UC Browser is a mobile web browser application that has over 500 million registered users and is the most popular mobile web browser in China and India. The report “A Chatty Squirrel: An Analysis of Privacy and Security Issues with UC Browser” discusses the significance of multiple security and privacy deficits that the Citizen Lab identified and documented in the English and Chinese language Android versions of UC Browser. This analysis was prompted by a slide presentation leaked by Edward Snowden on which the Canadian Broadcasting Corporation (CBC) asked us to comment. The document was prepared in 2012 by Canada’s signals intelligence agency, the Communications Security Establishment (CSE), and noted the existence of security vulnerabilities in the UC Browser application.
Our report reveals that UC Browser poorly secures data in its English and Chinese language versions for Android. The report discusses how sensitive user data, such as device identifiers, nearby Wi-Fi access points, and cellular tower information, as well as search queries to the search engine Shenma, are insufficiently secured by the Chinese version of the application before transmitting to its destination. The Chinese version also permanently retains users’ DNS query history which was discovered after researchers tried to delete personal information using the application’s built-in personal information deletion functions.
The English version of the application sends search queries to Yahoo! India or Google without encryption; however, it does not exhibit the other information leakages present in the Chinese version of the application.
Our analysis shows that the information leakages in the Chinese version of the application could be used to track the location of persons either in real-time or retroactively. Moreover, the application’s failure to delete DNS queries means that third parties that access the application’s cache could determine what websites a user had previously visited. Both the Chinese and English versions of the applications showcase poor security practices by failing to encrypt queries made to either Chinese- or English-based search engines.
While media outlets are publishing a story about the CSE document we cannot positively determine if the problems we identified in UC Browser, which are described in our report, are similar to or the same as those referenced in the CSE document.
This research demonstrates the poor data security practices of an Android application that may ultimately threaten users’ privacy. The transmission of unencrypted search engine queries enables third parties to monitor searches as well as potentially return modified search results without the user realizing that their data has been monitored or modified. Sensitive personal information can be inferred from search results including health conditions, such as pregnancy, disease, mental and psychological conditions, marital relations, and medical information. The data can also be used by third parties to develop, use, and sell user profiles and by corporate or government agents to modify or prevent access to certain search results.
The Chinese version of UC Browser has trivially encrypted cellular tower location information using symmetric AES/CBC encryption that uses a hard-coded key. The use of a hard-coded key and symmetric encryption enables third parties to decrypt cellular tower information in real-time as they read it, or retroactively as they gain access to previously captured and stored UC Browser data traffic. The application transmits device identifiers, including IMSI, IMEI, the Android ID, and Wi-Fi MAC address, without encryption. In aggregate these pieces of information can be used to track individuals as they move around the world, to conduct social network analyses by determining who is located near whom at what times of the day, and to identify ‘aberrant’ activities such as being in the proximity of persons/devices that are subject to surveillance or being in a location that the device normally does not pass through or near.
The report highlights significant variations between the data security included in the Chinese and English versions of the applications. We conclude that users of the English version of the applications experience fewer privacy or security problems compared to users of the Chinese version.
What Should UC Browser Users Do?
We disclosed our findings to Alibaba (the parent company of UCWeb, the creator of UC Browser) on April 15, 2015, and informed them that we would publish this report on or after April 29, 2015. The company responded to our notification on April 19, 2015, indicating that Alibaba security engineers were investigating the issue. We followed up on April 23, 2015 to reiterate our intention to publish this report on or after April 29, 2015.
On May 19, 2015 we tested version 10.4.1-576 of the Chinese language version of UC Browser, which was downloaded from the uc.cn website. This version does not appear to send location data insecurely to AMAP as described in this report. The issues we describe in this report relating to insecure data transmission to the Umeng component, as well the lack of encryption on search terms, do not appear to have changed in this version. Users who use the Chinese version of UC Browser should upgrade the application and ensure they are running version 10.4.1-576 or above.
We suggest that users contact Alibaba [email@example.com] if they are interested in learning about what progress has been made in resolving the problems we uncovered in our analyses.