Friday, May 1, 2020

Researchers accuse Xiaomi web browsers of collecting browsing data – even in Incognito mode

Xiaomi smartphones are unanimously agreed to be one of the best value purchases available in the market at any point in time. Packing some insane hardware at some very lucrative price points, especially at the lower end of the smartphone market, these phones make an offer that a lot of people just can’t refuse. Xiaomi has also been receptive to the needs of the developer community, with decisions such as allowing bootloader unlocking without sacrificing the manufacturer’s warranty — a combination that a lot of other popular OEMs discard, as well as vastly improving upon their kernel source releases. These reasons make them one of the most popular devices in our forums, and they have rightfully earned that spot of popularity.

However, recent reports from security researchers point towards a worrying privacy issue observed in Xiaomi’s web browsers. Forbes’ cybersecurity contributor and associate editor Thomas Brewster, along with cybersecurity researchers Gabriel Cirlig and Andrew Tierney, recently concluded in a report that Xiaomi’s various web browsers were sending data to remote servers. They allege that the data being sent included a history of all websites visited, including the URLs, all search engine queries, and all the items viewed on Xiaomi’s news feed, along with device metadata. What is even more worrying about this allegation is that the data is reportedly collected even when you browse with “incognito mode” enabled.

This data collection seemingly occurs in the pre-installed stock browser on MIUI, as well as in Mi Browser Pro and Mint Browser, both of which are available for download through the Google Play Store. Together, these browsers have over 15 million downloads on the Play Store, while the stock browser is preloaded on all Xiaomi devices. The devices tested include the Xiaomi Redmi Note 8, Xiaomi Mi A1, Xiaomi Mi 10, Xiaomi Redmi K20, and the Xiaomi Mi Mix 3. There was no distinction between Xiaomi’s Android One and MIUI devices, as the collection code was found in the default browser either way. As such, this issue does not appear to be MIUI-centric; it depends on whether you use any of these three browsers on your device, irrespective of the underlying OS. Other browsers, like Google Chrome and Apple Safari, collect far less data, restricting themselves to usage and crash analytics.

Xiaomi responded by seemingly confirming that it collects browsing data, stating that the collection was fully compliant with local laws and regulations on user data privacy, and that the collected information was user-consented and anonymized. At the same time, the company denied the claims made in the research.

The researchers, however, found this claim of anonymity to be dubious. The data that Xiaomi was sending was described as “encrypted”, but it was in fact only base64-encoded, which is not encryption and can be trivially decoded. Since the browsing data can be decoded in such a trivial manner, and since the collected data also contained device metadata, this browsing data could seemingly be correlated with the actions of individual users without significant effort.
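The distinction the researchers draw between “encrypted” and merely base64-encoded is easy to check on a captured request body. The following is an added example, not part of the original article or of any Xiaomi code: it base64-decodes a telemetry body and measures whether the result is readable plaintext (URLs, JSON fields, device identifiers) rather than high-entropy ciphertext. The telemetry record and the device identifier are constructed placeholders.

```python
import base64
import binascii
import json
import math
import os
import re

# Constructed sample: a telemetry record of the kind the report describes
# (visited URL, search query, device metadata), base64-encoded but not encrypted.
SAMPLE_RECORD = {
    "url": "https://example.com/private/incognito-page",
    "query": "symptoms of rare disease",
    "device_id": "DEVICE-ID-PLACEHOLDER",  # placeholder, not a real identifier
}
SAMPLE_PAYLOAD = base64.b64encode(json.dumps(SAMPLE_RECORD).encode()).decode()
# Random bytes stand in for what properly encrypted output looks like on the wire.
RANDOM_BLOB = base64.b64encode(os.urandom(256)).decode()

URL_RE = re.compile(r"https?://[^\s\"']+")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8 for ciphertext/random data, about 4-5 for JSON or English."""
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def inspect_payload(payload: str) -> dict:
    """Base64-decode a request body; report readability, entropy, URLs and any JSON record."""
    try:
        raw = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return {"readable": False, "entropy": None, "urls": [], "record": None}
    entropy = shannon_entropy(raw)
    printable = sum(32 <= b < 127 or b in b"\t\n\r" for b in raw) / max(len(raw), 1)
    # Encoded plaintext is almost entirely printable and low-entropy; genuine
    # ciphertext fails both tests, so decoding it reveals nothing useful.
    readable = printable > 0.95 and entropy < 6.0
    text = raw.decode("utf-8", errors="replace") if readable else ""
    try:
        record = json.loads(text) if readable else None
    except json.JSONDecodeError:
        record = None
    return {"readable": readable, "entropy": entropy, "urls": URL_RE.findall(text), "record": record}
```

Run over real captured bodies, the same check tells a reviewer whether a vendor's “encrypted” telemetry is actually protected or merely obfuscated.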

Further, the researchers found that the Xiaomi browsers were pinging domains related to Sensors Analytics, a Chinese startup also known as Sensors Data, known for providing behavioral analytics services. The browsers also contained an API called SensorDataAPI. Xiaomi is also listed as a customer on the Sensors Data website.

Xiaomi has responded to the report from Forbes with denial on several aspects:

While Sensors Analytics provides a data analysis solution for Xiaomi, the collected anonymous data are stored on Xiaomi’s own servers and will not be shared with Sensors Analytics, or any other third-party companies.

The researchers responded to Xiaomi’s denial with further proof of the data collection practice.

With the information available at hand, there does appear to be a worrying privacy issue in the way these browsers function. We’ve reached out to Xiaomi for further comment on these claims.
