Academic researchers have found security and privacy holes in China and India’s most popular mobile web browser, UC Browser, including unencrypted transmission of personally identifiable information and user search queries that may have been used by spy agencies to collect information.
Originally launched in 2004 by UCWeb and later bought by Alibaba, UC Browser is used by more than 500 million people worldwide and is available on Android, iOS, Windows Phone, and other platforms. There are Chinese and English versions of the browser; most of the security issues, however, are present in the Chinese version.
According to the report (PDF) released Thursday by the University of Toronto’s Citizen Lab research group, there are a series of major security and privacy issues in UC Browser for Android.
This analysis was prompted by a top-secret slide presentation (leaked by Edward Snowden) that was prepared in 2012 by a Canadian intelligence agency, and noted the existence of security vulnerabilities in the UC Browser application. Apparently, the UC Browser app was being used as a communication channel for spies to identify foreign “covert activities”.
In the Chinese-language version, IMSI, IMEI, Android ID, and Wi-Fi MAC addresses are sent to Alibaba's analytics tool Umeng, geolocation data are sent to Alibaba's mapping tool AMAP, and user search queries are sent to the search engine Shenma, all without encryption.
“The transmission of personally identifiable information, geolocation data and search queries without encryption represents a privacy risk for users because it allows anyone with access to the data traffic to identify users and their devices, and collect their private search data,” the Citizen Lab report states.
The Chinese version also permanently retains users’ DNS query history even after the user attempts to clear the application cache. Citizen Lab notes, “The cached record of DNS lookup data would allow for a third party with access to the device to identify the websites that a user visited.”
The English version of UC Browser didn’t have most of these vulnerabilities, nor did it store DNS lookup data as part of the private browsing data. The English version, however, did not encrypt search queries to Yahoo! India or to Google.
“Modifying the Chinese version to match the encryption used in its English counterpart could be an important step in increasing user security, as would encrypting queries to Google and Yahoo! India in the English version,” the report states.
Citizen Lab notes, however, that encryption doesn’t solve all the problems of surveillance.
“[E]ven if all data were strongly encrypted, this step would simply make it more difficult for unauthorized parties to read the contents of data transmissions,” they write. “Encrypting sensitive user data can limit the number of actors who can access the data but does not prevent the inappropriate collection, retention, and analysis of the data by application developers and their commercial partners. Put bluntly: increases in transport security do not necessarily improve corporate data handling practices.”
In keeping with the security industry practice of informing software vendors of security flaws before the public, Citizen Lab disclosed its findings to Alibaba and UCWeb on April 15, 2015. Alibaba responded that its security engineers were investigating the issue, but Citizen Lab did not hear back after repeated efforts to communicate with the company.