This article was published on May 1, 2020

Xiaomi is collecting browser data even in incognito mode, researchers say

WTF Xiaomi



You might want to stay away from Xiaomi’s browsers if you care about your privacy.

The Chinese company has been caught recording a concerning amount of user activity in its Mi Browser Pro and Mint Browser apps, Forbes reports. Researchers found the two apps — which have collectively amassed over 15 million downloads on Google Play — gathered immense amounts of data about any website a user visits, even in incognito mode.

Among other things, the browsers, which ship with Xiaomi handsets by default, recorded search engine queries from Google and privacy-oriented services like DuckDuckGo, and news items viewed on Xiaomi’s news feed feature. The device also gleaned data about what folders users open and to which screens they swipe, including the status bar and the settings menu.

The data was then packaged and sent to remote servers in Singapore and Russia, though the web domains they hosted were registered in Beijing. The researchers also found some of the data was sent to servers Xiaomi rented from fellow Chinese tech giant, Alibaba.


Researcher Gabi Cirlig first discovered the issue on his Redmi Note 8, but after reviewing the firmware of other Xiaomi devices — including the Xiaomi MI 10, Xiaomi Redmi K20, and Xiaomi Mi MIX 3 — he suspects the issue likely affects many more handsets, considering he found the same code in all these phones.

Pressed about the issue, Xiaomi denied any wrongdoing to Forbes, arguing all data transferred is encrypted and anonymized. Still, Cirlig was able to easily decrypt the data into readable chunks of information which could be tied back to an individual.

Provided with video and photos as proof, Xiaomi continued to insist the research claims are “untrue.”

“Privacy and security is of top concern,” the company said, adding it “strictly follows and is fully compliant with local laws and regulations on user data privacy matters.”

Forbes notes that one of the reasons Xiaomi collects such data is to better understand its users. Indeed, this is a practice adopted by many other tech giants, including Google and Apple. The worrying bit is Xiaomi’s seemingly clandestine approach to data collection.

Just two months ago, another Chinese company, Cheetah Mobile, was caught sniffing data on web use, wi-fi access point names, and other activity like how a user swipes. Cheetah defended its actions by saying it needs this information to improve its products.

Huawei, too, has been accused of building back doors in its devices to snatch data in the past, though there has been little evidence to back up such claims. Unlike Huawei, though, there’s plenty of proof Xiaomi is snooping on its users.
