UC Browser leaks sensitive data, shows study

UC Browser, one of the most popular mobile web browsers in India and China, contains multiple security and privacy issues in both the English and Chinese versions of its Android app, according to a study by a Canadian technology research group Citizen Lab.
 

UC Browser, with more than 500 million registered users, is owned by Alibaba. 
 

Researchers have found that both versions of UC Browser (Chinese and English) leak information to third parties but that privacy and security concerns for the Chinese language UC Browser are much better. The leakage of the IMSI, IMEI, and geo-location information can identify a cellular subscriber, the device they are using, and their specific location. As a result of weak encryption used by the browser, any party with access to data traffic — either real-time or historical — can link specific devices to specific places at specific times. And, if the decrypting party has a large volume of data, it can track subscribers vis-a-vis their mobile devices as they move around the world.
 

In many political jurisdictions (including China and India) it is common for authorities to require telecommunication companies, cellular providers, and internet cafes to share the collected data with security agencies as a condition of obtaining an operating licence. By leaking a large volume of fine-grained data points to multiple network operators, the UC Browser app is increasing the risks to its users, as such data might be used against them by authorities, criminals, or other third parties, highlighted the study.
 

The data leakages are particularly problematic for individuals using their devices to engage in sensitive communications or for whom disclosing their physical location could place them at increased risk. Similarly, individuals concerned with protecting sensitive activities related to their work while travelling or communicating should be concerned about the potential for industrial espionage, the study said.
 

It added that though UC Browser (English) leaked considerably less identifying information, users might be surprised to realise that, despite the presence of an icon suggesting security in one of the search bars, their search terms were transmitted without encryption to Google and Yahoo! India servers.
 

The concerns identified by the study with respect to UC Browser demonstrate the larger challenges of ensuring user security and privacy within the burgeoning market for mobile applications. The mobile ecosystem is complex and multi-layered, involving large volumes of personally identifiable information that are transmitted across networks, devices, operating systems, and applications owned and operated by numerous private companies across many political and regulatory jurisdictions. Such a complex system underscores the importance of systematically evaluating the privacy and security of mobile communications as they become integral to the everyday lives of individuals and communities worldwide.
 

Alibaba spokesman Bob Christie said the problems were immediately fixed and customers notified of an update to the browser after Citizen Lab brought the issues to Alibaba’s attention in April, according to a Reuters report. “We take security very seriously and we do everything possible to protect our users,” he said.