Last Updated on October 6, 2022 by Ubaid Ur Rehman
Collecting data about users has become a central part of today's businesses. By monitoring users' online movements, companies track them and display ads and products accordingly. But Xiaomi has gone a step further with the sheer amount of data it collects: its devices have been found to record and transmit data that can be traced back to an individual user.
Back Door Channel in Xiaomi Phones
Gabi Cirlig, a cybersecurity researcher, identified this back door and was spooked by how much private data Xiaomi's tracking and recording code collects. According to Cirlig, Xiaomi collects much, if not almost all, of the information related to the phone's user, i.e. which web pages they open, how long they spend on a page, and so on, and then sends it to a remote server.
These remote servers are hosted by the Chinese company Alibaba and rented by Xiaomi. Cirlig also confirmed the same activity on other Xiaomi phones: the Mi MIX 3, Redmi K20 and Mi 10.
Tracking in Private Mode
While digging deeper, Cirlig also found that Xiaomi devices track the user's activity even in the browser's private mode, i.e. incognito mode. They also record information including search queries made on Google and on the privacy-focused DuckDuckGo. On the phone, the saved data includes which folders the user has opened, screen swipes, the status bar, and the settings page. This data is then sent to web domains registered in Beijing.
Track a User
Cirlig cautioned that his chief concern is privacy: the data sent to these servers can easily be linked to a specific user. He said the information tracked in the browser is sent together with the phone's metadata, which could easily be used to identify the person.
According to Xiaomi's statement, the data is fully encrypted and does not threaten users' privacy, but Cirlig found that the data is easily decoded: it is merely base64-encoded, and base64 is an encoding, not encryption, so anyone who captures the traffic can reverse it.
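To make that distinction concrete, here is an added example (not from the article or from Cirlig's research) of a check a defender can run over captured telemetry payloads: it separates base64-encoded plaintext, which anyone can reverse, from genuinely opaque data. The sample event, its URL and the placeholder device ID are constructed, not real captures.

```python
import base64
import binascii
import json
from typing import Optional

# Constructed sample telemetry event (not a real capture from any device).
_SAMPLE_EVENT = {
    "event": "page_view",
    "url": "https://example.org/search?q=private+query",
    "device_id": "DEVICE-ID-PLACEHOLDER",
}
# The kind of payload the article describes: base64 over plaintext JSON.
SAMPLE_ENCODED = base64.b64encode(json.dumps(_SAMPLE_EVENT).encode()).decode()
# Stand-in for a genuinely encrypted payload: base64 over opaque bytes
# (constructed; 0x93 is never a valid UTF-8 lead byte, so it cannot be text).
SAMPLE_OPAQUE = base64.b64encode(bytes([0x93, 0xE2, 0x81, 0xFF]) * 12).decode()


def decode_base64(payload: str) -> Optional[bytes]:
    """Strictly decode base64; return None if the payload is not base64 at all."""
    try:
        return base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_payload(payload: str) -> str:
    """Classify a captured payload as 'not-base64', 'base64-json', 'base64-text'
    or 'base64-opaque'. Only the last is consistent with real encryption."""
    raw = decode_base64(payload)
    if raw is None:
        return "not-base64"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "base64-opaque"
    try:
        json.loads(text)
        return "base64-json"
    except json.JSONDecodeError:
        return "base64-text" if text.isprintable() else "base64-opaque"


def recover_fields(payload: str) -> Optional[dict]:
    """Return the plaintext fields of a base64-encoded JSON payload, else None."""
    if classify_payload(payload) != "base64-json":
        return None
    return json.loads(decode_base64(payload).decode("utf-8"))
```

Run against captured traffic, a 'base64-json' verdict with recoverable fields is exactly the finding the article reports: readable user data behind a label of "encryption".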
Role of Sensors Analytics
Sensors Analytics is a provider of a comprehensive user behavior analysis platform and also offers specialized consulting services.
The researchers found that the data was being transferred to Sensors Analytics: for instance, they saw repeated use of "SA", use of SensorDataAPI, and, when opening the domains, a page repeatedly displaying the sentence "Sensors Analytics is ready to receive your data!". This API is software that allows third-party access to the data.
Xiaomi's Defense
Xiaomi said the research results are false, that privacy is the company's top priority, and that it follows all relevant laws and regulations.
They accepted that browser data was being collected but said it was anonymized, i.e. it could not be traced back to a specific person at all. According to the researchers, however, the metadata could easily be used to identify the person.
Xiaomi also rejected the claim that data is collected in the browser's private mode, but the researchers backed it up with videos and photos of the data being sent to remote servers.
According to Xiaomi, it collects data for behavioral analytics the way all the giants do, e.g. Google and Safari, but Cirlig claims that Xiaomi's collection is far more extensive than any of them.
Recently Xiaomi posted an article in which it set out the boundaries of when data is collected on its phones, and announced an update that will give users control over whether their data is sent to the servers, including in incognito mode.