When Gabi Cirlig joked that his new Xiaomi phone was a backdoor with phone functionality, he was only half-joking. It seems he does have proof and insights, which he shared with Forbes, that identify Xiaomi phones as potential privacy invaders.
Cirlig first made this discovery on his own Redmi Note 8, which was monitoring his phone activities. The data gathered from these activities was being sent to a server that Xiaomi rents from Alibaba, another well-known Chinese tech company.
Cirlig then furthered his investigation by browsing the web with the phone’s default browser. Surprisingly, there was a record of all the websites he had visited, including search engine look-ups on Google and on the more privacy-oriented DuckDuckGo.
More unnerving still, online activity was recorded even in incognito mode. This, of course, led Cirlig to assume that his identity and private life were being exposed to Xiaomi.
Where does all this data go?
According to the report, it is being sent to remote servers located in Singapore and Russia, on domains originally registered in Beijing.
Andrew Tierney, a cybersecurity investigator, was called in to do additional research on the matter. This led to the further finding that apps developed by Xiaomi, including Mi Browser Pro and Mint Browser, were collecting similar data.
In-depth investigation led Tierney to download firmware for various Xiaomi phones: the Mi 10, the Redmi K20 and the Xiaomi Mi MIX 3. All were verified to contain the same browser code, which leads to suspicion that they all share the same privacy issues.
Xiaomi denies the data privacy issue
Xiaomi said that the data was being encrypted when transferred in order to protect user privacy. However, the data was protected only by a form of simple encryption known as base64, and Cirlig was able to decode bits of hidden information. He notes that it can be further traced back to the actual user.
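Base64 can be reversed by anyone without a key, which is why the captured data was readable. The following added example (not code from Cirlig, Tierney or Xiaomi) audits a captured form-encoded request body for base64-wrapped fields and lists the URLs they reveal; the field names and the sample payload are constructed assumptions, not Xiaomi's actual telemetry format.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

# A long run of base64 (standard or URL-safe) characters, optionally padded.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")
URL_RE = re.compile(r"https?://[^\s\"'&]+")


def try_b64(value):
    """Return the decoded text if value is base64 wrapping printable UTF-8, else None."""
    if not B64_RE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)  # restore stripped padding
    std = padded.replace("-", "+").replace("_", "/")  # normalise URL-safe alphabet
    try:
        text = base64.b64decode(std, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # looked like base64 but is not readable text
    return text if text.isprintable() else None


def audit_body(body):
    """Map each form field that decodes from base64 to the URLs found inside it."""
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        decoded = try_b64(value)
        if decoded is not None:
            findings[name] = URL_RE.findall(decoded)
    return findings


def sample_body():
    """Constructed capture: one plain field and one base64-wrapped JSON event."""
    event = ('{"event":"page_view",'
             '"url":"https://duckduckgo.com/?q=private+search","incognito":true}')
    return urlencode({
        "model": "Redmi Note 8",  # plain field, must not be flagged
        "data": base64.b64encode(event.encode()).decode(),  # hypothetical field name
    })


if __name__ == "__main__":
    for field, urls in audit_body(sample_body()).items():
        print(f"field {field!r} is base64 and exposes: {urls}")
```

Any field this audit flags is readable by whoever can see the request body, so it should be treated as plaintext when assessing what an app discloses.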
The Chinese company maintains that these claims are untrue and that privacy and security have always been a top priority for it. However, a spokesperson confirmed that it was collecting browsing data, but insisted that anonymity was being maintained. He also added that it is done with consent, as users have opted in to being tracked. Meanwhile, Xiaomi denied that it was able to ‘spy’ through incognito mode.
On top of the tracking of web browsing activity even in incognito mode, Cirlig also discovered that Xiaomi’s Music app records the songs he plays and when he listens to them.
To Cirlig and Tierney, this kind of behavior by Xiaomi seems much more invasive than that of browsers like Google Chrome or Apple Safari.
Why does Xiaomi collect data?
Then again, Xiaomi has another excuse for collecting data: to better understand its customers’ behavior. This is done through the services of Sensor Analytics, a behavioral analytics company.
True enough, Cirlig and Tierney were able to find apps that were transferring data to domains which seem to pertain to Sensor Analytics (SA). The SensorDataAPI was also found to appear frequently.
This is the second time within two months that one of the biggest technology names in China has been spotted spying on users’ phone activities.
Whatever you choose to believe, it goes to show that one must be wary of how one uses a phone and its applications. Again, extra precautions to protect one’s identity and personal information must be practiced at all times, and not just by those who use Xiaomi products.