New research claims that China-based Xiaomi is tracking sensitive information and sending it to their servers if you use the Mi browser, which is bundled with all Redmi and Mi phones.
In a report by Forbes, security research Gabi Cirlig states that Xiaomi’s Mi Browser app sends your internet searches, including incognito mode sessions, to Xiaomi servers in Singapore and Russia.
Even more concerning is that Cirlig states that the data being set can easily be associated with a particular user allowing the company to single out users they wish to track.
“My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user,” Cirlig told Forbes.
While all of this data is uploaded to remote servers in Singapore and Russia, the domains themselves are registered to an organization in Beijing.
Additionally, the researcher noticed that Xiaomi phones record the folders a user opens, the screens a user views, and configured settings.
Xiaomi’s music player app was also recording what and when the user played songs.
Xiaomi’s Mint Browser is also recording data
At Forbes’ request, cybersecurity researcher Andrew Tierney also investigated the findings, and he reportedly found that the Mi Browser Pro and the Mint Browser collected the same data.
As seen below, when visiting a site, the browser will send the URL being visited back to a remote host. This URL is not obfuscated in any way.
According to the Play Store, the browser has more than 15 million downloads.
Xiaomi refuted these claims
In response to these claims, China-based Xiaomi published a lengthy blog post and stated, “the research claims are untrue” and that it “strictly follows and is fully compliant with local laws and regulations on user data privacy matters.”
“Xiaomi was disappointed to read the recent article from Forbes. We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user’s privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.”
Xiaomi said that the collected data is anonymized and the company’s spokesperson denied that Mi Browser records browsing data while users are in incognito mode.
Xiaomi’s statement was shown not to be the case after security researcher Cirlig created a video proving that Mi Browser search results are sent to remote servers even when the browser is in “incognito” mode.
Forbes provided Xiaomi with that video, but the company defended its privacy protocols.
Xiaomi doesn’t think its users should feel worried as the video “shows the collection of anonymous browsing data” and that it “is one of the most common solutions adopted by internet companies.”
Manu Kumar Jain, Vice President of Xiaomi India and Managing Director, also responded to the security allegations in a video.
Xiaomi India head noted that privacy and security are their top priority:
“A news report claims that Mi Browser collects unnecessary information while browsing and sends the user data to other countries. This is incorrect and not true,” Manu Jain, Vice President and Managing Director, Xiaomi India, said in a statement.
In a Twitter post, Tierney showed how he and others could prove for themselves that the Mint browser upload usage data to Xiaomi’s servers.
Well, unsurprisingly, Xiaomi are saying that we’re wrong that their browsers send all your data in Incognito mode.
So here’s the evidence.
The app first downloaded was the “Mint Browser”. It was obtained from the Play Store direct, yesterday.https://t.co/GJedDen5B1 pic.twitter.com/lYzQdCzAwX
— Cybergibbons (@cybergibbons) April 30, 2020
Xiaomi has not responded to the latest information posted on Twitter.