Xiaomi Is Recording Everything About Your Private Phone Usage: Searches, Screens, Folders, Websites!
Gabi Cirlig told Forbes that his new Redmi Note 8 smartphone was spying on him by watching much of what he was doing on the phone.
Read to find out more…
The Story That Will Shake All the Xiaomi Users To the Core!
Gabi Cirlig, a cybersecurity researcher, jokingly told Forbes, “It’s a backdoor with phone functionality.”
The collected data was then being sent to remote servers hosted by another Chinese tech giant, Alibaba, which were apparently rented by Xiaomi.
Cirlig found that a massive amount of his behavior was being tracked, while various kinds of device data were also being sent. Unnerved, Cirlig discovered that his identity and his private life were being exposed to the Chinese company.
When he searched the internet on the device’s default Xiaomi browser, it recorded all the websites he visited, including search engine queries, whether on Google or the privacy-focused DuckDuckGo, and every item viewed on a news feed feature of the Xiaomi software.
The creepiest part is that the tracking appeared to be happening even if he used the private ‘incognito’ mode.
His smartphone was also recording which folders he opened and which screens he swiped to, including the status bar and the settings page. All of the data was being packaged up and sent to remote servers in Singapore and Russia, though the Web domains they hosted were registered in Beijing.
When another cybersecurity researcher, Andrew Tierney, investigated, he also found that browsers shipped by Xiaomi on Google Play, Mi Browser Pro and the Mint Browser, were collecting the same data. According to Google Play statistics, together they have more than 15 million downloads.
Cirlig describes this as a serious privacy issue and believes many more millions of users are likely to be affected. Cirlig thinks the problems affect many more models than the one he tested.
He downloaded firmware for other Xiaomi phones, including the Xiaomi MI 10, Xiaomi Redmi K20 and Xiaomi Mi MIX 3 devices. He then confirmed they had the same browser code, leading him to suspect they had the same privacy issues as well.
The Chinese company claims the data was being encrypted when transferred in an attempt to protect user privacy. However, Cirlig found he was able to quickly see just what was being taken from his device by decoding a chunk of information that was merely wrapped in base64, a reversible encoding that needs no key to undo and offers no confidentiality. Hence it can be assumed that there are issues with how Xiaomi is transferring the data to its servers. It took Cirlig just a few seconds to turn the garbled data into readable chunks of information.
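As an added illustration (not code from the Forbes piece or from the researchers), the following Python shows why base64 gives no confidentiality: a constructed telemetry record, wrapped the way the article describes, is decoded without any key, and its identifier and content fields (the field names are assumptions for this example) are flagged for the correlation risk Cirlig raises.

```python
import base64
import binascii
import json
from typing import Optional

# Constructed sample: the kind of record a browser might send, base64-wrapped.
# Field names and values are made up for this example, not captured from any device.
SAMPLE_EVENT = {
    "event": "page_view",
    "url": "https://duckduckgo.com/?q=example+search",
    "incognito": True,
    "device_id": "CONSTRUCTED-DEVICE-ID-0001",
    "android_version": "9",
    "ts": 1588000000,
}
SAMPLE_PAYLOAD = base64.b64encode(json.dumps(SAMPLE_EVENT).encode()).decode()

# Key fragments that, alone or combined, let a server tie a record to one device or person.
IDENTIFIER_HINTS = ("id", "imei", "mac", "serial", "uuid", "android_version", "model")
# Key fragments that carry what the user actually did (sites visited, searches made).
CONTENT_HINTS = ("url", "query", "search", "title")


def decode_payload(payload: str) -> Optional[dict]:
    """Base64-decode a captured blob and return the JSON object if it is readable.

    Base64 is an encoding, not encryption: no key is needed to reverse it.
    Returns None when the bytes are not valid base64 or not readable JSON,
    which is what genuinely encrypted data would look like after decoding."""
    try:
        raw = base64.b64decode(payload, validate=True)
        return json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError):
        return None


def triage(payload: str) -> dict:
    """Classify one outbound record: is it plaintext, and what does it expose?"""
    obj = decode_payload(payload)
    if obj is None:
        return {"plaintext": False, "identifiers": [], "content": [], "correlatable": False}
    identifiers = sorted(k for k in obj if any(h in k.lower() for h in IDENTIFIER_HINTS))
    content = sorted(k for k in obj if any(h in k.lower() for h in CONTENT_HINTS))
    # Identifiers and browsing content in one record is the correlation risk described above.
    return {"plaintext": True, "identifiers": identifiers, "content": content,
            "correlatable": bool(identifiers and content)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PAYLOAD), indent=2))
```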
Cirlig warned, “My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user.”
Cirlig also discovered that Xiaomi’s music player app on his phone was collecting information on his listening habits: what songs were played and when.
One message was clear to the researcher: when you’re listening, Xiaomi is listening, too.
Xiaomi’s claim to fame is its cheap devices that have many of the same qualities as higher-end smartphones. But for customers, that low cost could come with a hefty price: their privacy.
What Does Xiaomi Have to Say?
Xiaomi, valued at $50 billion, is one of the top four smartphone makers in the world by market share, behind Apple, Samsung and Huawei.
Xiaomi responded to the findings by saying, ‘The research claims are untrue,’ and ‘Privacy and security is of top concern,’ adding that it ‘strictly follows and is fully compliant with local laws and regulations on user data privacy matters.’
However, a company spokesperson confirmed it was collecting browsing data, claiming the information was anonymized so it wasn’t tied to any identity. They said that users had authorized such tracking.
As highlighted by Cirlig and Tierney, it wasn’t just the website or Web search that was sent to the server, but also data about the phone, including unique numbers identifying the specific device and the Android version. Cirlig said such metadata could ‘easily be correlated with an actual human behind the screen.’
Xiaomi’s spokesperson also denied that browsing data was being recorded under incognito mode, though both Cirlig and Tierney found in their independent tests that their web habits were sent off to remote servers regardless of what mode the browser was set to, and they provided both photos and videos as proof.
Even after Forbes presented this proof to Xiaomi, a video made by Cirlig showing how his Google search for ‘porn’ and a visit to the site PornHub were sent to remote servers while in incognito mode, the company spokesperson continued to deny that the information was being recorded. “This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information,” they added.
The cybersecurity researchers said Xiaomi’s behavior was more ‘prying’ in nature than other browsers like Google Chrome or Apple Safari. Tierney said, “It’s a lot worse than any of the mainstream browsers I have seen. Many of them take analytics, but it’s about usage and crashing. Taking browser behavior, including URLs, without explicit consent and in private browsing mode, is about as bad as it gets.”
Cirlig also suspected that his app use was being monitored by Xiaomi, as every time he opened an app, a chunk of information would be sent to a remote server.
Another researcher who’d tested Xiaomi devices, under an NDA, said he’d seen the manufacturer’s phone collect such data.
Xiaomi Searching for Reasons to Cover Their Snooping?
Xiaomi has justified their ‘surveillance’ with another reason: to better understand its users’ behavior.
The company is using the services of a behavioral analytics company called Sensors Analytics. As described in Pitchbook, a tracker of company funding, Sensors Analytics is a ‘provider of an in-depth user behavior analysis platform and professional consulting services.’ Its tools help its clients in ‘exploring the hidden stories behind the indicators in exploring the key behaviors of different businesses.’ Xiaomi is also listed as a customer on Sensors Data’s website.
The founder and CEO of Sensors Data, Sang Wenfeng, has a long history in tracking users. According to his company bio, at Chinese internet giant Baidu he built a big data platform for Baidu user logs.
Both Cirlig and Tierney found their Xiaomi apps were sending data to domains that appeared to reference Sensors Analytics, including the repeated use of the abbreviation SA. When they visited one of the domains, the page displayed one sentence: “Sensors Analytics is ready to receive your data!” There was also an API called SensorDataAPI, an API (application programming interface) being the software that allows third parties access to app data.
Xiaomi’s spokesperson confirmed its business with Sensors Analytics saying, “While Sensors Analytics provides a data analysis solution for Xiaomi, the collected anonymous data are stored on Xiaomi’s own servers and will not be shared with Sensors Analytics, or any other third-party companies.”
Are Many Other Chinese Tech Companies Spying like Xiaomi?
This is the second time in the past two months that a huge Chinese tech company has been caught watching over users’ phone habits.
A security app with a ‘private’ browser made by Cheetah Mobile, a public company listed on the New York Stock Exchange, was seen collecting information on Web use, Wi-Fi access point names and more granular data like how a user scrolled on visited Web pages. Cheetah argued it needed to collect the information to protect users and improve their experience.