping-up-tons-of-web-browsing-data-even-in-incognito-mode

According to Cirlig, the Xiaomi default browser installed on the Redmi Note 8 records all visited websites, including search engine queries, and all items displayed by the Xiaomi app's news feed feature. The researchers believe that this tracking continues even when the user is using the more private 'secret mode'.

Cirlig also said that the Redmi Note 8 recorded the contents of user-opened folders, swiped screens, status bars and settings pages, and sent them all together to servers in Singapore and Russia. In addition, these servers are hosted by Alibaba, and the domain was registered in Beijing.



Cirlig describes Xiaomi's smartphone as a 'backdoor with phone functionality.'

Forbes, which spoke with Cirlig, asked security researcher Andrew Tierney to do further research, and he found that the Xiaomi browsers Mi Browser Pro and Mint Browser, which are available on Google Play, were collecting data in a similar way. Together, these two apps have been downloaded more than 15 million times.

Cirlig also downloaded the firmware of three devices, the 'Xiaomi Mi Note 10', 'Xiaomi Redmi K20', and 'Xiaomi Mi MIX 3', and confirmed that the same code was used in their browsers. In other words, similar security issues may exist in these browsers.

Regarding the investigation, Xiaomi denied the problem, commenting that 'the claims in the study are not true' and 'privacy and security are our greatest concerns.' On the other hand, a spokesperson admitted that the browser is collecting data, saying, 'The information is anonymized so it will not be tied to an individual,' and explained that it is collected with the consent of the user.



Meanwhile, Cirlig and Tierney reported that the collected data included information about websites and web searches, as well as numbers to identify devices and Android versions. With such data, it is easy to connect the information to individual users, Cirlig said. Xiaomi also denies collecting information in secret mode, which also conflicts with the researchers' view.

Cirlig suggested that app usage might also be monitored, as a set of information was sent to the remote server each time the app was opened, but Xiaomi didn't mention this.

in Security, Posted by darkhorse_log