Chinese smartphone maker Xiaomi has been accused of tracking users' private data through its web browser and sending the information to its remote servers.
The company, which is currently valued at $50 billion, is among the top four smartphone manufacturers in the world by market share.
According to Forbes, security researcher Gabi Cirlig recently noticed that his Xiaomi Redmi Note 8 was tracking all of his activities on the smartphone's default web browser and sending the data to remote servers hosted in Russia and Singapore.
Cirlig states that these servers are hosted by Chinese firm Alibaba and supposedly rented by Xiaomi.
What is even more worrying is that the data being sent can be easily linked with a particular user, enabling the firm to identify all the individuals they want to track.
Cirlig says Xiaomi's default browser on the Redmi Note 8 device tracked all the websites he accessed, and also recorded the search queries that he made using Google or even through the privacy-focused DuckDuckGo search engine. The tracking continued even when he switched to private Incognito mode.
The phone also recorded the details on folders he accessed and screens he swiped.
And Xiaomi's music player app was found to be recording what songs the user played and at what time.
Cirlig suspects that the same type of data harvesting is also happening on other smartphone models, including the Mi 10, Mi MIX 3 and Redmi K20.
At Forbes' request, another cyber security researcher, Andrew Tierney, also probed the findings and confirmed that Xiaomi browsers on Google Play - Mi Browser Pro and the Mint Browser - were harvesting the same data.
"So @Xiaomi have updated their blog, with more irrelevance. I'm not backing down on this." — Andrew Tierney (@cybergibbons) May 02, 2020
The two browsers have been downloaded more than 15 million times, as per Google Play statistics.
In a blog post, Xiaomi described the claims as untrue, stressing that the company strictly follows all local laws and guidelines on user data privacy.
"We feel they have misunderstood what we communicated regarding our data privacy principles and policy," the company said.
"Our user's privacy and internet security is of top priority at Xiaomi; we are confident that we strictly follow and are fully compliant with local laws and regulations. We have reached out to Forbes to offer clarity on this unfortunate misinterpretation."