Xiaomi is allegedly recording user data and sending it to remote servers, according to a recent report by Forbes.

In an interview with Forbes, cybersecurity researcher Gabi Cirlig said he had noticed that his Redmi Note 8 smartphone was collecting a significant amount of metadata based on his activities on the phone, including browsing activities. That data was then being sent to remote servers rented by Xiaomi and hosted by the Chinese tech giant Alibaba, the report said.

Cirlig was able to spot a backdoor in his device: the device’s default Xiaomi browser had recorded all the websites that he had visited, his search engine queries on Google as well as on platforms such as the privacy-focused DuckDuckGo, along with all the items that he had viewed on a news feed feature of the Xiaomi software.

The phone was recording his browsing activities even when they were carried out in incognito mode.

The device had also recorded the folders that he had opened as well as the screens that he had swiped on the phone, including the status bar and the settings page.

The data was being packaged and sent to remote servers in Singapore and Russia. However, the registered web domains showed that the servers were registered in Beijing.

Forbes further brought in cybersecurity researcher Andrew Tierney to investigate. Tierney’s analysis concluded that browsers shipped by Xiaomi on Google Play (Mi Browser Pro and the Mint Browser) were collecting similar data.

To test whether other Xiaomi devices had a similar flaw, Cirlig downloaded the firmware for other phones, including the Xiaomi MI 10, Xiaomi Redmi K20 and Xiaomi Mi MIX 3 devices.

The devices had the same code that led to these issues in Cirlig’s Redmi phone. Furthermore, despite the company’s claim of data being encrypted, the cybersecurity researcher was quickly able to decode a chunk of information from the data being sent to the servers. The information was hidden with a form of easily crackable encoding called base64, the report said.
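The base64 point above matters to anyone reviewing app telemetry: base64 is a reversible encoding with no key, so a field that decodes to readable text is not encrypted. The following is an added example, not code from the Forbes report or the researchers, that audits a form-encoded request body for such fields. The field names and payload are constructed for illustration and do not represent Xiaomi's actual format.

```python
import base64
import binascii
import json
import re
from urllib.parse import parse_qsl, urlencode

# Standard or URL-safe base64 alphabet, long enough to be worth checking.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")

def try_b64_text(value):
    """Return the decoded text if value is base64 hiding printable UTF-8, else None."""
    if not B64_RE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded.replace("-", "+").replace("_", "/"), validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64, or decodes to binary (possibly real ciphertext)
    return text if text.isprintable() else None

def audit_form_body(body):
    """Map each form field that is merely base64-encoded to its recovered plaintext."""
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        text = try_b64_text(value)
        if text is not None:
            findings[name] = text
    return findings

def build_sample_body():
    """Constructed sample request body; field names and values are hypothetical."""
    event = json.dumps({"event": "page_view",
                        "url": "https://example.com/search?q=private+query",
                        "incognito": True})
    fields = {
        "ts": "1588300000",                                     # plain short value
        "data": base64.b64encode(event.encode()).decode(),      # encoded, not encrypted
        "blob": base64.b64encode(bytes(range(0x80, 0xA0))).decode(),  # stand-in for ciphertext
    }
    return urlencode(fields)

if __name__ == "__main__":
    for name, text in audit_form_body(build_sample_body()).items():
        print(f"field {name!r} is base64-encoded plaintext: {text}")
```

A field that fails this check is not proven to be encrypted; it only means the value did not decode to readable text.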

Xiaomi denied the report, stating that it wasn’t collecting or sending user data to remote servers without users’ permission. Furthermore, in an additional clarification to Forbes, it said that some amount of data was being collected for analyzing user behaviour on the device.

This is not the first instance where the Chinese smartphone maker has faced allegations of breaching privacy. Back in 2014, the Indian Air Force had sent a circular to its personnel warning them against the use of the device after a security firm had reported that the devices were pre-loaded with software to spy on users, the New Indian Express had reported. Furthermore, the same year, the company was criticized for sending user data to remote servers in China. The data was being collected and sent to the servers as soon as a user booted up their device.

The company later said that it had fixed the issue by seeking users' permission before sending data over encrypted connections, according to a Reuters report.

Xiaomi said last month that its Redmi brand has sold over 110 million units worldwide since its launch. In India, the Chinese smartphone maker held a 31 per cent market share, selling 10.3 million phones in the first quarter of 2020, according to a report by Canalys.
