Last year, Google blocked an app called Quick Apps developed by Xiaomi, which was found collecting data that could be used to track users. Xiaomi has come under fire yet again, this time for collecting user data through its browsers, even in incognito mode.
An exclusive report by Forbes has found loopholes in various Xiaomi smartphones, which collect user data via the Mi Browser, Mi Browser Pro and Mint Browser, and send this back to its own servers in China. The report cites security researchers Gabi Cirlig and Andrew Tierney, who were able to find backdoors in multiple Xiaomi devices.
Xiaomi browsers found sharing user data in incognito mode
According to Cirlig, the default browser on his Redmi Note 8 (Mint Browser) was recording all of his activity on the web and sending it back to remote servers in Singapore and Russia, hosted by web domains registered in Beijing, where Xiaomi is headquartered. What’s more surprising is that the browser was recording the data even in incognito mode.
I don't think this is enough. https://t.co/nujd2nT8DA
— Cybergibbons (@cybergibbons) May 3, 2020
The security researcher claimed that Xiaomi was also tracking what he was doing on his phone, including which folders he opened and which screens he swiped, including the status bar and the settings page. At Forbes’ behest, cybersecurity researcher Andrew Tierney found that the issues mentioned were not limited to the Redmi Note 8. Tierney also found the same data being collected by the Mi Browser and Mi Browser Pro, which are found on devices like the Xiaomi Mi 10, Redmi K20 and Mi Mix 3.
The grave concern pointed out by the researchers is that, although Xiaomi claimed that the data is encrypted while being transferred, that is not the case. Cirlig was easily able to decrypt the package in a matter of a few seconds and see exactly what data was being transferred. He claims that this particular data can easily be correlated to a specific user.
Xiaomi updates browsers with option to turn off data collection
Xiaomi has since issued several statements on the matter. The company claims that Forbes “misrepresented” data. However, it did mention that its browsers do collect aggregated usage statistics data, even in incognito mode.
The company has confirmed that it has updated the apps in question, the Mi Browser, Mi Browser Pro and Mint Browser, which will now come with a toggle in incognito mode to turn off aggregated data collection.