Be careful if you're using a Xiaomi phone

Dave

It seems that if you have a Xiaomi phone it's reporting everything you do back to Xiaomi, even what you browse in Incognito mode.

Security researcher Gabi Cirlig has discovered that his Redmi Note 8 usage habits were being tracked and sent to servers hosted by Alibaba in Singapore and Russia that have been rented by Xiaomi. This included the folders he opened on his phone and the screens he swiped to, including the status bar and the settings menu. As if that was not enough, Xiaomi was even tracking what music Cirlig was listening to using the default music player on his Redmi phone.

The security researcher also found that whenever he browsed the web using Xiaomi's default browser app, it kept a record of all the websites he visited, search engine queries, and the items viewed on the browser's newsfeed. More worryingly, the behavior continued even when using the incognito mode in the browser. The security researcher found the same tracking code in other Xiaomi phones as well, including premium models like the Redmi K20, Mi 10, and Mi Mix 3.

Another security researcher, Andrew Tierney, discovered the same behavior in Xiaomi's Mi Browser Pro and Mint Browser, both of which are available on the Google Play Store and have over 15 million downloads combined. What's even more worrying is that despite Xiaomi's claims that the data was being encrypted for security reasons, Cirlig found that he was easily able to decode and find readable information from it.

When reached by Forbes, Xiaomi did confirm that it was collecting users' browsing data, though it was anonymizing it for privacy reasons. It also claimed that users consented to have their browsing history tracked. The company, however, denied that it was tracking data when incognito mode was used in the browser.

When Forbes provided Xiaomi with a video made by Cirlig showing how his Google search for “porn” and a visit to the site PornHub were sent to remote servers, even when in incognito mode, the company spokesperson continued to deny that the information was being recorded. “This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information,” they added.

Willy Strong

I'm currently typing on one. Looking at custom ROMs now.


 