Xiaomi is collecting user data too intensively. Moreover, this data is protected carelessly. This is the conclusion of several security researchers cited by Forbes.
Security researcher Gabi Cirlig bought a Redmi Note 8, one of Xiaomi's budget smartphones. He decided to study how this smartphone handles user data, and the result did not please him.
It turned out that all the data received by the smartphone goes to Alibaba servers, allegedly rented by Xiaomi. These servers are physically based in Singapore and Russia, but are registered in Beijing.
What kind of data is collected?
Personalized smartphone data: unique device identification numbers, Android version;
User location data;
Web browsing data from the built-in Mi Browser, collected even in incognito mode;
Data on the applications and folders the user opens on the smartphone screen;
Data from the status bar and settings menu;
Data on the music the user listens to.
According to Cirlig, some of this data is enough to identify the user.
But this is not the main problem. The fact is that Xiaomi, sending this data to the servers, claims that it is encrypted. And this is actually so. However, there is a small problem.
Xiaomi uses standard base64 encoding. According to Gabi Cirlig, it is easy to crack: he says it took him just a few seconds to decrypt some of the data.
Data sent to their servers is very easily correlated with a specific user.
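The check below is an added example, not the researcher's tooling or code from the original article: it classifies each field of a captured request body and flags values whose only protection is Base64, showing what becomes readable once they are decoded. The field names and values are constructed for illustration.

```python
import base64
import binascii
import json

# Constructed sample of captured request fields (not real Xiaomi traffic).
SAMPLE_FIELDS = {
    "event": base64.b64encode(json.dumps({
        "device_id": "EXAMPLE-0000",
        "url": "https://example.com/page",
        "incognito": True,
    }).encode()).decode(),
    # Non-text bytes standing in for a properly encrypted payload.
    "blob": base64.b64encode(bytes(range(128, 192))).decode(),
    "lang": "en-US",
}


def classify_field(value: str) -> dict:
    """Decide whether a field is protected by anything more than Base64."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "not-base64"}
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        # Binary after decoding: possibly ciphertext or compressed data.
        return {"kind": "opaque-binary"}
    if not text or not all(ch.isprintable() or ch.isspace() for ch in text):
        return {"kind": "opaque-binary"}
    finding = {"kind": "encoded-plaintext", "decoded": text}
    try:
        parsed = json.loads(text)
    except json.JSONDecodeError:
        return finding
    if isinstance(parsed, dict):
        finding["json_keys"] = sorted(parsed)  # field names readable in transit
    return finding


def audit(fields: dict) -> dict:
    """Classify every field of one captured request body."""
    return {name: classify_field(value) for name, value in fields.items()}


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_FIELDS).items():
        print(name, finding)
```

A field reported as `encoded-plaintext` offers no confidentiality beyond whatever the transport layer provides; `opaque-binary` only means the content is not readable text and still needs separate review.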
Cirlig also suspects that Xiaomi is tracking how users use applications. This is evidenced by the information sent to the server while the smartphone is in use. An anonymous Forbes source, who previously tested the company's smartphones, confirmed this information.
What does Xiaomi say?
That everything is within the law, and the information collected is anonymous and is necessary only for the study of user habits.
The company also said that data on pages viewed in “Incognito” mode is not recorded, but there is evidence that this is not so.
After this text was published, representatives of the Russian division of Xiaomi sent us an official statement:
Xiaomi was disappointed by a recent Forbes article. The material misunderstands our position related to the principles of security and protection of personal data. The data security of our users and the safety of using the Internet are among the main priorities for Xiaomi. We are convinced that we strictly observe and comply with all requirements of local laws and regulations. We have already contacted Forbes and given our explanations regarding the unfortunate misunderstanding that arose.
Apparently, all the data received is processed by the Chinese company Sensors Analytics. This is evidenced by SensorDataAPI, as well as a link leading to the company's website.
According to PitchBook, this startup provides "a platform for in-depth analysis of user behavior and professional consulting services." All this helps to “explore the stories behind indicators, as well as study the behavior patterns of various enterprises.”
But Sensors Analytics, according to a Xiaomi representative, is only supplying a platform for analysis, and all received data is stored on the company's servers.
Probably, many users are willing to pay for the low price of smartphones with their personal data, believing that they have nothing to hide. However, each person has secrets. It does not matter what they are: a secret passion for Alla Pugacheva's 1980 album “Rise above the vanity” or for certain types of porn.
For you, this data may be worth nothing. But it is very valuable to third parties. They can use it for personalized advertising. And they can predict your behavior pattern in response to certain actions.
Almost any anonymous data can be easily deanonymized if you know what to look for. Therefore, surveillance of a smartphone – the most personal device for a person – can lead to fatal results.
UPD: added the statement from the Russian representative office of Xiaomi.