A security researcher working with Forbes claims that Xiaomi smartphones have been collecting browsing data from those who surfed the web with the built-in browser. It gets even worse: the browser does so even when you navigate in incognito mode or when you use the DuckDuckGo web browser, which is known for its privacy-conscious protocols.
The security researcher, Gabriel Cirlig, uses a Redmi Note 8 as his daily device and observed that it records everything he does on the phone and then sends the data to servers in Singapore and Russia, even though the host of the domains is located somewhere in Beijing.
The stolen data includes screens, opened folders, settings, visited websites, music played on the app, and others.
After the data was collected, it was protected only with base64, which is an encoding rather than encryption. That made it easy for the researcher to decode it and discover what was going on.
Cirlig then downloaded ROMs for the Xiaomi Mi 10, Redmi K20 and Mi Mix 3, and noticed the same issue on all of them.
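The following is an added example, not code from the researcher or from Forbes. It shows how an analyst reviewing traffic captured from their own device can spot base64 fields that decode to browsing URLs. The request body, the field names and the event format are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

URL_RE = re.compile(r"https?://[^\s\"'\\]+")
B64_RE = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")

def try_b64(value):
    """Return decoded text if value is plausible base64 of UTF-8 text, else None."""
    v = value.strip()
    if len(v) < 16 or not B64_RE.fullmatch(v):
        return None  # too short or wrong alphabet: treat as an ordinary field
    v = v.replace("-", "+").replace("_", "/")  # accept the URL-safe alphabet too
    v += "=" * (-len(v) % 4)                   # restore stripped padding
    try:
        return base64.b64decode(v, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def find_leaked_urls(body):
    """Map each form field whose base64 value decodes to text containing URLs."""
    findings = {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        text = try_b64(value)
        if text is None:
            continue
        urls = URL_RE.findall(text)
        if urls:
            findings[name] = urls
    return findings

# Constructed sample: a hypothetical telemetry POST body, not real captured data.
_event = ('{"event":"page_view",'
          '"url":"https://example.org/search?q=private+query",'
          '"incognito":true}')
SAMPLE_BODY = urlencode({
    "app": "browser",
    "ts": "1588000000",
    "payload": base64.b64encode(_event.encode()).decode(),
})

if __name__ == "__main__":
    for field, urls in find_leaked_urls(SAMPLE_BODY).items():
        print(f"field {field!r} decodes to readable URLs: {urls}")
```

No key is involved at any step, which is why base64 gives no confidentiality to anyone who can see the request.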
Andrew Tierney, another researcher, discovered the abnormal behavior on the Mi Browser Pro and the Mint Browser alike.
Xiaomi commented that the Forbes findings are fake and misleading. An official stated that Xiaomi complies with all local laws and regulations regarding user privacy, and all of the collected data has been anonymized.
The firm is supposedly collecting the data to improve the user's browsing experience, and that is the conventional procedure. Also, the data can't be traced back to the initial user/sender.
Still, Cirlig sent a video to Xiaomi that showed how the browser sends the browsing history to specific servers, even when incognito mode is toggled on.
Chances are it might all be a campaign against Xiaomi, but abnormalities are still present, which might be a bit concerning for some users.