Xiaomi's default web browser allegedly records users' browsing habits
Chinese OEMs such as Xiaomi, OnePlus, and Huawei are no strangers to allegations of spying on their users. Very often, these allegations are false or exaggerated, but sometimes they turn out to be true. Now, independent security researchers have found some Xiaomi phones engaging in somewhat shady behavior.
According to a report by Forbes, the Redmi Note 8 was found to be sending copious amounts of user data to Chinese-owned servers located in Singapore and Russia. Xiaomi's default web browser broadcast the researcher's browsing history and search engine queries in an encrypted format. However, it was relatively easy to decrypt the data and reduce it to a more readable form. Even switching to a more anonymous 'incognito mode' didn't make a difference. The researcher then downloaded the firmware of other popular Xiaomi releases such as the Mi 10, Redmi K20, and Mi MIX 3, and found that the problem persisted on those devices too.
To make matters worse, the phone also recorded a lot of seemingly mundane activities such as the number of swipes, the exact screens to which he swiped, the folders that he accessed, and so on. OnePlus was caught engaging in similar behavior back in 2017 with its controversial Clipboard application, so it is a bit surprising (and alarming) to see Xiaomi go down the same path. The attached video gives us a glimpse into how the tracking works.
Forbes reached out to Xiaomi for a statement. A company spokesperson denied any wrongdoing and stated that this was standard practice across all OEMs "to improve the overall browser product experience through analyzing non-personally identifiable information". The problem with that statement is that the metadata collected was far from anonymous, as it also included information such as the device ID and IMEI number, which could then be used to identify an individual.