zanderthunder Posted May 1, 2020

Security researcher Gabi Cirlig has discovered that his Redmi Note 8 usage habits were being tracked and sent to servers hosted by Alibaba in Singapore and Russia that have been rented by Xiaomi. This included the folders he opened on his phone, the screens he swiped to including the status bar and the settings menu. As if that was not enough, Xiaomi was even tracking what music Cirlig was listening to using the default music player on his Redmi phone.

The security researcher also found that whenever he browsed the web using Xiaomi's default browser app, it kept a record of all the websites he visited, search engine queries, and the items viewed on the browser's newsfeed. More worryingly, the behavior continued even when using the incognito mode in the browser.

The security researcher found the same tracking code in other Xiaomi phones as well including premium models like the Redmi K20, Mi 10, and Mi Mix 3. Another security researcher Andrew Tierney discovered the same behavior in Xiaomi's Mi Browser Pro and Mint Browser, both of which are available on the Google Play Store and have over 15 million downloads combined.

What's even more worrying is that despite Xiaomi's claims that the data was being encrypted for security reasons, Cirlig found that he was easily able to decode and find readable information from it.

When reached out by Forbes, Xiaomi did confirm that it was collecting users' browsing data, though it was anonymizing them for privacy reasons. It also claimed that users consented to have their browsing history tracked. The company, however, denied that it was tracking data when incognito mode was used in the browser.

Quote:
When Forbes provided Xiaomi with a video made by Cirlig showing how his Google search for “porn” and a visit to the site PornHub were sent to remote servers, even when in incognito mode, the company spokesperson continued to deny that the information was being recorded.
“This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information,” they added.

Xiaomi is seemingly collecting the data to understand users' behavior. The company has partnered with Chinese startup Sensors Analytics which provides "an in-depth user behavior analysis platform and professional consulting services." Xiaomi confirmed its relationship with Sensor Analytics, though it noted that all the collected data are stored on its own servers and not shared with any third-party company.

Source: Xiaomi smartphones are tracking usage habits and browsing data of their owners (via Neowin)

meohmy Posted May 1, 2020

No different to Apple or Google really. If you install a good firewall on any smart phone and block everything by default, then allow to connect only those services you want to connect, you will be shocked at how many services are looking to try and connect.

Alanon Posted May 1, 2020

Wait a minute, a "security researcher" left a largely unreviewed MIUI OS to run amok on his phone, the same OS that started serving ads to users a while back? Xiaomi phones offer terrific hardware for the price, but it's blindingly obvious that data collection is the end goal.

mclaren85 Posted May 2, 2020

On 5/1/2020 at 2:07 PM, meohmy said:
No different to Apple or Google really. If you install a good firewall on any smart phone and block everything by default, then allow to connect only those services you want to connect, you will be shocked at how many services are looking to try and connect.

Which firewall do you consider good enough?

meohmy Posted May 2, 2020

Well you could try 'No Root Firewall' v4 by Grey Shirts which blocks everything by default, then allow what you want to connect, it's free in the Play Store. You will have a shock at just how many services are still trying to connect even if you disable them in Android settings. That's my favorite.

Or you can try NetGuard No Root firewall for which there is a small charge... unless you get an 'educational' version.

It's not what I consider to be good enough, it's what I have found by playing with a spare phone, if you are asking me which of those 2 I prefer, then it is definitely 'No Root Firewall' v4 by Grey Shirts but be prepared to spend a little time to configure it.

mp68terr Posted May 2, 2020

1 hour ago, meohmy said:
'No Root Firewall' v4 by Grey Shirts

Noted, thanks for the recommendation. However, how to be sure that all the connections are going through the FW? Can't the maker of the OS bypass the FW?

Archived
This topic is now archived and is closed to further replies.