Source: https://citizenlab.org/2015/05/a-chatty-squirrel-privacy-and-security-issues-with-uc-browser/

 

 

Researchers at Citizen Lab have analyzed the popular mobile web browser UC Browser and discovered that it’s plagued by some serious security and privacy issues.

 

Introduction & Overview

UC Browser is the most popular mobile web browser in China and India, boasting over 500 million users. This report provides a detailed analysis of how UC Browser manages and transmits user data, particularly private data, during its operation. Our research was prompted by revelations in a document leaked by Edward Snowden on which the Canadian Broadcasting Corporation (CBC) was preparing a story. The CBC contacted us requesting our comment. The document, apparently prepared in 2012 by Canada’s signals intelligence agency, the Communications Security Establishment (CSE), noted the existence of security vulnerabilities in UC Browser. Given the Citizen Lab’s ongoing research into popular Asian communications tools, and the possibility of vulnerabilities affecting a large number of users, we decided to conduct an independent investigation of UC Browser. While media outlets are publishing a story about the CSE document, we cannot determine if the problems we identify in UC Browser and that are described in this report are identical to those referenced in the 2012 CSE document.

 

Summary of findings

We have identified a series of major security and privacy issues in the English language and Chinese language editions of the Android version of UC Browser. Our notification to the parent companies is described below in detail. We found that both versions of the application leak a significant amount of personal and personally-identifiable data; as a result, any network operator or in-path actor on the network can acquire a user’s personally identifiable information (including cellular subscriber information, mobile device identifiers, geolocation data, and search queries) through trivial decrypting of traffic or by observing unencrypted traffic. Specifically, the issues we found include:
 
Transmission of personally identifiable information and user search queries without encryption:
  • User data, including IMSI, IMEI, Android ID, and Wi-Fi MAC address are sent without encryption to Umeng, an Alibaba analytics tool, in the Chinese language version.
  • User geolocation data, including longitude/latitude and street name, are transmitted without encryption by AMAP, an Alibaba mapping tool, in the Chinese language version.
  • User search queries are sent without encryption to the search engine Shenma (in the Chinese language version) or Yahoo! India and Google (in the English language version).
  • Reason for concern: The transmission of personally identifiable information, geolocation data and search queries without encryption represents a privacy risk for users because it allows anyone with access to the data traffic to identify users and their devices, and collect their private search data.
 
Transmission of personally identifiable information and geolocation data with easily circumvented encryption:
  • Location and user data, including IMSI, IMEI, and data about nearby cellular towers and Wi-Fi access points, are sent with easily circumvented encryption by AMAP, an Alibaba mapping tool, in the Chinese language version.
  • Reason for Concern: UC Browser’s transmission of personally identifiable subscriber data, mobile device identifiers, and user geolocation data without effective encryption presents a security and privacy risk for users.
 
Private user data is retained on the device even after clearing the application’s cache:
  • In the Chinese language version, when users attempt to delete their private data by clearing the application’s cache their DNS lookups are not deleted.
  • Reason for concern: The cached record of DNS lookup data would allow for a third party with access to the device to identify the websites that a user visited.

 

 
This report is a continuation of our prior work examining the security and privacy of popular mobile applications in Asia. Our previous research includes investigations of censorship practices of search engines offered by Google, Microsoft, and Yahoo! in the Chinese market along with domestic Chinese search engine Baidu. In addition, we have analyzed keyword censorship and surveillance in TOM-Skype (the Chinese version of Skype at the time) and keyword censorship in Sina UC, another Chinese instant messaging platform. We are currently conducting comparative analysis of mobile chat applications used in Asia including WeChat, LINE, and KakaoTalk.
 
We disclosed our findings to Alibaba and UCWeb on April 15, 2015, and informed them that we would publish this report on or after April 29, 2015. Alibaba responded to our notification on April 19, 2015, indicating that their security engineers were investigating the issue. We followed up on April 23, 2015 to reiterate our intention to publish this report on or after April 29, 2015. As of May 19, 2015 we have not received further communication from Alibaba or UCWeb.
 
On May 19, 2015 we tested version 10.4.1-576 of the Chinese language version of UC Browser, which was downloaded from the uc.cn website. This version does not appear to send location data insecurely to AMAP as described in this report. However, the issues we describe in this report relating to insecure data transmission to the Umeng component, as well as the lack of encryption on search queries, remain in this version. Users who use the Chinese version of UC Browser should upgrade the application and ensure they are running version 10.4.1-576 or above........

 

 

Citizen Lab is a human rights and technology research group based at the University of Toronto that focuses on studying information and communication technologies, human rights, and global security matters. The laboratory decided to conduct an analysis of UC Browser after being contacted by media organizations for comments on a 2012 document from Canada’s Communications Security Establishment. The document, leaked by former NSA contractor Edward Snowden, reveals the existence of vulnerabilities in UC Browser.

 
UC Browser is developed by Alibaba-owned UCWeb and it’s one of the most popular mobile browsers in China and India. The application is said to have more than 500 million users worldwide. Citizen Lab has analyzed the English and Chinese language editions of UC Browser for Android and found that both, particularly the Chinese version, leak information.
 
Researchers have analyzed the cellular network data and Wi-Fi traffic of UC Browser, and the application’s data retention practices. In their tests, experts first analyzed the traffic to and from the device while the application was left idle for 270 seconds.
 
In the case of the Chinese version, when it’s connected to the Internet via the phone’s mobile data connection, the browser’s AMAP component, an Alibaba mapping tool, sends user and device identifiers (IMSI, IMEI) and location data (cell tower data) to a remote server. Umeng, an Alibaba analytics tool, also sends device identifiers (IMSI, IMEI, Android ID) to a remote location.
 
According to Citizen Lab, the AMAP data is sent to the server using easily circumvented encryption, while the Umeng data is sent without any sort of encryption.
 
When the device is connected to the Web using Wi-Fi, the same data and additional Wi-Fi-related data is collected and sent with weak or no encryption. The Wi-Fi details include the phone’s MAC address, the SSID, and the MAC address of the Wi-Fi access point.
 
 
 
 
Comment from Alibaba:

"We take security very seriously and we do everything possible to protect our users. Recently we were alerted to a potential concern with a third party component used by the browser and we moved swiftly to investigate this concern. We have no evidence that any user information has been taken. However, to address these potential concerns, UCWeb has already proactively asked UC Browser users to update their browsers to the latest version."

 

 

yesterday's weirdness is tomorrow's reason why
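
An added example, not part of the original post or the Citizen Lab report: a sketch of how a tester could check captured app traffic for the identifiers listed above (IMEI, IMSI, Android ID, Wi-Fi MAC) being sent without encryption. The hostnames, parameter names, device identifiers and the request-record layout are all constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Identifiers of the test handset (constructed values, not a real device).
DEVICE = {"imei": "490154203237518", "imsi": "001010123456789",
          "android_id": "9774d56d682e549c", "wifi_mac": "02:00:5e:10:00:01"}

# Constructed capture records; hosts and parameter names are hypothetical.
SAMPLE = [
    {"scheme": "http", "host": "analytics.example.test",
     "url": "/log?imei=490154203237518&mac=02%3A00%3A5E%3A10%3A00%3A01",
     "body": "android_id=9774d56d682e549c"},
    {"scheme": "https", "host": "search.example.test",
     "url": "/q?imsi=001010123456789", "body": ""},
    {"scheme": "http", "host": "maps.example.test", "url": "/loc",
     "body": "cell=310,260,1234&mac=02005e100001&ts=143200000000000"},
]

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; use it to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def variants(name, value):
    """Forms an identifier commonly takes on the wire (lower-cased)."""
    v = value.lower()
    return {v, v.replace(":", ""), v.replace(":", "-")} if name == "wifi_mac" else {v}

def audit(requests, device=DEVICE):
    """Return sorted (host, identifier) pairs seen in unencrypted requests."""
    findings = set()
    for req in requests:
        if req["scheme"] != "http":  # TLS-protected requests are out of scope here
            continue
        text = unquote_plus(req["url"] + " " + req["body"]).lower()
        for name, value in device.items():
            if any(v in text for v in variants(name, value)):
                findings.add((req["host"], name))
        # Also flag IMEI-shaped numbers not known in advance.
        for m in re.findall(r"(?<!\d)\d{15}(?!\d)", text):
            if luhn_ok(m) and m not in device.values():
                findings.add((req["host"], "imei_like"))
    return sorted(findings)
```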


So is this only an Android issue, or were the other mobile OSes not tested yet?

I am using UC Browser on my Windows phone L920 all the time, and also right now, because it is a lot better than IE in my opinion.

 

Just Android for now I believe

Not sure if they plan on testing other devices in the future 

 

From the report:

Tests were conducted within an Android emulator and on an Android handset.

yesterday's weirdness is tomorrow's reason why
