Xiaomi, the world’s youngest company to reach the Fortune 500, is again facing allegations that it silently sends user data to remote servers located in Singapore and Russia, hosted under web domains registered in Beijing, China.
New research by security researchers Gabi Cirlig and Andrew Tierney claims that the company has included loopholes and backdoors on its devices to transmit data to unknown servers hosted by Alibaba in China. The research also found that pre-loaded apps on Xiaomi and Redmi devices, including the default web browser, were recording users' web history even when switched to “incognito” mode.
Update: Xiaomi has updated its browser products, including the preloaded Mi Browser, Mi Browser Pro on Google Play, and Mint Browser on Google Play. These software updates include an option in incognito mode for all users of both browsers to switch the aggregated data collection on or off.
Gabi Cirlig said that the loopholes in the devices were added intentionally to capture users’ data. He found that his Redmi Note 8 was allegedly recording which folders he opened and which screens he swiped, including the status bar and the settings page.
He also found that the flaw is not limited to the Redmi Note 8; according to him, it exists on other Xiaomi devices as well. He was able to confirm its presence by downloading the firmware for the Mi 10, Redmi K20, and Mi Mix 3.
Xiaomi appears to use the data it collects from users to understand their behavior. The company has already partnered with the behavioral analytics company Sensor Analytics, which helps understand how people use their devices.
In their research, both Cirlig and Tierney found that pre-loaded apps on Xiaomi phones were sending user data to domains that apparently contain references to Sensor Analytics.
Xiaomi has denied the claims made by the security researchers. Responding to Forbes, the company said, “The research claims are untrue.” It also stated that privacy and security are of “top concern.” Further, the company said that it doesn’t collect information in incognito mode, though it did mention that it records “anonymous browsing data” to improve the user experience. A Xiaomi spokesperson also confirmed to Forbes the relationship with Sensor Analytics for using a data analysis solution to collect “anonymous data stored on Xiaomi’s own servers.” However, the company claims that the data isn’t shared with the startup or any other third parties.
This is not the first time Xiaomi has been reported for creating loopholes to collect user data with the consent of users. The company has faced many allegations of sending user data to remote servers but has overcome these issues with some updates.
Back in 2014, the Indian Air Force raised issues about Xiaomi sharing user data with servers in China. The company has now led most brands in sales in the country for more than a year, with about 30% market share.