Researchers at Citizen Lab have analyzed the popular mobile web browser UC Browser and discovered that it’s plagued by some serious security and privacy issues.
Citizen Lab is an interdisciplinary laboratory based at the University of Toronto that focuses on studying information and communication technologies (ICT), human rights, and global security matters. The laboratory decided to conduct an analysis of UC Browser after being contacted by media organizations for comments on a 2012 document from Canada’s Communications Security Establishment (CSE). The document, leaked by former NSA contractor Edward Snowden, reveals the existence of vulnerabilities in UC Browser.
UC Browser is developed by Alibaba-owned UCWeb and it’s one of the most popular mobile browsers in China and India. The application is said to have more than 500 million users worldwide. Citizen Lab has analyzed the English and Chinese language editions of UC Browser for Android and found that both, particularly the Chinese version, leak information.
Researchers have analyzed the cellular network data and Wi-Fi traffic of UC Browser, and the application’s data retention practices. In their tests, experts first analyzed the traffic to and from the device while the application was left idle for 270 seconds.
In the case of the Chinese version, when it’s connected to the Internet via the phone’s mobile data connection, the browser’s AMAP component, an Alibaba mapping tool, sends user and device identifiers (IMSI, IMEI) and location data (cell tower data) to a remote server. Umeng, an Alibaba analytics tool, also sends device identifiers (IMSI, IMEI, Android ID) to a remote location.
According to Citizen Lab, the AMAP data is sent to the server using easily circumvented encryption, while the Umeng data is sent without any sort of encryption.
When the device is connected to the Web using Wi-Fi, the same data and additional Wi-Fi-related data is collected and sent with weak or no encryption. The Wi-Fi details include the phone’s MAC address, the SSID, and the MAC address of the Wi-Fi access point.
After conducting idle tests, researchers verified the browser’s behavior when search queries are performed. By default, the Chinese version of UC Browser uses the mobile search service Shenma, while the English edition uses Google and Yahoo India.
Researchers determined that in the Chinese version, search queries made via the dedicated search bar are sent to Shenma without being encrypted.
Another problem identified by experts in the Chinese edition is that private data is not properly deleted when users clear the cache, cookies, login records, input history and browser history from UC Browser’s settings menu. Citizen Lab found that while most of the data was deleted properly, a record of the application’s DNS lookups remained on the device.
“This DNS data was stored in the cache as a serialized LinkedHashMap, and persisted even after all other data in the cache had been cleared using the application’s feature to clear private browsing data,” Citizen Lab noted in its report. “There was sufficient plaintext remaining that the records could be read using a simple text editor. In other words, even if a user attempts to clear browsing records their personal data remains available for scrutiny and can be trivially accessed.”
As for the English version of UC Browser for Android, researchers said they haven’t found any data being transmitted while the device was idle, and they haven’t identified any issues with data storage. The only problem was that search queries were sent to Google and Yahoo India without being encrypted.
These security and privacy issues were reported to UCWeb and Alibaba on April 15. Alibaba told Citizen Lab on April 19 that its security engineers were investigating the issues, but researchers haven’t heard from the company ever since.
On May 19, two days before publishing its report, Citizen Lab downloaded the latest version of the Chinese edition of UC Browser, 10.4.1-576, and tested it once again. Researchers found that the developer addressed the issue related to location data being sent insecurely to AMAP, but the rest of the weaknesses still exist.
“We take security very seriously and we do everything possible to protect our users. Recently we were alerted to a potential concern with a third party component used by the browser and we moved swiftly to investigate this concern,” an Alibaba Group spokesperson told SecurityWeek. “We have no evidence that any user information has been taken. However, to address these potential concerns, UCWeb has already proactively asked UC Browser users to update their browsers to the latest version.”
“In many political jurisdictions (including China and India) it is common for authorities to require telecommunications companies, cellular providers, and Internet cafes to share the data they collect with security agencies as a condition of obtaining an operating license. By leaking a large volume of fine-grained data points to multiple network operators, the UC Browser app is increasing the risks to its users that such data may be used against them by authorities, criminals, or other third parties,” Citizen Lab said in its report.
“The data leakages we outline are particularly problematic for individuals who use their devices to engage in sensitive communications or for whom disclosing their physical location could place them at increased risk. Similarly, individuals concerned with protecting sensitive activities related to their work while traveling or communicating should be concerned about the potential for industrial espionage,” it added.
*Updated with statement from Alibaba