Xiaomi Devices Found Tracking And Recording Browsing Data Of Millions

Marko :)

Xiaomi Devices Found Tracking And Recording Browsing Data Of Millions
The tracking extends to browser's Incognito mode as well
——————————————————————————————
By Charanjeet Singh May 1, 2020
——————————————————————————————

Xiaomi has been tracking and recording an insane amount of private data, from users’ phone habits to queries in Xiaomi’s default browsers.

According to a cybersecurity researcher, Cirlig, Xiaomi records all the search queries and items viewed on its default browser (Mi Browser Pro) as well as on the Mint browser. The tracking extends to Incognito mode as well.

The researcher was able to confirm the same pattern on other Xiaomi phones, including Mi 10, Redmi K20, and Mi MIX 3.

Xiaomi, in response, confirmed that it collects browsing data. However, the company says the data sent is anonymized, and users have consented to the data tracking. Meanwhile, it denied claims of information being monitored in Incognito mode.

The researcher, however, was able to prove that Xiaomi is recording Incognito mode data as well. In a video, he showcases how the information of him visiting a porn website in incognito mode is being sent to the servers.



When shown the proof, Xiaomi said, “collection of anonymous browsing data, is one of the most common solutions adopted by internet companies.”

Is it really anonymous?
When the information tracked in browsers is compiled with the phone’s “metadata” collected by Xiaomi, Cirlig says the company can easily identify a single person.

“My main concern for privacy is that the data sent to their servers can be very easily correlated with a specific user”

Other than the browser data, Cirlig also noticed monitoring in Xiaomi apps and his touches on every screen. For instance, he observed the Xiaomi default music player app collecting information on his listening habits.

Upon much digging, the researcher was able to connect the app’s data monitoring with SensorDataAPI, which enables third-party access to app data. In the case of Xiaomi, the third party was Sensors Analytics, a startup known for tracking users.

While Xiaomi validated the findings, it claimed that the data collected by Sensors Analytics remains anonymous and is stored on Xiaomi’s personal servers.


Source: Xiaomi Devices Found Tracking And Recording Browsing Data Of Millions
 

SeriousHoax

I use a Xiaomi device but it's an Android One device, so free from all the Xiaomi crap. But still I see that every day, multiple times, at least 10 times in an hour, it makes two requests to
Code:
sdkconfig.ad.intl.xiaomi.com
Is it ad related, data collection or what, I don't know, but this is weird. I use either NextDNS as the Private DNS feature or the personalDNSfilter app, so it's set to block these and all other ads and trackers related domains.
 

Freki123

The amount of "show recommendation" buttons they got in tons of menus is fun. It's like Easter: try and find it to disable it. When you look at an AdGuard firewall log: tracking.intl.miui.com, api.ad.intl.xiaomi.com are there also.
To be fair, the amount of Google icons popping up in the log is also too much for my liking :D
 

scorpionv

It could be just Xiaomi spying on their users, but I don't think so. Chinese companies can be forced to spy for the government, and they basically do it all, forced or not. China wants the world's information, just like every government does. Knowledge is power, waiting to be used at a convenient moment.

This story is a lot like the Huawei 5G spying on us story. https://www.newsmax.com/newsfront/huawei-it-artificial-intelligence-5g/2020/04/30/id/965535/
 

Marko :)

What a pain, privacy is becoming more and more of a problem. Everyone wants to know your business, what you're doing and where you're going :(
You have to expect privacy issues when using Chinese apps and devices.
That's the reason why I'm not buying cheap Chinese phones or using any Chinese software.

SeriousHoax said:
I use a Xiaomi device but it's an Android One device, so free from all the Xiaomi crap. But still I see that every day, multiple times, at least 10 times in an hour, it makes two requests to
Code:
sdkconfig.ad.intl.xiaomi.com
Is it ad related, data collection or what, I don't know, but this is weird. I use either NextDNS as the Private DNS feature or the personalDNSfilter app, so it's set to block these and all other ads and trackers related domains.

When I was looking for a new phone, I was thinking about buying a Xiaomi Android One phone. I'm happy I didn't.

Meanwhile, my Xperia is dead silent and I never saw it connect to Sony's servers except to check for updates.
According to Fossbytes, you can uninstall a lot of bloatware, including Mi Browser: How to Remove Bloatware From Android Devices?

@SeriousHoax:
I assume that will not help with the dialing back to sdkconfig.ad.intl.xiaomi.com, unless there still is some hidden program running in the background.
Actually, this isn't the first time researchers found something regarding Xiaomi browsers.

scorpionv said:
It could be just Xiaomi spying on their users, but I don't think so. Chinese companies can be forced to spy for the government, and they basically do it all, forced or not. China wants the world's information, just like every government does. Knowledge is power, waiting to be used at a convenient moment.

This story is a lot like the Huawei 5G spying on us story. https://www.newsmax.com/newsfront/huawei-it-artificial-intelligence-5g/2020/04/30/id/965535/

None of the Chinese apps have end-to-end encryption enabled, and the ones that do (from the USA and EU for example) are blocked in China for obvious reasons. That says it all...
 

Vitali Ortzi

SeriousHoax said:
I use a Xiaomi device but it's an Android One device, so free from all the Xiaomi crap. But still I see that every day, multiple times, at least 10 times in an hour, it makes two requests to
Code:
sdkconfig.ad.intl.xiaomi.com
Is it ad related, data collection or what, I don't know, but this is weird. I use either NextDNS as the Private DNS feature or the personalDNSfilter app, so it's set to block these and all other ads and trackers related domains.

Don't buy the Android One version, it usually has less value.
As you can install AOSP, Lineage anyway
 

scorpionv

Hmm, I can't directly stop dialing back to this domain, but the DNS requests to this server are blocked.

It could have IP addresses hardcoded in it, alongside the hostname. Gives the software the flexibility of DNS, but if DNS is blocked, it can just use the IP.

A standalone firewall can obviously block a lot more, if it can distinguish the bad traffic from the normal traffic.
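
The hardcoded-IP fallback described in the post above would show up in logs as a connection to an address that no DNS answer ever returned. As an added example (not from the thread; the log format, sample lines and IP addresses are constructed), this counts blocked lookups of the domains named in the thread per hour and lists destinations contacted without a prior allowed DNS answer:

```python
from collections import Counter
from datetime import datetime

# Domains named in this thread; suffix match also covers their subdomains.
WATCHED = ("sdkconfig.ad.intl.xiaomi.com", "tracking.intl.miui.com",
           "api.ad.intl.xiaomi.com")

# Constructed sample log (hypothetical format): time, kind, then fields.
SAMPLE_LOG = """\
2020-05-02T10:00:05 DNS sdkconfig.ad.intl.xiaomi.com BLOCKED -
2020-05-02T10:00:05 DNS sdkconfig.ad.intl.xiaomi.com BLOCKED -
2020-05-02T10:01:10 DNS example.org ALLOWED 192.0.2.20
2020-05-02T10:01:11 CONN 192.0.2.20:443
2020-05-02T10:06:40 DNS tracking.intl.miui.com BLOCKED -
2020-05-02T10:06:41 CONN 203.0.113.10:443
2020-05-02T11:02:00 DNS sdkconfig.ad.intl.xiaomi.com BLOCKED -
2020-05-02T11:02:03 CONN 203.0.113.10:443
"""

def parse(log):
    """Yield (datetime, kind, fields) for each non-empty log line."""
    for line in log.splitlines():
        if line.strip():
            ts, kind, *fields = line.split()
            yield datetime.fromisoformat(ts), kind, fields

def is_watched(name):
    """True for a watched domain or any subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def blocked_lookups_per_hour(log):
    """Count blocked lookups of watched domains per (hour, domain)."""
    counts = Counter()
    for ts, kind, f in parse(log):
        if kind == "DNS" and f[1] == "BLOCKED" and is_watched(f[0]):
            counts[(ts.strftime("%Y-%m-%d %H:00"), f[0].lower())] += 1
    return counts

def connections_without_dns(log):
    """Destinations contacted that no earlier allowed DNS answer returned."""
    resolved, suspects = set(), Counter()
    for _, kind, f in parse(log):
        if kind == "DNS" and f[1] == "ALLOWED":
            resolved.update(f[2].split(","))
        elif kind == "CONN":
            ip = f[0].rsplit(":", 1)[0]
            if ip not in resolved:
                suspects[ip] += 1
    return suspects
```

An address flagged by `connections_without_dns` is only a lead: cached answers from before the log window and DNS-over-HTTPS clients produce the same pattern.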
 

Marko :)

Freki123 said:
The amount of "show recommendation" buttons they got in tons of menus is fun. It's like Easter: try and find it to disable it. When you look at an AdGuard firewall log: tracking.intl.miui.com, api.ad.intl.xiaomi.com are there also.
To be fair, the amount of Google icons popping up in the log is also too much for my liking :D

If you see any app connecting to Google's servers (including Google apps), consider that normal. A lot of apps use Google API to work with Google Play Services so they can offer the ability to purchase apps through Google Play, have in-app purchases and such...

In fact, I don't mind apps connecting to Google. I know they collect data, why, what they use it for and with whom they share it. Everything is nicely and easy-to-understand written in their privacy policy. Unlike the case with Xiaomi or any other Chinese company. Google even regularly publishes a transparency report showing who asked for user data, when and what their response was. I've actually read somewhere on their site that they sometimes receive fake court orders, so they are verifying them before complying with them.

Vitali Ortzi said:
Don't buy the Android One version, it usually has less value.
As you can install AOSP, Lineage anyway

The majority of people do not know how to do that and there are chances you could brick the device. Ending up without money and a functional device.

I'd rather not buy a Chinese device and have it working without any issues instead of buying a Chinese device and potentially ruining it, if I don't know how to do it.
 

silversurfer

Xiaomi has rolled out an update for its pre-loaded Mi Browser along with the Mi Browser Pro and Mint Browser on Google Play that will allow users to turn on/off aggregated data collection in incognito mode.
 

Stopspying

Another article about this -

 

nikcave

can't get it - why do they need to know about me browsing for some local delivery services or messaging my family all those birthday wishes...
 
