Xiaomi phones are sending an uncomfortable amount of user data to remote servers belonging to outsourced Chinese partners, according to a report by Forbes. The issue appears intrinsic to Xiaomi's own apps, such as its default browser or the Mi Music app, which make up Xiaomi's proprietary MIUI interface. The types of data collected include a user's browsing history and accessed services, app usage behaviour and even music listening preferences. The data set also includes unique device identification numbers, all in a traceable package that can be decoded while in transit to the remote servers. Hence, these can be used by malicious attackers to breach user identities, leading to acts of cyber espionage, blackmail, data and identity theft, and more.
The biggest issue here is the lacklustre encryption standard of the data being transmitted, as well as the fact that the data is not particularly anonymised. According to the Forbes report, cyber security researchers Gabi Cirlig and Andrew Tierney both verified that Xiaomi's in-house web browsers, which are also available for download by non-Xiaomi users through the Google Play Store, were sending a startling amount of user data to company-backed remote servers, even when the browsers were set to incognito mode. The issue was spotted on popular Xiaomi devices such as the Redmi Note 8, Redmi K20, Mi 10 and others. A company spokesperson whom Forbes spoke to has denied the claim.
The remote servers in question are said to be owned by Chinese internet operations giant Alibaba, and are leased by Xiaomi. The user data that is being collected is reportedly used to generate user behaviour patterns, presumably to sell more in-house Xiaomi products by showing targeted ads. But, while this is a common practice, it appears that Xiaomi is also sending the sensitive user data to a third-party service, Sensors Analytics. However, Xiaomi has claimed that it does not store any data with Sensors Analytics, and only sends it anonymised user data in order to gain analytical inputs. The latter is now a standard practice among practically all technology companies.
Another cause of concern is the lack of a stringent encryption standard for the data that is sent. According to Forbes, Xiaomi relays the user data using the very rudimentary base64 encoding. Base64 is an encoding, not encryption: it involves no key, so anyone who intercepts the traffic can turn it back into plain, readable text. This can seemingly allow attackers to cash in on a sizeable pool of data, and target Xiaomi users with frauds and scams.
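To make the base64 point concrete, the following is an added example (not code from the Forbes report, Xiaomi or any of the apps mentioned). It wraps a constructed telemetry record in base64 the way a client might, shows that it unwraps with no key at all, and gives a defender-side check that flags captured request bodies which decode to readable JSON, i.e. telemetry that relies on encoding rather than encryption. The record fields and the function names are assumptions for illustration.

```python
import base64
import json

# Constructed sample record, modelled on the data categories the report names
# (device identifier, visited URL, mode). All values are invented placeholders.
SAMPLE_RECORD = {
    "device_id": "DEVICE-ID-PLACEHOLDER",
    "event": "page_view",
    "url": "https://example.com/private-page",
    "incognito": True,
}

# Constructed stand-in for genuine ciphertext: base64 of non-text bytes.
OPAQUE_BLOB = base64.b64encode(bytes(range(256))).decode()


def wrap_base64(record: dict) -> str:
    """Encode a record as a client might before sending it. No key is involved."""
    return base64.b64encode(json.dumps(record).encode()).decode()


def unwrap_base64(blob: str) -> dict:
    """Anyone holding the bytes can reverse the encoding; no secret is needed."""
    return json.loads(base64.b64decode(blob))


def looks_like_base64_plaintext(blob: str) -> bool:
    """Return True if a captured body is base64 that decodes to readable JSON.

    Real ciphertext fails this check because it does not decode to printable
    text; base64-wrapped plaintext passes it.
    """
    try:
        text = base64.b64decode(blob, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return False
    if not text.isprintable():
        return False
    try:
        json.loads(text)
    except json.JSONDecodeError:
        return False
    return True


def flag_encoded_bodies(bodies: list) -> list:
    """Index every captured body that is only encoded, not encrypted."""
    return [i for i, body in enumerate(bodies) if looks_like_base64_plaintext(body)]
```

Run `flag_encoded_bodies` over the request bodies from a traffic capture of an app under review; each index it returns is a body whose contents any on-path observer could read.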
Xiaomi is India's largest smartphone vendor by market share, shipping over 10 million units in the first three months of 2020. With its steady popularity in the country, such privacy gaffes can really hurt the company's long-term ambitions to hold on to its lead in one of the largest smartphone markets in the world. News18 has independently reached out to Xiaomi India for its input on the matter. The company had yet to issue an official response acknowledging or denying the issues at the time of publication of this report.