A Chatty Squirrel: Privacy and Security Issues with UC Browser

May 21, 2015

Tagged: , , , , ,

Categories: Adam Senft, Andrew Hilts, Christopher Parsons, Jakub Dalek, Jason Q. Ng, John Scott-Railton, Katie Kleemola, Masashi Crete-Nishihata, Reports and Briefings, Ron Deibert, Sarah McKune

Authors: Jakub Dalek (lead), Katie Kleemola (lead), Adam Senft (lead), Christopher Parsons, Andrew Hilts, Sarah McKune, Jason Q. Ng, Masashi Crete-Nishihata, John Scott-Railton, Ronald Deibert

Media coverage: CBC News, The Intercept, Reuters, Wall Street Journal, SC Magazine, VICE, The Hacker News, Tech Times, The Straits Times, PC World, The Register, Hindustan Times.

Download PDF version.

Additional resources:

A follow-up to this report with further analysis of UC Browser is available here: A Tough Nut to Crack: A Further Look at Privacy and Security Issues in UC Browser.

Section 1 – Introduction & Overview

UC Browser is the most popular mobile web browser in China and India, boasting over 500 million users. This report provides a detailed analysis of how UC Browser manages and transmits user data, particularly private data, during its operation. Our research was prompted by revelations in a document leaked by Edward Snowden on which the Canadian Broadcasting Corporation (CBC) was preparing a story. The CBC contacted us requesting our comment. The document, apparently prepared in 2012 by Canada’s signals intelligence agency, the Communications Security Establishment (CSE), noted the existence of security vulnerabilities in UC Browser. Given the Citizen Lab’s ongoing research into popular Asian communications tools, and the possibility of vulnerabilities affecting a large number of users, we decided to conduct an independent investigation of UC Browser. While media outlets are publishing a story about the CSE document, we cannot determine if the problems we identify in UC Browser and that are described in this report are identical to those referenced in the 2012 CSE document.

Summary of findings

We have identified a series of major security and privacy issues in the English language and Chinese language editions of the Android version of UC Browser. Our notification to the parent companies is described below in detail. We found that both versions of the application leak a significant amount of personal and personally-identifiable data; as a result, any network operator or in-path actor on the network can acquire a user’s personally identifiable information (including cellular subscriber information, mobile device identifiers, geolocation data, and search queries) through trivial decrypting of traffic or by observing unencrypted traffic. Specifically, the issues we found include:

Transmission of personally identifiable information and user search queries without encryption:

  • User data, including IMSI, IMEI, Android ID, and Wi-Fi MAC address are sent without encryption to Umeng, an Alibaba analytics tool, in the Chinese language version.
  • User geolocation data, including longitude/latitude and street name, are transmitted without encryption by AMAP, an Alibaba mapping tool, in the Chinese language version.
  • User search queries are sent without encryption to the search engine Shenma (in the Chinese language version) or Yahoo! India and Google (in the English language version).
  • Reason for concern: The transmission of personally identifiable information, geolocation data and search queries without encryption represents a privacy risk for users because it allows anyone with access to the data traffic to identify users and their devices, and collect their private search data.

Transmission of personally identifiable information and geolocation data with easily circumvented encryption:

  • Location and user data, including IMSI, IMEI, and data about nearby cellular towers and Wi-Fi access points, are sent with easily circumvented encryption by AMAP, an Alibaba mapping tool, in the Chinese language version.
  • Reason for Concern: UC Browser’s transmission of personally identifiable subscriber data, mobile device identifiers, and user geolocation data without effective encryption presents a security and privacy risk for users.

Private user data is retained on the device even after clearing the application’s cache:

  • In the Chinese language version, when users attempt to delete their private data by clearing the application’s cache their DNS lookups are not deleted.
  • Reason for concern: The cached record of DNS lookup data would allow for a third party with access to the device to identify the websites that a user visited.

This report is a continuation of our prior work examining the security and privacy of popular mobile applications in Asia. Our previous research includes investigations of censorship practices of search engines offered by Google, Microsoft, and Yahoo! in the Chinese market along with domestic Chinese search engine Baidu. In addition, we have analyzed keyword censorship and surveillance in TOM-Skype (the Chinese version of Skype at the time) and keyword censorship in Sina UC, another Chinese instant messaging platform. We are currently conducting comparative analysis of mobile chat applications used in Asia including WeChat, LINE, and KakaoTalk.

For those who may be interested in more context on mobile security and privacy, please see our general introduction to mobile communications. Click on the image below to read “The Many Identifiers in our Pockets.”

Smartphone applications do not transmit data in isolation

Figure 1: Overview of mobile device data transmission.

Notification

We disclosed our findings to Alibaba and UCWeb on April 15, 2015, and informed them that we would publish this report on or after April 29, 2015. Alibaba responded to our notification on April 19, 2015, indicating that their security engineers were investigating the issue. We followed up on April 23, 2015 to reiterate our intention to publish this report on or after April 29, 2015. As of May 19, 2015 we have not received further communication from Alibaba or UCWeb.

On May 19, 2015 we tested version 10.4.1-576 of the Chinese language version of UC Browser, which was downloaded from the uc.cn website. This version does not appear to send location data insecurely to AMAP as described in this report. However, the issues we describe in this report relating to insecure data transmission to the Umeng component, as well the lack of encryption on search queries, remain in this version. Users who use the Chinese version of UC Browser should upgrade the application and ensure they are running version 10.4.1-576 or above.

Section 2 – UC Browser: Quick Background

UC Browser is a mobile web browser for Android, IOS, Windows Phone, and other platforms. A Windows version was released in April 2015. The application is the flagship product of UCWeb Inc., a Guangzhou, China-based company founded in 2004. After an initial investment by e-commerce giant Alibaba, the two companies launched the joint mobile search service Shenma. Shenma reportedly has more than 100 million users per month. In June 2014, Alibaba purchased the remaining stake in UCWeb in the biggest ever merger of Chinese Internet firms.

UC Browser is among the most popular mobile apps in the Chinese Internet space. UC Browser claims to have more than 500 million registered users, and is reported to be the most popular mobile browser in China and India. Overall, the application is the fourth most popular mobile browser globally, and is behind only pre-installed Chrome, Android, and Safari browsers.
UCWeb Inc. claims the app has 100 million daily active users, while parent company Alibaba’s 2014 prospectus reported the number of active users at 264 million in June 2014. UC Browser was ranked as the second most popular app by usage in China in January 2013. The company has also increased its global push, and claims it has at least 10 percent market share in 10 different countries.

UC Browser offers a custom default homepage with links to search engines and social media integration, as well as news, weather, and shopping services. A set of features are aimed at reducing bandwidth usage on mobile clients. “Cloud download,” for example, allows users to send downloads directly to UDisk (a UC cloud offering) in order to save on bandwidth costs. In addition to this feature, UC Browser can act as an optional proxy and compress web sites it fetches to reduce bandwidth consumption.

Section 3 – Methodology and Technical Analysis

This section describes the methods we used to analyze UC Browser, and presents detailed findings from our analysis.

We isolated specific versions of the Chinese- and English-language builds of UC Browser for Android and analyzed their mobile (cellular network) data and Wi-Fi traffic. We also analyzed the application’s data retention and deletion practices. Our analyses revealed major privacy and security issues with all of the tested versions of UC Browser. Figure 2 highlights the major findings for the Chinese language version of UC Browser.

Data leakage in UC Browser (Chinese language version)

Figure 2: A visual summary of privacy and security issues presented by UC Browser.

Test Setup

We isolated specific versions of the Chinese- and English-language builds in order to examine UC Browser’s security and privacy features. Specifically, we monitored the data that was transmitted between the application and external servers. We were specifically interested in what, if any, personally identifiable information was transmitted by UC Browser, and whether encryption was used to secure those transmissions. We analyzed the state of the application, both in-idle state (soon after the app was opened) as well as during use of the app’s features, such as searching. Lastly, we examined the data UC Browser stored on the device, and whether that data was protected with encryption.

Tests were conducted within an Android emulator and on an Android handset. All traffic sent to and from the device was collected and analyzed using the packet-capture utility WireShark. We decompiled the downloaded APKS with APKtool and then analyzed the code for functionality related to the transmission of user data.

Versions Analyzed

We analyzed two versions of UC Browser for Android. We downloaded the two versions from different app stores: the Chinese-language version of UC Browser (UC浏览器) was downloaded in March 2015 from the Xiaomi mobile app store. Henceforth we will refer to this app as UC Browser (Chinese) to distinguish between versions. We downloaded the English version, henceforth UC Browser (English), in April 2015 from the UCWeb website. These two versions have differences beyond language: by default, the Chinese version uses Shenma (sm.cn) for search, while the English version uses Yahoo! India and Google; the Chinese version has links to China-based services such as Baidu, Sina Weibo, and Youku, while the English version uses services such as Google, Facebook, and Twitter.

Side-by-side comparison of UC Browser (Chinese) and UC Browser (English).

Figure 3: Side-by-side comparison of UC Browser (Chinese) and UC Browser (English).

Side-by-side comparison of permissions requested during installation of UC Browser (Chinese) (left) and UC Browser (English) (right) versions of UC Browser.

Figure 4: Side-by-side comparison of permissions requested during installation of UC Browser (Chinese) (left) and UC Browser (English) (right) versions of UC Browser.

Figure 4 shows the permissions that the Chinese and English versions of UC Browser requires when being installed on an Android device. For the purposes of this report, it is notable that the application requests access to phone status and identity, geolocation information, the ability to read Web bookmarks and history, as well as to extensive networking information. As discussed further in the report, UC Browser (Chinese) accesses phone identity and geolocation information and transmits it insecurely.

Table 1 summarizes the two versions of UC Browser we analyzed:

Platform Version (Language) Version Date Downloaded Source
Android UC Browser (Chinese) (UC浏览器) 10.2.1_161 March 12, 2015 Xiaomi App Store: http://app.mi.com/detail/1363
Android UC Browser (English) 10.4.1.565 April 10, 2015 Direct from UC website: http://www.ucweb.com/ucbrowser/download/android.html

3.1 UC Browser (UC浏览器) Chinese language version 10.2.1_161

This section describes our findings from analyzing the Chinese language version of UC Browser (UC浏览器), downloaded from the Xiaomi mobile app store. Our test results are summarized in Table 2:

Table 2: Summary of test results for UC Browser (Chinese).

Test Mode Results
Idle test Cell only
  • The AMAP component of UC Browser (Chinese) contacts apilocate.amap.com, and sends user and device identifiers (IMSI, IMEI) and location data (cell tower data) with easily circumvented encryption.
  • The Umeng component of UC Browser (Chinese) sends device identifiers (including IMSI, IMEI, Android ID) without encryption.
Idle test Cell + Wi-Fi
  • The AMAP component  sends, with easily circumvented encryption, the same data as noted in the row above (“Cell only” mode). In addition, it sends device Wi-Fi MAC address, SSID, and MAC address of the Wi-Fi access point to which the user is connected, and nearby wireless access points.
  • The Umeng component sends the same device identifiers as noted in the row above (“Cell only” mode), with the addition of the device Wi-Fi MAC address, without encryption.
Search Cell only & Cell + Wi-Fi
  • Search queries using the search bar are sent to Alibaba’s Shenma search engine without encryption.
Data storage Cell only & Cell + Wi-Fi
  • After clearing the application’s private data, the cached record of DNS lookup data remains.

Idle test

In our first test, we launched the application, let UC Browser (Chinese) idle for 270 seconds, and collected all network traffic sent to and from the device. We then analyzed that traffic to determine what data was being sent and its destination. We performed the test first by connecting the mobile device to the Internet using a cellular connection, and, second, by connecting the device to the Internet using a Wi-Fi network.

Testing UC Browser (Chinese)’s Cellular-Only Communication

Upon starting the application, the application communicated with the following hosts over HTTP:

Hosts communicated with by UC Browser (Chinese) within 270 seconds of launching the app

Figure 5: Hosts communicated with by UC Browser (Chinese) within 270 seconds of launching the app

Easily decrypted data sent to AMAP

As seen in Figure 5, the majority of communications (57% of HTTP packets in our 270 second sample) are between the application and apilocate.amap.com. AMAP is a mobile mapping application that was originally developed by Autonavi, a company acquired by Alibaba in April 2014. AMAP is estimated to have more than 100 million users.

Investigating these communications further, we saw that a typical exchange with apilocate.amap.com looked as follows:

Sample communication between UC Browser (Chinese) and apilocate.amap.com. The user-agent string indicates this communication is from “AMAP Location SDK Android 1.0.5.” We have redacted personally identifiable data.

Figure 6: Sample communication between UC Browser (Chinese) and apilocate.amap.com. The user-agent string indicates this communication is from “AMAP Location SDK Android 1.0.5.” We have redacted personally identifiable data.

As we were interested in determining what, if any, data the application transfers from the device, the block of data sent to apilocate.amap.com was of interest. We used a freely available tool, pyhttpextract, to decipher the contents of this encoded data block. After using this tool, we saw that UC Browser (Chinese) sent the following data to apilocate.amap.com:

Deciphered communication between UC Browser (Chinese) and apilocate.amap.com. Personally identifiable data redacted with asterisks.

Figure 7: Deciphered communication between UC Browser (Chinese) and apilocate.amap.com. Personally identifiable data redacted with asterisks.

The encoded data sent within the ‘<sreq>’ structure intrigued us because it was a relatively large block of data. Its size suggested that it might contain user data. To confirm if user data was present we first analyzed how the data was encrypted. Using apktool we decompiled UC Browser (Chinese) to see how the application created and serialized the ‘<sreq>’ structure. After decompiling, we looked for the string ‘sreq’ in the outputted code and found this in a directory associated with the com/aps class (Android programs often incorporate a mix of components, called classes, sometimes from different developers).

Since the com/aps/* directory serializes the ‘sreq’ structure in which we were interested, we next examined this directory to see which .smali files (code format used by Android) translated to which .java filenames:

Mapping of smali files in com/aps directory to java source code.

Figure 8: Mapping of smali files in com/aps directory to java source code.

We examined the file Aes.java in searching for the component of the application that encrypted data in the ‘sreq’ structure (AES is a widely used form of encryption). The file showed that encryption was performed using symmetric AES/CBC encryption that used the hard-coded key ‘autonavi_amaploc’. The encryption process is shown in Figure 9:

Aes.java smali code showing AES/CBC encryption with a hard-coded key.

Figure 9: Aes.java smali code showing AES/CBC encryption with a hard-coded key.

The use of symmetric encryption with a hard-coded key means that anyone who knows the key can decrypt UC Browser (Chinese) traffic in transit. Moreover, key holders can also retroactively decrypt any historical data that they have collected or obtained.

We used a standard AES decryption tool to decrypt the ‘sreq’ data structure in order to demonstrate that retroactive decryption was possible. After formatting the structure for readability, the data sent looked as follows:

Decrypted data sent via AMAP service. Personally identifiable data redacted with asterisks.

Figure 10: Decrypted data sent via AMAP service. Personally identifiable data redacted with asterisks.

The data sent to apilocate.amap.com included a number of unique identifiers. The first set referred to the mobile device itself: the IMSI, IMEI, and unique user data related to this installation of UC Browser (Chinese). The second set referred to details of the cell tower to which the device is connected: the Mobile Country Code (MCC), Mobile Network Code (MNC), Location Area Code (LAC), Cell Tower ID, and the cell tower signal strength. In aggregate, these sets of information can be used to identify the cellular subscriber, the physical handset, and the physical location of the device.

After transmitting this location information, the application received an unencrypted response that included the longitude/latitude of the user (the ‘cenx’ and ‘ceny’ values seen below), as well as the specific street name where the user was located, as shown below in Figure 11:

Unencrypted response received by UC Browser (Chinese).

Figure 11: Unencrypted response received by UC Browser (Chinese).

Such identifications are problematic because, using the information and the rate at which the application transmits it, we can determine a cell tower location with considerable accuracy and thus geolocate the person using the application. As an example, we were able to pinpoint the location of our lab where we conducted the testing, as shown in Figure 12:

Example of location identified from MCC, MNC, LAC, and CellID.

Figure 12: Example of location identified from MCC, MNC, LAC, and CellID.

In summary, we strongly suspect that AMAP is the component of UC Browser (Chinese) that is responsible for transmitting the geolocation information. Our belief is based on the fact that the user-agent string (“AMAP Location SDK Android 1.0.5”), the location where the data is sent (apilocate.amap.com), and the text of the hard-coded key (‘‘autonavi_amaploc”) all reference AMAP. Given the apparent integration between AMAP and UCWeb we believe that it is likely that AMAP was incorporated into UC Browser (Chinese) to provide mapping and geolocation functionality.

Unencrypted data transfer to Umeng

As seen in Figure 5, UC Browser (Chinese) also periodically contacted utop.umengcloud.com and upoll.umengcloud.com when idle. Umeng is a mobile analytics service that is reportedly used by over 180,000 applications. It was purchased by Alibaba in 2013. The data structure sent, unencrypted, to utop.umengcloud.com hosts looked as follows:

GET request made to utop.umeng.cloud with a cellular Internet connection showing that application sends IMSI, IMEI, Android ID, and build serial number without encryption. Personally identifiable data redacted with asterisks.

Figure 13: GET request made to utop.umeng.cloud with a cellular Internet connection showing that application sends IMSI, IMEI, Android ID, and build serial number without encryption. Personally identifiable data redacted with asterisks.

A number of unique personal identifiers are included in this data structure. This included the IMEI, IMSI, device Android ID (‘c6’), and the build serial number (‘c5’). Like AMAP, we believe it is likely that Umeng was incorporated into UC Browser (Chinese) to provide in-app analytics.

Testing UC Browser’s Wi-Fi Communication

Easily decrypted data sent to AMAP

Upon starting the application and letting it idle for 270 seconds while connected to a Wi-Fi network, we found that UC Browser (Chinese) sent the same easily-decrypted user data seen in Cell only communication. However, in addition the application sent data about nearby Wi-Fi access points, including their MAC address. These data elements are identified in Figure 14:

Data sent by UC Browser (Chinese) to AMAP when Wi-Fi is enabled. Personally identifiable data redacted with asterisks.

Figure 14: Data sent by UC Browser (Chinese) to AMAP when Wi-Fi is enabled. Personally identifiable data redacted with asterisks.

Unencrypted data transfer to Umeng

When connected to a Wi-Fi network, personal user data is also sent unencrypted to Umeng. In addition to the data sent while connected to a cell network, the application also sent the device’s Wi-Fi MAC address. Figure 15 shows a sample of traffic sent to utop.umengcloud.com while connected to a Wi-Fi network:

Traffic sent to utop.umengcloud.com during idle. Personally identifiable data redacted.

Figure 15: Traffic sent to utop.umengcloud.com during idle. Personally identifiable data redacted.

Re-formatting the above traffic for readability shows the following GET request to utop.umengcloud.com:

GET request made to utop.umengcloud.com with Wi-Fi enabled showing that IMSI, IMEI, Android ID, and device Wi-Fi MAC address are sent unencrypted. Personally identifiable data redacted with asterisks.

Figure 16: GET request made to utop.umengcloud.com with Wi-Fi enabled showing that IMSI, IMEI, Android ID, and device Wi-Fi MAC address are sent unencrypted. Personally identifiable data redacted with asterisks.

In summary, when connected to a Wi-Fi network, the IMSI, IMEI, Android ID, and Wi-Fi MAC address are sent unencrypted by UC Browser (Chinese) to umengcloud.com.

Examining the Search Functionality of UC Browser (Chinese)

The Chinese version of UC Browser uses the mobile search engine Shenma, a joint venture between UCWeb and Alibaba. Search queries that are entered into the search bar were sent without encryption to http://m.sm.cn, as seen in Figure 17:

Search for “cntower” using Shenma mobile search engine via UC Browser (Chinese) search bar.

Figure 17: Search for “cntower” using Shenma mobile search engine via UC Browser (Chinese) search bar.

Insecure Data Deletion in UC Browser (Chinese)

As part of our research we conducted tests to determine what, if any, personal user data was stored on the device. We began by selecting the option in the application allowing users to delete private information from the device, such as cookies and browser history. After selecting this option, we examined whether user data remained on the device by checking the cache directory for the application. While most user data was deleted, a record of the application’s DNS lookups remained, as shown in Figure 18:

DNS records found in cache after private information was deleted.

Figure 18: DNS records found in cache after private information was deleted.

This DNS data was stored in the cache as a serialized LinkedHashMap, and persisted even after all other data in the cache had been cleared using the application’s feature to clear private browsing data. There was sufficient plaintext remaining that the records could be read using a simple text editor. In other words, even if a user attempts to clear browsing records their personal data remains available for scrutiny and can be trivially accessed.

3.2 UC Browser (English) language version 10.4.1.565

We next conducted tests of the English language edition of UC Browser version 10.4.1.565. This version was downloaded as an APK directly from the UCWeb English-language website. Our test results are summarized in Table 3:

Table 3: Summary of test results for UC Browser (English).

Test Both Results
Idle test Cell only & Cell + Wi-Fi
  • No issues identified
Search Cell only & Cell + Wi-Fi
  • Search queries sent through the search bar are sent unencrypted to Yahoo! India
  • Search queries sent through the address bar are sent unencrypted to Google
Data storage Cell only & Cell + Wi-Fi
  • No issues identified

Idle test

We performed the same idle test described previously with the English language version: the application was launched, left idle for 270 seconds, and all traffic sent to and from the device was collected. We first performed the test by connecting the mobile device to the Internet using a cellular connection and, second, by connecting the device to the Internet using a Wi-Fi network.

Our analysis showed that UC Browser (English) did not send and receive traffic through the AMAP or Umeng component as in the Chinese language version. We were not able to identify any easily decrypted traffic sent in the English language version.

Search

UC Browser (English) has two methods for performing web searches. The first method is by tapping the “Search” button shown in the upper-right hand corner of the application. The second method is by entering a search term in the address bar to the left of the search button. Both of these methods can be seen in the following screenshot:

Screenshot of search features of UC Browser (English). Both the “Enter URL” and “Search” fields can be used to perform a web search.

Figure 19: Screenshot of search features of UC Browser (English). Both the “Enter URL” and “Search” fields can be used to perform a web search.

We performed searches through both methods and observed the traffic sent and received by UC Browser (English). Performing the search through the search bar sent data unencrypted to Yahoo! India search, as shown in this packet capture:

Packet capture of search for ‘toronto bluejays’ (highlighted in blue) performed using search bar in UC Browser (English). Search query is sent unencrypted to Yahoo! India.

Figure 20: Packet capture of search for ‘toronto bluejays’ (highlighted in blue) performed using search bar in UC Browser (English). Search query is sent unencrypted to Yahoo! India.

In addition, the results of such a search are displayed with a green checkmark at the far left of the search bar:

Search results for an unencrypted search to Yahoo! India with a green checkmark.

Figure 21: Search results for an unencrypted search to Yahoo! India with a green checkmark.

The use of this green checkmark could lead to some confusion with users, as most web browsers use a green icon to the left of the search bar to reflect an encrypted connection. UC Browser (English) displays a green padlock to the left of the browser bar if the HTTPS-encrypted version of a site is opened manually in a browser.

Next, we performed a search by entering a search term in the address bar of UC Browser (English). This search was sent unencrypted to Google search:

Packet capture of search for “go jays” (highlighted in blue) performed using the address bar of UC Browser (English).

Figure 22: Packet capture of search for “go jays” (highlighted in blue) performed using the address bar of UC Browser (English).

In summary, both methods of performing a search in UC Browser (English) sent the search query unencrypted to either Yahoo! India or Google. The standard web version of each of these search engines uses HTTPS encryption by default.

Data storage

Finally, we analyzed how UC Browser (English) stored personal user data on the device. The English language version, unlike the Chinese language version, did not store DNS lookup data as part of the private browsing data. Further, using the option within the application to delete private browsing data did delete all such data.

Section 4 – UC Browser Leaks Sensitive User Data

Our analysis shows that both versions of UC Browser leak information to third parties, but that privacy and security concerns for the Chinese language UC Browser are much greater. The Chinese UC Browser version we tested (“UC Browser (Chinese)” in this report) leaks a significant amount of personally identifiable information, raising major security and privacy concerns. The leakage of the IMSI, IMEI, and geolocational information can identify a cellular subscriber, the device that they are using, and their specific location. As a result of the weak encryption used by UC Browser, any party with access to the data traffic — either real-time or historical — can link specific devices to specific places at specific times. And if the decrypting party has a large volume of data they can track subscribers vis-a-vis their mobile devices as they move around the world.

Just by installing and opening UC Browser (Chinese), users unwittingly expose a significant number of personal identifiers and location information to numerous third parties. Although users must agree to grant the application permission to access personal identifiers and location data, it is not made clear to the user how this data will be shared. This exposed information includes:

  • Device info sent unencrypted: IMSI, IMEI, Android ID, and Wi-Fi MAC address
  • Search queries sent unencrypted
  • Location data received unencrypted: longitude/latitude and street name
  • Device and location sent with breakable encryption: IMSI, IMEI, MCC, MNC, LAC, CellId, nearby cellular towers and Wi-Fi access points

In many political jurisdictions (including China and India) it is common for authorities to require telecommunications companies, cellular providers, and Internet cafes to share the data they collect with security agencies as a condition of obtaining an operating license. By leaking a large volume of fine-grained data points to multiple network operators, the UC Browser app is increasing the risks to its users that such data may be used against them by authorities, criminals, or other third parties.

The data leakages we outline are particularly problematic for individuals who use their devices to engage in sensitive communications or for whom disclosing their physical location could place them at increased risk. Similarly, individuals concerned with protecting sensitive activities related to their work while traveling or communicating should be concerned about the potential for industrial espionage.

While we concluded that UC Browser (English) leaks considerably less identifying information, users might be surprised to realize that, despite the presence of an icon suggesting security in one of the search bars, their search terms are transmitted without encryption to Google and Yahoo! India servers.

On the issue of mobile security and privacy

Ultimately, the concerns identified here with respect to UC Browser demonstrate the larger challenges of ensuring user security and privacy within the burgeoning market for mobile applications. The mobile ecosystem is complex and multi-layered, involving large volumes of personally identifiable information that are transmitted across networks, devices, operating systems, and applications owned and operated by numerous private companies across many political and regulatory jurisdictions. Such a complex system underscores the importance of systematically evaluating the privacy and security of mobile communications as they become integral to the everyday lives of individuals and communities worldwide.

Would Encryption Solve UC Browser’s Problems?

We have highlighted the lack of encryption for personally identifiable data as a key reason for concern over UC Browser. Encrypting data that is this sensitive certainly represents an industry best practice, and it is unclear why only the English version seems to implement encryption consistently. Modifying the Chinese version to match the encryption used in its English counterpart could be an important step in increasing user security, as would encrypting queries to Google and Yahoo! India in the English version.

However, even if all data were strongly encrypted, this step would simply simply make it more difficult for unauthorized parties to read the contents of data transmissions. Encrypting sensitive user data can limit the number of actors who can access the data but does not prevent the inappropriate collection, retention, and analysis of the data by application developers and their commercial partners. Put bluntly: increases in transport security do not necessarily improve corporate data handling practices.

The core advantage of better encrypting data traffic is to engage, and hopefully make more transparent, the processes that government agencies and other third parties must engage in to access information that is collected, retained, and processed by application developers. In many jurisdictions, authorities will first have to obtain a court order before lawfully accessing the application developers’ data. Nevertheless, when data is held in jurisdictions where this process is not enshrined, or where there are strong incentives to share the data, encryption alone does not solve the problem.

Acknowledgments

This project was supported by the John D. and Catherine T. MacArthur Foundation.

2 Comments

  1. Prashant
    Posted May 22, 2015 at 3:36 am | Permalink

    Does UC mini also has these problems ?

  2. jei
    Posted May 22, 2015 at 10:42 am | Permalink

    Great break down. It does beg the question, with all the clear text and hard coded encryption strings showing up in apps. How many un-tested apps are still at risk.

    With google locking down apps only being installed from their play store I would not be surprised if we see an increase in lax security from more popular apps.

80 Trackbacks

  1. […] Read the Citizen Lab report for details on the English and Chinese app editions […]

  2. […] A Chatty Squirrel: Privacy and Security Issues with UC Browser […]

  3. […] in a English and Chinese editions. The Citizen Lab researchers have authored their possess minute technical report surveying a many ways a app has been leaking data, including some users’ hunt queries, SIM label […]

  4. […] Read the Citizen Lab report for details on the English and Chinese app editions […]

  5. […] research group Citizen Lab, however, also discovered the vulnerability and alerted UC Browser, leading to the company issuing an update for the app that closed the […]

  6. […] no existe, pero desde Citizen Lab -un grupo de investigación de la Universidad de Toronto- advertían que en lugar de avisar de esa vulnerabilidad, las agencias de inteligencia “la convierten en […]

  7. […] ya no existe, pero desde Citizen Lab -un grupo de investigación de la Universidad de Toronto- advertían que en lugar de avisar de esa vulnerabilidad, las agencias de inteligencia “la convierten en […]

  8. […] experts at the technology research group in Toronto, Citizen Lab, confirmed that the presence of several “major security and privacy issues” in the English and Chinese editions of the UC Browsers, it is easy to imagine how the flaws were […]

  9. […] experts at the technology research group in Toronto, Citizen Lab, confirmed that the presence of several “major security and privacy issues” in the English and Chinese editions of the UC Browsers, it is easy to imagine how the flaws were […]

  10. […] ya no existe, pero desde Citizen Lab -un grupo de investigación de la Universidad de Toronto- advertían que en lugar de avisar de esa vulnerabilidad, las agencias de inteligencia “la convierten en […]

  11. […] research group Citizen Lab, however, also discovered the vulnerability and alerted UC Browser, leading to the company issuing an update for the app that closed the […]

  12. […] researchers have published their technical report detailing the many ways the UC Browser app has been leaking data, including SIM card numbers, […]

  13. […] uncovered in UC Browser, a popular Android internet browser used across much of Asia. Citizen Lab performed an extensive examination of the browser for CBC News, finding a wealth of exploitable data leaks. [PDF link for full Citizen Lab […]

  14. […] newly published Snowden leak reveals that the NSA planned to hack the Android store so that it could covertly install malware on […]

  15. […] in its English and Chinese editions. The Citizen Lab researchers have authored their own detailed technical report outlining the many ways the app has been leaking data, including some users’ search queries, SIM […]

  16. […] technologies (ICT), human rights, and global security matters. The laboratory decided to conduct an analysis of UC Browser after being contacted by media organizations for comments on a 2012 document from Canada’s […]

  17. […] Lab, a analysis group out of the University of Toronto, analyzed UC Browser. In its report published Thursday, the lab stated it discovered “a collection of main safety and privateness points within the […]

  18. […] Lab, a research group out of the University of Toronto, analyzed UC Browser. In its report published Thursday, the lab said it found “a series of major security and privacy issues in the English language […]

  19. […] Lab, a research group out of the University of Toronto, analyzed UC Browser. In its report published Thursday, the lab said it found “a series of major security and privacy issues in the English language […]

  20. […] Browser, a popular web browser in China and India used by half a billion people. The UC Browser was leaking information such as users’ search queries, phone numbers and UIDs that can be used to track people, as […]

  21. […] Lab, a research group out of the University of Toronto, analyzed UC Browser. In its report published Thursday, the lab said it found “a series of major security and privacy issues in the English language […]

  22. […] in a English and Chinese editions. The Citizen Lab researchers have authored their possess minute technical report surveying a many ways a app has been leaking data, including some users’ hunt queries, SIM label […]

  23. […] Lab, a research group out of the University of Toronto, analyzed UC Browser. In its report published Thursday, the lab said it found “a series of major security and privacy issues in the English language […]

  24. […] Lab, a research group out of the University of Toronto, analyzed UC Browser. In its report published Thursday, the lab said it found “a series of major security and privacy issues in the English language […]

  25. […] Lab, a investigate organisation out of a University of Toronto, analyzed UC Browser. In a news published Thursday, a lab pronounced it found “a array of vital confidence and remoteness issues in a English […]

  26. […] Lab, a research group out of the University of Toronto, analyzed UC Browser. In its report published Thursday, the lab said it found “a series of major security and privacy issues in the English language […]

  27. […] Lab, a research group out of the University of Toronto, analyzed UC Browser. In its report published Thursday, the lab said it found “a series of major security and privacy issues in the English language […]

  28. […] Lab, a research group out of the University of Toronto, analyzed UC Browser. In its report published Thursday, the lab said it found “a series of major security and privacy issues in the English language […]

  29. […] Lab, un grupo de investigación de la Universidad de Toronto, analizó UC Browser. En su informe Publicado Jueves , dicho laboratorio se encontró “una serie de importantes cuestiones de seguridad y […]

  30. […] Lab, a investigate organisation out of a University of Toronto, analyzed UC Browser. In a news published Thursday, a lab pronounced it found “a array of vital confidence and remoteness issues in a English […]

  31. […] non-profit Citizen Lab has now compiled a full report into vulnerabilities and they have now been fixed. Citizen Lab Director Ron Deibert said that while […]

  32. […] newly published Adward Snowden leak discloses that the NSA intended to attack the Google Play and Samsung Android store so they could […]

  33. […] pesquisadores publicaram seu relatório técnico detalhando as muitas maneiras de como o app UC Browser está vazando esses dados, incluindo […]

  34. […] in its English and Chinese editions. The Citizen Lab researchers have authored their own detailed technical report outlining the many ways the app has been leaking data, including some users’ search queries, SIM […]

  35. […] Lab, a research group out of the University of Toronto, analyzed UC Browser. In its report published Thursday, the lab said it found “a series of major security and privacy issues in the English language […]

  36. […] Lab, a research group out of the University of Toronto, analyzed UC Browser. In its report published Thursday, the lab said it found “a series of major security and privacy issues in the English language […]

  37. […] Read a Citizen Lab news for sum on the English and Chinese app editions […]

  38. […] The lack of encryption would let anyone with access to the data traffic to identify a user’s phone number, the device, and the person’s location, Citizen Lab said in its report released Thursday. […]

  39. […] in its English and Chinese editions. The Citizen Lab researchers have authored their own detailed technical report outlining the many ways the app has been leaking data, including some users’ search queries, SIM […]

  40. […] The transmission of this information “represents a privacy risk for users because it allows anyone with access to the data traffic to identify users and their devices, and collect their private search data”, it said in a report. […]

  41. […] ya no existe, pero desde Citizen Lab -un grupo de investigación de la Universidad de Toronto- advertían que en lugar de avisar de esa vulnerabilidad, las agencias de inteligencia “la convierten en […]

  42. […] in its English and Chinese editions. The Citizen Lab researchers have authored their own detailed technical report outlining the many ways the app has been leaking data, including some users’ search queries, SIM […]

  43. […] researchers have published their technical report detailing the many ways the UC Browser app has been leaking data, including SIM card numbers, […]

  44. […] in a English and Chinese editions. The Citizen Lab researchers have authored their possess minute technical report surveying a many ways a app has been leaking data, including some users’ hunt queries, SIM label […]

  45. By May 22, 2015 | cybersecurity update on May 22, 2015 at 11:40 am

    […] A Chatty Squirrel: Privacy and Security Issues with UC Browser [Citizen Lab] […]

  46. […] A Chatty Squirrel: Privacy and Security Issues with UC Browser – Citizen Lab […]

  47. […] Lab, a research group out of the University of Toronto, analyzed UC Browser. In its report published Thursday, the lab said it found “a series of major security and privacy issues in the English language […]

  48. […] The lack of encryption would let anyone with access to the data traffic to identify a user’s phone number, the device, and the person’s location, Citizen Lab said in its report released Thursday. […]

  49. […] 加拿大知名安全实验室调查和比较了中文版UC浏览器和英文版UC浏览器,其中中文版被发现会收集和发送用户的隐私数据,但英文版却没有这么多隐私问题,明显内外有别。中文版本的AMAP组件会联系apilocate.amap.com,发送用户设备识别码(IMSI、IMEI)和地理位置数据,Wi-Fi的MAC地址或手机塔相关数据,以及Android ID,向阿里巴巴的搜索引擎Shenma发送未加密的搜索查询词。英文版没有发现发送设备相关识别码或Wi-Fi的MAC地址。(原文链接) […]

  50. […] scintillating security breach was shared by a Canadian technology research group called Citizen Lab. And interestingly, they were able to discover this massive leak when Canadian Broadcasting […]

  51. […] * 参考来源citizenlab,cindy编辑,转自FreeBuf黑客与极客(FreeBuf.COM) […]

  52. […] 加拿大的Citizen Lab最近發表了一篇研究報告,報告中指出中國的UC瀏覽器會洩露使用者的隱私資料。由於UC瀏覽器是在手機上相當多使用者使用的一款瀏覽器,並且於去年六月由阿里巴巴所收購,因此這個新聞也格外引人注意。 […]

  53. […] 加拿大的Citizen Lab最近發表了一篇研究報告,報告中指出中國的UC瀏覽器會洩露使用者的隱私資料。由於UC瀏覽器是在手機上相當多使用者使用的一款瀏覽器,並且於去年六月由阿里巴巴所收購,因此這個新聞也格外引人注意。 […]

  54. […] non-profit Citizen Lab has now compiled a full report into vulnerabilities and they have now been fixed. Citizen Lab Director Ron Deibert said that while […]

  55. […] Citizen Lab, un grupo de derechos e investigación tecnológico, encontró vulnerabilidades en esta aplicación en sus ediciones china e inglesa. Además de la invasión a la privacidad, la explotación de vulnerabilidades por los gobiernos sin comunicarlas a los desarrolladores facilita la actuación de los cibercriminales. […]

  56. […] Citizen Lab at the University of Toronto’s Munk School of Global Affairs conducted this investigation and […]

  57. […] scintillating security breach was shared by a Canadian technology research group called Citizen Lab. And interestingly, they were able to discover this massive leak when Canadian Broadcasting […]

  58. […] scintillating security breach was shared by a Canadian technology research group called Citizen Lab. And interestingly, they were able to discover this massive leak when Canadian Broadcasting […]

  59. […] in its English and Chinese editions. The Citizen Lab researchers have authored their own detailed technical report outlining the many ways the app has been leaking data, including some users’ search queries, SIM […]

  60. […] data that can be used track people and gain insight into their lives without their consent, as revealed by the Citizen Lab Toronto based research group earlier this […]

  61. […] data that can be used track people and gain insight into their lives without their consent, as revealed by the Citizen Lab Toronto based research group earlier this […]

  62. […] researchers have published their technical report detailing the many ways the UC Browser app has been leaking data, including SIM card numbers, […]

  63. […] UC浏览器是一种移动浏览器,它目前拥有超过5亿的注册用户,是中国和印度最受欢迎的手机浏览器。在《啰嗦的松鼠:UC浏览器的隐&#…这一报告中,公民实验室(Citizen Lab)发现中文和英文安卓版UC浏览器中存在多个隐私及安全漏洞, 并讨论了它们的重要性。 […]

  64. […] researchers have published their technical report detailing the many ways the UC Browser app has been leaking data, including SIM card numbers, […]

  65. By Brèves S20 et S21 | La Mare du Gof on May 25, 2015 at 8:13 pm

    […] on which the Canadian Broadcasting Corporation (CBC) was preparing a story (…).» Source : citizenlab.org/2015/05/a-chatty-squirrel-privacy-and-security-issues-with-uc-browser/ Billets en relation : 21/05/2015. NSA Planned to Hijack Google App Store to Hack Smartphones : […]

  66. […] Ein geschwätziges Eichhörnchen: Privatsphäre und Datensicherheit beim UC Browser – Citizen Lab […]

  67. […] The Citizen Lab at the University of Toronto’s Munk School of Global Affairs conducted this investigation, and found out that unencrypted data included phone numbers, device serial numbers, apart from user search queries and geo-location data. […]

  68. […] * 参考来源citizenlab,cindy编辑,转载请注明来自FreeBuf黑客与极客(FreeBuf.COM) […]

  69. […] researchers have published their technical report detailing the many ways the UC Browser app has been leaking data, including SIM card numbers, […]

  70. […] CitizenLab] Tweet window.fbAsyncInit = function() { FB.init({appId: "112154305528363", status: true, cookie: […]

  71. […] can also retroactively decrypt any historical data that they have collected or obtained.” The report […]

  72. […] A Chatty Squirrel: Privacy and Security Issues with UC Browser [Citizen Lab] […]

  73. […] failles dans UC Browser ont été analysées et confirmées par Citizen Lab, qui les considère comme très sérieuses. Un rapport complet a d’ailleurs été émis hier pour […]

  74. […] The agencies successfully found vulnerabilities in UCWeb, which was found to leak IMSI, MSISDN, IMEI, and other device characteristics. These vulnerabilities were used to discover a target and it was determined that the vulnerabilities might let a SIGINT agency serve malware to the target. A ‘microplugin’ for XKeyscore was developed so that analysts could quickly surface UCWeb-related SIGINT material. (NOTE: The Citizen Lab analyzed later versions of UCWeb and found vulnerabilities that were subsequently patched by the company. For more, see: “A Chatty Squirrel: Privacy and Security Issues with UC Browser.”) […]

  75. […] The transmission of this information “represents a privacy risk for users because it allows anyone with access to the data traffic to identify users and their devices, and collect their private search data”, it said in a report. […]

  76. […] The Citizen Lab at the University of Toronto’s Munk School of Global Affairs conducted this investigation, and found out that unencrypted data included phone numbers, device serial numbers, apart from user search queries and geo-location data. […]

  77. […] The lack of encryption would let anyone with access to the data traffic to identify a user’s phone number, the device, and the person’s location, Citizen Lab said in its report released Thursday. […]

  78. […] 加拿大多伦多大学公民实验室调查和比较了中文版UC浏览器和英文版UC浏览器,其中中文版被发现会收集和发送用户的隐私数据,但英文版却没有这么多隐私问题,明显内外有别。UC浏览器号称有5亿注册用户,是全球第四大移动浏览器,仅次于 Chrome、Android浏览器和Safari,每天有1亿活跃用户,它已被阿里巴巴收购。研究人员测试的中文版是从小米应用商店下载的,而英文版则直接从官网下载的APK文件。他们分析了两种浏览器在空闲情况下发送的流量数据,发现中文版本的AMAP组件会联系apilocate.amap.com,发送用户设备识别码(IMSI、IMEI)和地理位置数据,Wi-Fi的MAC地址或手机塔相关数据,以及Android ID,向阿里巴巴的搜索引擎Shenma发送未加密的搜索查询词。英文版没有发现发送设备相关识别码或Wi-Fi的MAC地址。 […]

  79. […] A Chatty Squirrel: Privacy and Security Issues with UC Browser – Citizen Lab […]

  80. […] researchers have published their technical report detailing the many ways the UC Browser app has been leaking data, including SIM card numbers, […]

Post a Comment

Your email is never shared. Required fields are marked *

*
*