Research Note - Xiaomi Data Leak

Researchers found that Xiaomi phones were collecting user web and app usage data without permission and sending it in an unencrypted format to servers in China and other countries. This included browsing history, app usage, and device identifiers. The data collection occurred even in private browsing modes and across various Xiaomi phone models, potentially affecting millions of users. While Xiaomi claimed the data was anonymous and used for analytics, researchers believed it exposed users to privacy risks and potential cyber threats.

Uploaded by Aparajita Marwah

Xiaomi Data Leak Controversy

The allegations: White Ops researchers Gabi Cirlig and Andrew Tierney accused Xiaomi of infringing on the privacy of its phone users by recording their ‘private’ web and phone use habits. [1]

Tracking:
• Cirlig noted that the default Xiaomi browser on the device recorded all the websites he visited, captured all of his search engine queries (even when he used Google or the privacy-focused DuckDuckGo), and logged everything shown on the news feed. This tracking continued even when Incognito mode was switched on. The device also recorded which folders he opened and which screens he swiped to, including the status bar and the settings page. [2]
• That data was then sent to remote servers hosted by another Chinese tech giant, Alibaba, and leased by Xiaomi. All of the data was packaged up and sent to remote servers in Singapore and Russia, though the web domains they hosted were registered in Beijing. [3]
• The issue was investigated further (Forbes reached out to Andrew Tierney, a leading cybersecurity researcher), and it was found that the browsers Xiaomi ships on Google Play, Mi Browser Pro and the Mint Browser, were collecting the same data. Together they have more than 15 million downloads, according to Google Play statistics.
• Both Cirlig and Tierney found in their independent tests that their web habits were sent to remote servers regardless of which mode the browser was set to, and that user data was being collected. [4]

Researcher’s findings and conclusions:

[1] https://www.republicworld.com/technology-news/mobile/xiaomi-data-leak-controversy-is-xiaomi-sending-user-data-to-china.html
[2] https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/#126536661b2a
[3] https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/#126536661b2a
[4] https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/#126536661b2a

• Data collection is not unusual for such companies; however, it is normally done only with the user’s permission, which was not the case with Xiaomi.
• The data is supposed to be anonymised to protect the user’s identity. Although Xiaomi claims that the data was encrypted in transit, Cirlig found a problem with the way Xiaomi transfers data to its remote servers: the information taken from a user’s device was hidden only with an easily reversible encoding, known as base64, which can be decoded without any key. Since the data is so easy to decode, it is feared that Xiaomi would know what each user is watching on their phone.
• The problem is not particular to one model. Firmware for other Xiaomi phones, including the Xiaomi Mi 10, Xiaomi Redmi K20 and Xiaomi Mi MIX 3, was also tested, and it was confirmed that they carried the same browser code, which means these phones could also be recording the private web and phone use habits of users.

Implications:
• Behaviour analytics: Xiaomi attempted to map its users’ behaviour. It was found that Xiaomi apps were sending data to domains that appeared to reference Sensors Analytics, a behaviour analytics startup based in China. [5]
• Large-scale threat to privacy: since this problem affects multiple Xiaomi models, millions of users are likely to be affected.
• Third-party attacks: as per Forbes, the data lacks any stringent encryption standard, because Xiaomi relays user data using the very rudimentary base64 encoding, which can be intercepted and decoded by malicious users into plain, readable text. This would leave users susceptible to fraud and scams from attackers.
• The type of data collected includes a user’s browsing history and accessed services, app usage behaviour and even music listening preferences. The data set also includes unique device identification numbers, all in a traceable package that can be decoded while in transit to the remote servers. Hence, these can be used by malicious attackers to breach user identities, leading to acts of cyber espionage, blackmail, data and identity theft, and more. [6]

[5] https://www.forbes.com/sites/thomasbrewster/2020/04/30/exclusive-warning-over-chinese-mobile-giant-xiaomi-recording-millions-of-peoples-private-web-and-phone-use/#126536661b2a
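The two base64 points above (the findings and the third-party-attack implication) rest on one fact: base64 is a keyless, reversible encoding, not encryption. The following is an added example, not code from the research note, from Forbes or from Xiaomi. It builds a constructed telemetry record of the kind the researchers described, shows that wrapping it in base64 is undone with a single library call, gives a small check an outbound-traffic monitor could use to flag such "encoded but readable" payloads, and contrasts that with a minimal pseudonymisation step (a keyed HMAC over the device identifier, plus stripping query strings from URLs). The record, the key and the field names are all constructed for illustration and do not represent Xiaomi's real format.

```python
import base64
import hashlib
import hmac
import json
import string
from urllib.parse import urlsplit, urlunsplit

# Constructed telemetry record in the spirit of what the researchers described
# (browsing history, app usage, a device identifier). Not a real Xiaomi format.
SAMPLE_RECORD = {
    "device_id": "CONSTRUCTED-DEVICE-ID-0001",
    "visited": [
        "https://duckduckgo.com/?q=symptoms+of+flu",
        "https://example.org/news/article?id=42",
    ],
    "screen": "settings",
}

# Constructed server-side secret for pseudonymisation; in a real deployment it
# lives only on the collector, never on the handset.
CONSTRUCTED_KEY = b"constructed-collector-secret"


def package_with_base64(record: dict) -> str:
    """The scheme the note describes: JSON wrapped in base64 and sent as-is.
    Base64 is a keyless, reversible encoding; it is not encryption."""
    return base64.b64encode(json.dumps(record).encode("utf-8")).decode("ascii")


def decode_captured_payload(payload: str) -> dict:
    """Anyone holding the bytes in transit reverses base64 with one library call."""
    return json.loads(base64.b64decode(payload))


def looks_like_readable_base64(payload: str, min_len: int = 16) -> bool:
    """Check for an outbound-traffic monitor: does this blob base64-decode to
    printable text? If yes, the 'protection' is encoding, not encryption, and
    the flow deserves review."""
    if len(payload) < min_len:
        return False
    try:
        raw = base64.b64decode(payload, validate=True)
        text = raw.decode("utf-8")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return all(ch in string.printable for ch in text)


def pseudonymise(record: dict, key: bytes) -> dict:
    """Minimal mitigation for the identifier and content problems:
    - replace the raw device id with HMAC-SHA256(key, id): stable enough for
      analytics joins, but not reversible without the collector's key;
    - drop query strings from URLs (search terms live there) before sending.
    Confidentiality in transit still needs TLS; that is outside this snippet."""
    token = hmac.new(key, record["device_id"].encode("utf-8"), hashlib.sha256).hexdigest()
    trimmed = []
    for url in record["visited"]:
        parts = urlsplit(url)
        trimmed.append(urlunsplit((parts.scheme, parts.netloc, parts.path, "", "")))
    return {"device_token": token, "visited": trimmed, "screen": record["screen"]}


def demo() -> dict:
    """Runs the three steps on the constructed record and returns the results."""
    wire = package_with_base64(SAMPLE_RECORD)
    return {
        "wire": wire,
        "recovered": decode_captured_payload(wire),
        "flagged": looks_like_readable_base64(wire),
        "pseudonymised": pseudonymise(SAMPLE_RECORD, CONSTRUCTED_KEY),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints the base64 "wire" form, the fully recovered record (identical to the input, with the search query intact), `flagged: True` from the monitor check, and the pseudonymised form in which the search terms are gone and the device identifier has become a 64-hex-character token. The HMAC is deterministic per key, so the collector can still count a device's sessions, but an interceptor without the key cannot recover the original identifier.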

Most recent development:

May 4 - Xiaomi has roundly refuted all claims in an official statement [7], stating that the only data it collects:
• is collected with user consent;
• is completely anonymised and used only for analytical purposes;
• passes through servers compliant with local law;
• is secured by third-party certified, industry-standard security practices.

[6] https://www.news18.com/news/tech/xiaomi-users-beware-your-data-is-being-read-by-chinese-servers-2600767.html
[7] https://blog.mi.com/en/2020/05/02/live-post-evidence-and-statement-in-response-to-media-coverage-on-our-privacy-policy/
