“Xiaomi Smartphones Send Sensitive Data to China,” Says IT Security Experts

“It’s a data vacuum cleaner that you can use to make phone calls,” quips IT security expert Gabriel Cîrlig on his Xiaomi smartphone when talking to Forbes.

Previously, he had proven that the Chinese manufacturer’s standard browser records every website they visit, including all entries in the search engine, and sends it to a server hosted by Alibaba in China.

Even information about offline activities such as opening folders and apps on the smartphone, the music played including the time stamp, and even swiping on the screen would be forwarded to the manufacturer.

At the same time, according to Cîrlig’s research, information on the smartphone, the Android version, and a constant user ID are transmitted. With this metadata, every user can be clearly identified, the expert fears.

The data transfer may even take place in the browser’s incognito mode.

dir=”ltr”>A bit more context on this. That's the song I just DOWNLOADED and clicked into their Mi Player app. pic.twitter.com/DHNzPkz53o

— Gabriel Cîrlig (@hookgab) May 4, 2020

Cîrlig’s research is based on the Redmi Note 8 model, but he fears that at least the Mi 10, Redmi K20 and Mi MIX 30 models are also affected. They all use the same browser code. Millions of users worldwide could be affected by the data leak.

IT specialist Andrew Tierney also checked disclosures for Forbes Cîrlig. He found that two other Xiaomi browser apps from Google’s Play Store – Mi Browser Pro and Mint Browser – also have a similar problem. Together, they are said to have been downloaded over 15 million times.

Both Cirlig and Tierney said Xiaomi’s behavior was more invasive than other browsers like Google Chrome or Apple Safari. “It’s a lot worse than any of the mainstream browsers I have seen,” Tierney said. “Many of them take analytics, but it’s about usage and crashing. Taking browser behavior, including URLs, without explicit consent and in private browsing mode, is about as bad as it gets.”

Xiaomi defends itself in a statement against Forbes and initially denies the allegations: privacy is very important for the company and it adheres to all legal provisions.

Valued at $50 billion, Xiaomi is one of the top four smartphone makers in the world by market share, behind Apple, Samsung and Huawei.

However, a company spokesman confirmed at the same time that data had been collected – but anonymized and after the users had given their consent. In incognito mode, no data was ever transmitted.

Xiaomi claimed that the data transfer only took place with the express consent of the user and the browser URL was only recorded in order to identify slow-loading websites. In addition, the data is anonymized and the user identification generated randomly.

The company ignored Cîrlig’s evidence that it was constant, however, and thus made it possible to identify the users.