One of the world’s leading web browsers collects user locations, browsing history, and identifying data from iOS and Android devices and sends it to Chinese servers even when in incognito mode, security researchers say.
The UC browser, manufactured and marketed by UCWeb, a subsidiary of the Chinese Internet giant Alibaba, “is filtering the user’s browsing and search history of its products distributed on mobile devices around the world, even when the browser is used in mode. incognito, ”wrote London. -base researcher Gabi Cirlig in a blog post yesterday (June 1). “This behavior is consistent on both Android and iOS devices.”
- Chrome vs. Firefox vs. Edge: Which browser consumes the most RAM?
- The best Android browsers
- Plus: Apple teases homeOS: is there a new smart home platform on the way?
Like Chrome, Firefox, and Safari, UC claims its incognito mode is private, Cirlig wrote. The Navigator Google Play page It says that incognito mode provides “browsing without leaving any history, cookies, caches, etc.” and that “incognito mode makes your browsing and viewing experience perfectly private and secret.”
Cirlig told Forbes that other browsers he examined, including Chrome, did not do these things while in incognito mode.
UC ranks fourth globally among web browsers, according to a Statcounter screenshot released by Cirlig, although its share amounted to just 2.3% of the global market. The major Android version of the UC browser has more than 500 million installs from Google Play alone, which are not accessible in China.
A 2018 Pieza del Wall Street Journal He said UC was “dethroning Google in Asia” outside of China. Forbes Thomas Brewster He noted that UC had many users in India until that country banned dozens of Chinese apps in mid-2020 following a deadly border skirmish between the two nations.
However, the browser has long been considered quite snoopy. Documents leaked by former NSA contractor Edward Snowden showed that Canadian intelligence discovered in early 2010 that UC browser leaked a large amount of sensitive data, a behavior that continued until at least 2015.
Sucking your information
Working with Argentina-based researcher Nicolas Agnese, Cirlig discovered that the UC browser checks the network interface identification (MAC address), the phone’s hardware identification (IMEI), the phone’s serial number, the OS version, phone type, browsing history, phone search queries. , IP address and time zone, sending everything to servers registered in China even in incognito mode on iOS or Android.
It also submits a unique proprietary device ID that appears to be specific to UC’s browser, which Cirlig noted “could easily take fingerprints of users and link them to their actual characters.”
With all this information, users can be tracked and monitored both physically and over the Internet, a far cry from the promised “perfectly private and secret” experience.
Forbes had Cirlig and Agnese’s findings verified by Andrew Tierney, a well-regarded British security researcher.
Here is a YouTube video of the data collected from the UC browser running incognito from an emulated phone.
Worse on iOS than Android
The pair found that the UC browser was a little “better” at how it handled this sensitive information on Android than it was on iOS, regardless of the fact that this type of data collection shouldn’t be happening at all.
On iOS, personal data was compressed but not encrypted before it was transmitted to Chinese servers, meaning it could be read by anyone intercepting the traffic. [Or maybe not; please see below.] On Android, the data was compressed and encrypted, although Cirlig and Agnese found a decryption key buried in the source code of the UC browser app.
[Correction: Agnese reached out to us after this story was published to point out that the data being transmitted by the iOS version of the UC browser was indeed encrypted because it went out over a standard secure browser-to-server HTTPS connection. Cirlig and Agnese had run their tests using their own HTTPS certificate, which meant they could easily decrypt HTTPS data.
To read the data transmitted by the iOS version of the UC browser, you’d have to break or evade TLS, the encryption standard used by most web browsers. This can be done using a number of methods, but that’s outside the scope of this piece.]
As of Wednesday (June 2), the English version of the UC browser disappeared from the Apple App Store in most countries, but the Chinese version remained. The Google Play store listed the main UC browser plus the “mini” and “turbo” versions, all in English.
“At the time of writing,” Cirlig wrote in his blog post, “these issues have not been fixed even after contacting Alibaba, and the user’s browsing / location data is sent to UCWeb’s servers on time. real”.