Chinese phone manufacturer caught using a backdoor but it's not Huawei or ZTE
Last year, Xiaomi was the fourth-largest smartphone manufacturer in the world after shipping approximately 125.5 million units. The company has done an amazing job in India, the world's second-largest smartphone market. That's because Xiaomi produces handsets priced appropriately for the developing country; using a value for money retail strategy, Xiaomi has done very well in India.
Xiaomi's browsers have been sending user data to servers registered in Beijing
For years now, we have been waiting for Xiaomi to invade America, but year after year such a move has never come. And outside of OnePlus, Chinese phone manufacturers aren't exactly being greeted in the U.S. with open arms. Even ZTE, which was the fourth-largest smartphone shipper in the states in 2018, dropped out of the top five after being banned from accessing its U.S. supply chain. And no Chinese smartphone manufacturer wants to get the same treatment that the U.S. has given Huawei.
While Xiaomi has always tried to give the impression that it was "China's Apple" and above the fray, the company has now found itself accused of using a backdoor to send user information to a server. According to Forbes, a cybersecurity expert named Gabi Cirlig discovered some strange behavior on his Xiaomi Redmi Note 8. He found that Xiaomi's default browser was recording all of the websites he visited. Even searches made with the privacy-first search engine DuckDuck Go and websites he visited while in incognito mode were being tracked by the browser. Even worse, all of this data was being sent to servers in Singapore and Russia that used web domains registered in Beijing. These servers are being used by Xiaomi according to Cirlig.
Other researchers discovered that Xiaomi's browsers on the Google Play Store, the Mi Browser Pro, and the Mint Browser, were guilty of the same behaviors. Together, both browsers have been installed over 15 million times. And Cirlig found the same browser code on other Xiaomi handsets including the Xiaomi Mi 10, Xiaomi Redmi K20, and Xiaomi Mi MIX 3; that leads him to believe that these phones have the same privacy issues as his Redmi Note 8.
Xiaomi has responded by saying that the data it was sending to the servers was encrypted. But Cirlig said that he was able to crack the code in seconds. The cybersecurity expert also said, "My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user." That's because the data being sent to the servers included metadata associated with a specific device including its unique ID number and the Android version that it runs. Cirlig says that this data can "easily be correlated with an actual human behind the screen."
The manufacturer contradicted itself saying that the research claims weren't true and that the company "strictly follows and is fully compliant with local laws and regulations on user data privacy matters." But a spokesman for Xiaomi admitted that it was collecting data which was anonymized to prevent it from being tied to specific individuals. When Forbes showed Xiaomi a video that confirmed the behavior of the browser claimed by Cirlig, the company responded by saying, "This video shows the collection of anonymous browsing data, which is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analyzing non-personally identifiable information."
Yesterday Xiaomi published a blog post in which it said that it collects the data to check the compatibility between the operating system and apps. Xiaomi claims that the information is harvested by permission and consent from its users and is anonymous and encrypted. "The collection of aggregated usage statistics data is used for internal analysis, and we do not link any personally identifiable information to any of this data."
Today, the company wrote that it will send out an update to its browsers that will prevent a user's internet travels from being sent through Xiaomi's servers. There also will be an option in incognito mode to toggle on or toggle off data collection. Xiaomi said, "We believe this functionality, in combination with our approach of maintaining aggregated data in non-identifiable form, goes beyond any legal requirements and demonstrates our company’s commitment to user privacy."
Things that are NOT allowed: