Xiaomi and Redmi smartphones monitor users

Xiaomi is collecting user data too intensively. Moreover, this data is protected through the sleeves. This is the conclusion of several security researchers whose names are mentioned by Forbes.

What happened

Security researcher Gaby Kirlig acquired Redmi Note 8, one of Xiaomi’s budget employees. He decided to study how this smartphone behaves with user data. And the result obtained did not greatly please him.

It turned out that all the data received by the smartphone goes to Alibaba servers, allegedly rented by Xiaomi. These servers are physically based in Singapore and Russia but are registered in Beijing.

What kind of data is collected?

  • Personalized smartphone data: unique device identification numbers, Android version;
  • User location data
  • Web browsing data in the Mi Browser built-in browser. They even assembled in incognito mode;
  • Data on opening applications and folders by the user on the smartphone screen;
  • Data from the status bar and settings menu;
  • Listened to music data.

With some of this data, according to Kirlig, the user can be identified.

But this is not the main problem. The fact is that Xiaomi, sending this data to the servers, claims that it is encrypted. And this is so. However, there is a small problem.

Xiaomi uses standard base64 encoding. She, according to Gabi Kirlig, is easy to crack. According to his statement, it took him just a few seconds to decrypt some of the data.

Data sent to their servers is very easily correlated with a specific user.

Gabi Kirlig

Security researcher

Kirlig also suspects that Xiaomi is tracking how users use applications. This is evidenced by the information sent to the server while using the smartphone. Forbes anonymous interlocutor, who previously tested the company’s smartphones, confirmed this information.

What does Xiaomi say?

That everything is within the law, and the information collected is anonymous and is necessary only to study user habits.

The company also said that data on pages viewed in “Incognito” mode is not recorded, but there is evidence that this is not so.

After this text was published, representatives of the Russian division of Xiaomi sent us an official appeal:

Xiaomi was disappointed at a recent Forbes article. The material has a misunderstanding of our position related to the principles of security and protection of personal data. The data security of our users and the safety of using the Internet are among the main priorities for Xiaomi. We are convinced that we strictly observe and comply with all requirements of local laws and regulations. We already turned to Forbes and gave our explanations regarding the unfortunate misunderstanding that arose.


Share article: