Xiaomi MI Incognito Mode Privacy Issues Found in 2020

Xiaomi smartphones have earned the most popular tag for their insane hardware in mid-range price value. Especially at the lower end of the smartphone, Xiaomi delivers a lot of facilities that attract the people most, than other mid-range smartphones.

In recent, security researchers have figured out privacy issues in Xiaomi MI Browser. The various web browser of Xiaomi MI is sending data such as a history of visited websites including URLs and search engine queries directly to the remote server. Even data is collecting from Incognito Mode that means it stole the private information.

Xiaomi smartphone users and security researchers were not happy with the issue of collecting data while Incognito Mode is on. The purpose of using Incognito Mode is purely going in vain. Xiaomi states that in Incognito Mode, it is obtaining only usage statistics from users and data was kept unknown. Also, Xiaomi was disappointed by misrepresented article and misunderstood the data privacy and policy. Data tracking remains enabled by default, and users have to allow the ‘Enhanced Incognito Mode’ to disable it when Incognito Mode will be turned on.

What Cyber-security researcher states on this issue?

Cyber-security researchers discovered that MI phone browser track every data continuously, even private mode, i.e. ‘Incognito mode’ may set or not. They also said an anonymous ID is using by MI Browser Pro and MI Mint Browser that linked with individual people which didn’t change over time. Xiaomi collects information based on a unique identifying number that also identifies the Android version.

Incognito Mode

Which Apps are suspected?

Xiaomi handset provides some default MI browsing apps such as MI Browser, MI Browser Pro, and MI Mint Browser. Researchers have found all the sent data by Xiaomi is encrypted in base64. It can easily decode in a trivial manner. Also, Xiaomi browsers were pinging domains connected through sensor analytics. Sensor Data is a start-up by a Chinese group, and it provides behavioural analytic service. Privacy issues do appear by functioning this Browser.

This privacy issues discovered in Redmi Note 8 by the researchers first while reviewing firmware. They also suspect Xiaomi MI 10, Xiaomi Redmi K20 and Xiaomi MI MIX 3 handset models can be affected by these issues.

In which way data have been stolen and transferred

All the collected or stolen data was directly sent to a remote server. These servers are situated in Singapore and Russia. Through the web domain, data has transferred from this remote server to the registered host in Beijing. Data collection from Incognito Mode is an example of Dark-Pattern that is an intrusive privacy setting.

Xiaomi’s response against this issue

Xiaomi MI confirms that they collect data such as system information, user interface usage, memory usage, preferences and crash reports to understand and improve the performance. Xiaomi also confirmed that they collect URLs, but it is done to recognize the web pages that load slowly. So they can improve browsing performance.

Xiaomi MI states that individual browsing data history will be synced when a user is signed in MI Account when the data sync function kept ‘On’. Then only browsing data saved. They totally deny that system will sync browsing data in incognito mode. Their statement is that during the Incognito Mode, private browsing data history will be synced if the user enables the option from setting.

In the global market, Xiaomi MI is officially present to offer the best possible user experience, compatibility and protecting user privacy. All the collected data is based on the user’s permission and consent. These collected data are used to analyze the internal system. They also said other browsers such as Google Chrome and Apple Safari also collect more or fewer data.

‘Privacy and security is a top concern’, stated by Xiaomi MI. They collect data to better understand the user. They want to improve the performance by analyzing, and so they collect data just like Google and Apple. They strictly follow local laws and regulations over the data privacy matters of the user.

Also, Xiaomi told about their several inaccuracies and misinterpretation processes for collecting Browser data, and it is not only used to identify any individual.

What changes occurred for improvement?

The new privacy setting allows MI Browser not to collect data while in Incognito Mode. But Xiaomi MI bears that this privacy issue was disabled by default previously.

The option can be accessed from the setting option in Browser > go to Incognito Mode setting > disable the ‘Enhanced Incognito Mode’.

Incognito Mode

Opt-out or Opt-in

Pushing towards the update, Xiaomi MI seems not to stop working with altogether. In a simple way, we can say, unless users cannot take steps against it, Xiaomi will collect data continuously while it is in the normal mode or in Incognito Mode.

Xiaomi MI will continue collecting data from normal mode, and there is no way to disable it. Xiaomi gives the commitment to keep users privacy by maintaining data in a non-identifiable form, including demonstrations and legal requirements. Choosing privacy-friendly Xiaomi MI always provides opt-out never opt-in.


Xiaomi MI conclude this matter by providing an update over MI Browser Pro and MI Mint Browser. They said that they would include an option in incognito mode to switch off the data collection. A software update will be submitted to Google Play store for implementing this feature.

Chinese company ‘Cheetah Mobile’ was caught in red hand while stealing data from web, Wi-Fi access point name etc. It happened just two months ago. Here also, Cheetah tries to defend that collection of data will improve and enhance the performance and user experience.

Leave a Comment