According to an exclusive report from Forbes, cybersecurity researcher Gabi Cirlig discovered that his Xiaomi Redmi Note 8 smartphone was watching much of what he was doing and sending that data to remote servers hosted by Chinese tech giant Alibaba, which were ostensibly rented by Xiaomi:
The seasoned cybersecurity researcher found a worrying amount of his behavior was being tracked, whilst various kinds of device data were also being harvested, leaving Cirlig spooked that his identity and his private life was being exposed to the Chinese company. When he looked around the Web on the device’s default Xiaomi browser, it recorded all the websites he visited, including search engine queries whether with Google or the privacy-focused DuckDuckGo, and every item viewed on a news feed feature of the Xiaomi software. That tracking appeared to be happening even if he used the supposedly private “incognito” mode.
The device was also recording what folders he opened and to which screens he swiped, including the status bar and the settings page. All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing. Meanwhile, at Forbes’ request, cybersecurity researcher Andrew Tierney investigated further. He also found browsers shipped by Xiaomi on Google Play — Mi Browser Pro and the Mint Browser — were collecting the same data. Together, they have more than 15 million downloads, according to Google Play statistics. Cirlig thinks that the problems affect many more models than the one he tested.
Xiaomi shot back very quickly, denying this, though the evidence is pretty black and white:
In response to the findings, Xiaomi said, “The research claims are untrue,” and “Privacy and security is of top concern,” adding that it “strictly follows and is fully compliant with local laws and regulations on user data privacy matters.” But a spokesperson confirmed it was collecting browsing data, claiming the information was anonymized so wasn’t tied to any identity. They said that users had consented to such tracking.
But, as pointed out by Cirlig and Tierney, it wasn’t just the website or Web search that was sent to the server. Xiaomi was also collecting data about the phone, including unique numbers for identifying the specific device and Android version. Cirlig said such “metadata” could “easily be correlated with an actual human behind the screen.”
Xiaomi’s spokesperson also denied that browsing data was being recorded under incognito mode. Both Cirlig and Tierney, however, found in their independent tests that their web habits were sent off to remote servers regardless of what mode the browser was set to, providing both photos and videos as proof.
When Forbes provided Xiaomi with a video made by Cirlig showing how his Google search for “porn” and a visit to the site PornHub were sent to remote servers, even when in incognito mode, the company spokesperson continued to deny that the information was being recorded. “This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information,” they added.
Sorry, I really don’t buy this response from Xiaomi for the following reasons:
- Xiaomi says that “Privacy and security is of top concern.” This is also said by Facebook, and nobody says that Facebook has a great history of protecting your privacy and ensuring your security on the platform.
- When presented with evidence, Xiaomi denied and put some spin on it.
The fact is that this looks shady as hell. Which means that if anyone asks me if they should buy a Xiaomi phone, I will say that if they value their privacy, they may want to take a hard pass on that brand of phone. Privacy and security is important, and any company that doesn’t value that and decides to harvest information from your phone doesn’t deserve your money.
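As an added illustration of the two technical points in the quoted report (browsing data leaves the device even in incognito mode, and a stable device identifier makes "anonymous" records linkable to a person), here is an offline audit script of the kind a researcher runs over captured telemetry. This is added example code, not code from Forbes, Cirlig, Tierney or Xiaomi; the record format, field names, search-engine parameter table and sample URLs are constructed assumptions and are not Xiaomi's actual wire format.

```python
"""
Added example: offline audit of browser telemetry records.
The record layout below is an assumption for illustration only;
it is not the real format sent by any Xiaomi product.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample telemetry (assumed format, not a real capture).
SAMPLE_TELEMETRY = [
    {"device_id": "d41d8cd98f00", "android": "10", "incognito": False,
     "url": "https://duckduckgo.com/?q=knee+surgery+recovery"},
    {"device_id": "d41d8cd98f00", "android": "10", "incognito": True,
     "url": "https://www.google.com/search?q=divorce+lawyer"},
    {"device_id": "d41d8cd98f00", "android": "10", "incognito": False,
     "url": "https://example-bank.test/login?user=alice@example.test"},
    {"device_id": "b7c2aa9e1f33", "android": "9", "incognito": True,
     "url": "https://news.example.test/article/42"},
]

# Search engines and the query parameter each uses (assumption for the example).
SEARCH_PARAMS = {"www.google.com": "q", "duckduckgo.com": "q", "www.bing.com": "q"}
# Loose e-mail pattern: a direct identifier that sometimes appears in URLs.
EMAIL_RE = re.compile(r"[^@\s/?&=]+@[^@\s/?&=]+\.[a-z]{2,}", re.I)


def extract_search_query(url):
    """Return the search term if the URL is a search results page, else None."""
    parsed = urlparse(url)
    param = SEARCH_PARAMS.get(parsed.netloc)
    if not param:
        return None
    values = parse_qs(parsed.query).get(param)
    return values[0] if values else None


def audit_record(record):
    """Flag what one telemetry record reveals about the user."""
    findings = set()
    url = record.get("url")
    if url:
        findings.add("full_url")                 # whole visited URL, not just the host
        if extract_search_query(url):
            findings.add("search_query")         # the search term itself
        if EMAIL_RE.search(url):
            findings.add("direct_identifier")    # e-mail address embedded in the URL
        if record.get("incognito"):
            findings.add("incognito_leak")       # sent while the browser was "private"
    if record.get("device_id"):
        findings.add("stable_device_id")         # lets records be joined per device
    return findings


def build_profiles(records):
    """Join 'anonymous' records on the stable device id.

    One record carrying a direct identifier is enough to name the whole
    profile, which is why a persistent id plus full URLs is not anonymous.
    """
    profiles = defaultdict(lambda: {"urls": [], "queries": [], "identity": None})
    for rec in records:
        prof = profiles[rec["device_id"]]
        prof["urls"].append(rec["url"])
        query = extract_search_query(rec["url"])
        if query:
            prof["queries"].append(query)
        match = EMAIL_RE.search(rec["url"])
        if match and prof["identity"] is None:
            prof["identity"] = match.group(0)
    return dict(profiles)


if __name__ == "__main__":
    for rec in SAMPLE_TELEMETRY:
        print(rec["device_id"], sorted(audit_record(rec)))
    for device, prof in build_profiles(SAMPLE_TELEMETRY).items():
        print(device, "identity:", prof["identity"], "queries:", prof["queries"])
```

The point the script makes is the one Cirlig makes in the quote: hashing or pseudonymising the device id does not matter when every record still carries the full URL, because the first URL containing a login name ties the whole browsing history to a person, and the incognito flag on the client has no effect on what is sent.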
Xiaomi Releases Browser Update To Address Spying Claims… But I Say That It’s Not Enough
Posted in Commentary with tags Xiaomi on May 5, 2020 by itnerd
Last week I posted a story that talked about Chinese phone maker Xiaomi and their apparent spying activities on users of their products. It now seems that after saying there’s nothing to see here, or that security researchers were misunderstanding what they had discovered, the company has decided to release updates to their browser to address this issue. This popped up in a blog post:
By 01:30, May 4, GMT+8 in Beijing, the software updates had been available for our browser products including preloaded Mi Browser, Mi Browser Pro on Google Play, and Mint Browser on Google Play.
The latest versions are: Mi Browser/Mi Browser Pro (v12.1.4), and Mint Browser (v3.4.3).
These software updates include an option in incognito mode for all users of both browsers to switch on/off the aggregated data collection.
We thank you all for your attention, suggestions and dedication during the past few days to further improving the overall user experience of our products and services.
Sorry Xiaomi, this isn’t good enough.
If Xiaomi really wants this to go away, they need to open themselves up to third party auditing, just like Zoom did when they went through their security issues not too long ago. By doing so they would regain the trust of their users, and it would shut people like me up as I would have very little to criticize. But I don’t see Xiaomi taking the Zoom approach to deal with this. Thus I would suggest that if you need a new Android phone, you should avoid Xiaomi phones until they prove beyond any doubt that they can be trusted.