UC Browser, a popular mobile web browser in China and India owned by the Alibaba Group, has multiple security and privacy deficits, a Canadian technology research group said on Thursday. Researchers at Citizen Lab revealed that UC Browser poorly secures data in its English and Chinese language versions for Android. Sensitive user data, such as device identifiers, nearby Wi-Fi access points, and cellular tower information, as well as search queries to the search engine Shenma, are insufficiently secured by the Chinese version of the application before being transmitted, according to a report published by Citizen Lab. The Chinese version also permanently retains users’ DNS query history, which researchers discovered after trying to delete personal information using the application’s built-in personal information deletion functions.
The researchers also discovered that the English version of the application sends search queries to Yahoo! India or Google without encryption; however, it does not exhibit the other information leakages present in the Chinese version of the application.
"Our analysis shows that the information leakages in the Chinese version of the application could be used to track the location of persons either in real-time or retroactively," the researchers said. "Moreover, the application’s failure to delete DNS queries means that third parties that access the application’s cache could determine what websites a user had previously visited. Both the Chinese and English versions of the applications showcase poor security practices by failing to encrypt queries made to either Chinese- or English-based search engines."
The transmission of unencrypted search engine queries enables third parties to monitor searches as well as potentially return modified search results without the user realizing that their data has been monitored or modified. Sensitive personal information can be inferred from search results including health conditions, such as pregnancy, disease, mental and psychological conditions, marital relations, and medical information. The data can also be used by third parties to develop, use, and sell user profiles and by corporate or government agents to modify or prevent access to certain search results.
Generally, the researchers found that users of the English version of the application experience fewer privacy or security problems compared to users of the Chinese version.
Citizen Lab disclosed their findings to Alibaba on April 15, 2015. The company responded, indicating that Alibaba security engineers were investigating the issue.
The researchers later tested a newer version (10.4.1-576) of the Chinese language version of UC Browser. This version did not appear to send location data insecurely to AMAP. However, issues relating to insecure data transmission to the Umeng component, as well as the lack of encryption on search terms, did not appear to have changed in that latest version.