Xiaomi is said to have a system that transports user data to remote servers hosted by Web domains registered in Beijing.
Xiaomi once again faces allegations that it is silently sending user data to remote servers. Security researchers claim that the Chinese company, which leads the smartphone market in India and is among the top five smartphone makers globally, has built loopholes into its phones that transmit data to remote servers hosted by Alibaba. Among other preloaded apps, the default Web browser on Xiaomi’s Redmi and Mi series phones was found to record users’ Web history even when switched to “incognito” mode. Xiaomi has denied the claims, adding that while it tracks some anonymous browsing data, it does not share this with third parties.
Security researchers Gabi Cirlig and Andrew Tierney spotted various backdoors in Xiaomi phones that let the company obtain user data without any consent from its users, Forbes reported. Cirlig discovered that his Redmi Note 8 was “watching much of what he was doing on his phone” and was sending all of that data to remote servers hosted by Alibaba.
The researcher said that his identity and his private life were being exposed through loopholes that Xiaomi appears to have intentionally added to the software shipped on the Redmi phone. He further found that the company was recording details even when he browsed the Web on his phone in incognito mode. In addition to the browsing data, Cirlig’s Redmi Note 8 was allegedly recording which folders he opened and which screens he swiped, including the status bar and the settings page. All of that data is said to have been transported to remote servers located in Singapore and Russia, hosted under Web domains registered in Beijing, where Xiaomi has its headquarters.
Issues aren’t limited to a particular model
Cirlig found that the security flaws weren’t limited to his Redmi Note 8 and, according to him, exist across various Xiaomi phones. He confirmed their existence by downloading the firmware for the Mi 10, Redmi K20, and Mi Mix 3. Like Cirlig, Tierney also found that Xiaomi’s browsers available for download on Google Play — Mi Browser Pro and Mi Browser — were collecting the same user data. Both browsers have over 15 million downloads, according to the stats on Google Play.
Xiaomi appears to use the data it acquires from users to understand their behaviour. The company has already partnered with behavioural analytics startup Sensors Analytics, which could help it understand how people are using their smartphones. Both Cirlig and Tierney found Xiaomi apps sending user data to domains that apparently reference Sensors Analytics.
Xiaomi has denied the issues raised by the security researchers. Responding to Forbes, Xiaomi said, “The research claims are untrue.” It also stated that privacy and security are of “top concern.” The company further said that it doesn’t collect information in incognito mode, though it did acknowledge that it records “anonymous browsing data” to improve the user experience. A Xiaomi spokesperson also confirmed to Forbes the relationship with Sensors Analytics, describing a data analysis solution used to collect “anonymous data stored on Xiaomi’s own servers.” However, the company claims that the data isn’t shared with the startup or any other third parties.
This isn’t the first time Xiaomi has been found to have backdoors for acquiring user data without explicit permission. The company has faced many allegations of sending users’ personal information back to its servers. Some security concerns were even raised by authorities such as the Indian Air Force back in 2014. Xiaomi did release software updates to address some of those concerns and resolve some of the more serious issues.