“If you have a Xiaomi phone or use one of their browsers, the company is tracking your use of the web and much more.” That is how bluntly Forbes cybersecurity editor Thomas Brewster put it on his Twitter profile after publishing a report explaining how the Beijing company had allegedly been collecting user data and sending it to servers hosted in China whenever one of its web browsers was used, whether the one built into the brand’s phones or the Mint Browser app, which is available on Google Play for installation on other manufacturers’ devices.
In collaboration with several cybersecurity researchers, the report concluded that these applications were sending data packets containing information such as the history of visited web pages and URLs, the items opened through Xiaomi’s news feed, and data about the device. Most worrying of all, this data appeared to be sent even when using “incognito mode”.
Incognito mode not so private
The collection and sending of this data appeared to take place in all three web browsers that Xiaomi offers on its phones: the one integrated in MIUI, Mi Browser Pro and Mint Browser. The latter two are available on Google Play for installation on devices from other manufacturers, and together they account for more than 15 million downloads. Furthermore, the data was found to be collected both on devices running the MIUI operating system and on those based on the Android One platform.
To demonstrate how this data collection works, the researchers published a video showing the information being recorded for later transmission as the user browses the Internet. Faced with these accusations, Xiaomi explained in a statement that “the research data is not true” and that “privacy and security are [its] main concerns”.
In addition, the company alleges that the video only shows anonymous data collection, which, in the words of the brand, “is one of the most common solutions adopted by internet companies to improve the overall browser product experience through analysis of non-personally identifiable information.”
But the researchers do not seem entirely convinced by Xiaomi’s words. Above all because, although the data sent to the servers hosted in China (which belong to the Internet giant Alibaba) was nominally encrypted, the “encryption” used was base64, which is easily decoded. In addition, the browser logs contained “pings” to domains related to the Chinese analytics company Sensors Data. As if that were not enough, the researchers pointed out that, since the shared information included data identifying each device, it would not be too difficult to “relate the metadata to the human behind the screen”.
The parameter data_list is the one I am interested in.
URL decode.
base64 decode.
Gunzip.
JSON data.
I don’t think that should be there. pic.twitter.com/5CYH5FU9E4
– Cybergibbons (@cybergibbons) April 30, 2020
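The decoding steps listed in the tweet above, written out as a Python function. This is an added example, not code from the article or from the researchers. Only the parameter name data_list comes from the page; the sample record, its field names and the size cap are constructed for the demonstration.

```python
import base64
import gzip
import json
import zlib
from urllib.parse import parse_qs, urlencode

MAX_INFLATED = 1 << 20  # cap on inflated size; captured bodies are untrusted input

# Constructed sample record: every field name and value here is invented for the demo.
SAMPLE_EVENTS = [{"event": "page_view", "url": "https://example.org/search?q=test",
                  "incognito": True, "device_id": "CONSTRUCTED-DEVICE-0001"}]


def build_constructed_body() -> str:
    """Wrap SAMPLE_EVENTS the way the tweet describes: JSON -> gzip -> base64 -> URL encode."""
    packed = base64.b64encode(gzip.compress(json.dumps(SAMPLE_EVENTS).encode()))
    return urlencode({"data_list": packed.decode()})


def decode_data_list(body: str, param: str = "data_list"):
    """Reverse the layers of one captured form body and return the parsed JSON."""
    fields = parse_qs(body)                        # step 1: URL decode
    if param not in fields:
        raise KeyError(f"{param} not found in body")
    b64 = fields[param][0].replace(" ", "+")       # an unescaped '+' is parsed as a space
    b64 += "=" * (-len(b64) % 4)                   # tolerate stripped padding
    raw = base64.b64decode(b64, validate=True)     # step 2: base64 decode
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("payload is not gzip (magic bytes missing)")
    inflater = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)
    data = inflater.decompress(raw, MAX_INFLATED)  # step 3: gunzip, bounded
    if not inflater.eof:
        raise ValueError("gzip stream truncated or larger than MAX_INFLATED")
    return json.loads(data)                        # step 4: JSON


if __name__ == "__main__":
    for record in decode_data_list(build_constructed_body()):
        print(json.dumps(record, indent=2))
```

None of the layers involves a key, so anyone who can see the request body can read the record, which is why the researchers did not treat base64 as protection.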
Xiaomi responds and now allows you to disable the sending of data in incognito mode
Shortly after the publication of this report, Xiaomi decided to respond to the allegations in a post on its official blog. On May 2, an initial version of this post described how the URL collection and submission system works, reiterating that the data was anonymised before it was sent and was therefore not related to the user of the device in any way.
On the other hand, Xiaomi states that browsing history is synchronized, but only if the user is logged in to their Mi Account and the option has been activated in the browser settings. However, the company denies that the data is shared when using the browser’s incognito mode.
Later, on May 3, the brand said that a future update for Mi Browser and Mint Browser would offer users the ability to enable or disable the data aggregation system in incognito mode. That update arrived on May 4 and is now available to download through Google Play. In announcing this feature, the company indicated that its arrival, coupled with the brand’s intention to keep the shared data entirely anonymous, demonstrates the company’s commitment to user privacy.