
This article was published on May 1, 2020


Xiaomi is collecting browser data even in incognito mode, researchers say

WTF Xiaomi

Story by

Mix

Former TNW Writer

Mix is a tech writer based in Amsterdam that loves cinema and probably hates the movies that you like. Tell him everything you despise about his work on Twitter.

You might want to stay away from Xiaomi’s browsers if you care about your privacy.

The Chinese company has been caught recording a concerning amount of user activity in its Mi Browser Pro and Mint Browser apps, Forbes reports. Researchers found the two apps — which have collectively amassed over 15 million downloads on Google Play — gathered immense amounts of data about any website a user visits, even in incognito mode.

Among other things, the browsers, which ship with Xiaomi handsets by default, recorded search engine queries from Google and privacy-oriented services like DuckDuckGo, and news items viewed on Xiaomi’s news feed feature. The device also gleaned data about what folders users open and to which screens they swipe, including the status bar and the settings menu.

The data was then packaged and sent to remote servers in Singapore and Russia, though the web domains they hosted were registered in Beijing. The researchers also found some of the data was sent to servers Xiaomi rented from fellow Chinese tech giant, Alibaba.

Researcher Gabi Cirlig first discovered the issue on his Redmi Note 8, but after reviewing the firmware of other Xiaomi devices — including the Xiaomi MI 10, Xiaomi Redmi K20, and Xiaomi Mi MIX 3 — he suspects the issue likely affects many more handsets, considering he found the same code in all these phones.

Pressed about the issue, Xiaomi denied any wrongdoing to Forbes, arguing all data transferred is encrypted and anonymized. Still, Cirlig was able to easily decrypt the data into readable chunks of information which could be tied back to an individual.

Provided with video and photos as proof, Xiaomi continued to insist the research claims are “untrue.”

“Privacy and security is of top concern,” the company said, adding it “strictly follows and is fully compliant with local laws and regulations on user data privacy matters.”

Forbes notes one of the reasons Xiaomi collects such data is to better understand its users. Indeed, this is a practice adopted by many other tech giants, including Google and Apple. The worrying bit is Xiaomi’s seemingly clandestine approach to data collection.

Just two months ago, another Chinese company, Cheetah Mobile, was caught sniffing data on web use, wi-fi access point names, and other activity like how a user swipes. Cheetah defended its actions by saying it needs this information to improve its products.

Huawei, too, has been accused of building back doors in its devices to snatch data in the past, though there has been little evidence to back up such claims. Unlike Huawei, though, there’s plenty of proof Xiaomi is snooping on its users.
