Home News and Updates Xiaomi Data Theft: Security researcher claims of data harvesting, company denies claim [Update: Xiaomi Updates Browser]

Xiaomi Data Theft: Security researcher claims of data harvesting, company denies claim [Update: Xiaomi Updates Browser]

by John Bhatt
0 comment 60 views

Security researcher Gabi Cirlig has accused Xiaomi Data Theft. According to video proof shared, Xiaomi is found harvesting user data & browser history.

[Update] Xiaomi Updates Default Browser – 04 May 2020

After the Data Collecting article brought lots of criticism, Xiaomi has updated default browser on MIUI with data tracking protection in Incognito mode. Below screenshot is from POCO F1 running on Android 10 based MIUI 11 getting Browser Version V12.1.4-g with changelog mentioned as Privacy Protection Enhancement Update.

Further detail reads “Provide an option in incognito mode to switch on/off aggregated data collection”. This update is pushed on 3rd May 2020.

Xiaomi Mi Browser Update.

Xiaomi Data Theft: Data Harvesting from Browser

He even shared video proof showing that all search queries & browsing history to Xiaomi Servers.

In above video (age restriction on YouTube), researcher have searched on Mi Browser & recorded all the events fired by Operating System (MIUI).

Both Cirlig and Tierney found their Xiaomi apps were sending data to domains that appeared to reference Sensors Analytics, including the repeated use of SA. When clicking on one of the domains, the page contained one sentence: “Sensors Analytics is ready to receive your data!” There was an API called SensorDataAPI—an API (application programming interface) being the software that allows third parties access to app data. Xiaomi is also listed as a customer on Sensors Data’s website.

Forbes Article which initially published this story

Xiaomi Data Theft: Xiaomi’s Response

Xiaomi has denied the claim of involvement in any such practice. Xiaomi Data Theft raw generated by Forbes article has forced Xiaomi to issue a public post on their blog. They have denied any practice on being involved in Data Theft.

Xiaomi Data Theft - Code to collect browser data.

As per Xiaomi, all the data collected is consented by user already and they are just collecting this data to enhance user experience.

In return, Xiaomi shared some screenshot of code & security certificate of domain which is collecting data.

Xiaomi was disappointed to read the recent article from Forbes. We feel they have misunderstood what we communicated regarding our data privacy principles and policy. Our user’s privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation.”

Xiaomi Blog Post

Well, this is not the first case where Xiaomi is being accused of data theft. They were even found recording every touch & swipe action to server. Suppose for now, Xiaomi is doing all this to enhance their services and provide better services but what happens when their intentions turn evil.

What can be catastrophic?

They are fourth largest Smartphone maker in the world and if they started harvesting data from their users, they can target anything they want. Every data collected has an anonymous device ID string with data. When you combine all the data collected, you can create a profile of user with that Device ID. Now all devices are tagged with MIUI ID and all basic details like DOB, Name & Address etc. are already entered at the time of profile creation.

This can be a catastrophic situation. Hope they reduce the data collection over the period and users read and check permission granted by them while using phone.

We wish to know you view on this sensitive topic. Please let us know via comments.

0 comment

Related Articles

Leave a Reply

Do NOT follow this link or you will be banned from the site!