Xiaomi Phones Caught Harvesting User Data Via Web Browser, Even Incognito Mode

Anil - May 04, 2020



According to a report from Forbes, Xiaomi has come under fire for illegally collecting personal data from Xiaomi users. The findings were made public after a collaboration between Forbes and the security researcher Gabriel Cirlig.


The Chinese brand has been accused of collecting this data through its homegrown browser, which every Xiaomi smartphone comes equipped with by default. The collection happened even when the user chose to go into Incognito Mode or used a privacy-conscious web service like DuckDuckGo.

In particular, Gabriel Cirlig used a Redmi Note 8 to conduct one of his experiments. As it turned out, the phone recorded almost everything Cirlig did on it. The data goes further than you might expect, including the settings you changed, the songs you played, the folders you opened, and more.


The system then sent the data to storage servers in Russia and Singapore, but the domain addresses are located in Beijing, China. It was not hard for the security researcher to turn the supposedly encrypted data back into plain text, because the data was only packed with a simple encoding format called base64. Base64 is an encoding, not encryption: anyone who sees the traffic can reverse it without a key.
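The following added example (not code from the Forbes report or from Cirlig's research) shows how an auditor reviewing captured app traffic can flag fields that are merely base64-wrapped and therefore readable without any key. The request body, its field names and its values are constructed for illustration.

```python
import base64
import json

# Constructed sample body; field names and values are hypothetical.
SAMPLE_BODY = json.dumps({
    "event": "page_view",
    "incognito": True,
    "device": "a1b2c3",
    "payload": base64.b64encode(
        b'{"url": "https://duckduckgo.com/?q=private+search"}'
    ).decode(),
})


def try_base64_text(value, min_len=16):
    """Return the decoded text if value is base64 wrapping readable text, else None."""
    if not isinstance(value, str) or len(value) < min_len or len(value) % 4:
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet.
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    # Real ciphertext rarely decodes to clean printable UTF-8.
    return text if text.isprintable() else None


def find_encoded_fields(node, path="$"):
    """Walk parsed JSON and yield (path, decoded_text) for base64-wrapped strings."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from find_encoded_fields(child, f"{path}.{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_encoded_fields(child, f"{path}[{i}]")
    else:
        text = try_base64_text(node)
        if text is not None:
            yield path, text


def audit_body(body):
    """Return every field of a JSON body that is encoded but not encrypted."""
    return list(find_encoded_fields(json.loads(body)))


if __name__ == "__main__":
    for path, text in audit_body(SAMPLE_BODY):
        print(f"{path}: base64 only, readable without a key -> {text}")
```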

Cirlig also found similar flaws in several other Xiaomi phones, including the Mi Mix 3, Xiaomi Mi 10, and Redmi K20. According to Andrew Tierney, another security expert, the same suspicious behavior was caught in the company’s Mint Browser and Mi Browser Pro.


Xiaomi was quick to respond, declaring that all the findings mentioned above are “misleading and untrue”. A spokesperson said the recorded data is used for improving user experience and that no specific user is subject to privacy threats. Gabriel Cirlig later sent Xiaomi a video showing how these browsers gave away data to “unknown” servers, even in incognito mode.
