Security researcher Gabi Cirlig has found that UC Browser, a popular third-party browser on the iOS App Store and Google Play, secretly sends users’ browsing data to UCWeb servers in China. The data even includes a user’s IP address, which could be used to track their approximate location down to their neighborhood.
UC Browser is made by Alibaba’s subsidiary UCWeb, and it is the fourth-largest mobile web browser. It is a relatively popular browser in Asian markets, with over 500 million downloads on the Google Play Store alone. The browser sends users’ browsing data to UCWeb servers registered in China but located in the US, even when the incognito mode is used. This is despite the company claiming it won’t record a user’s “browsing history and search history” when incognito mode is used.
More worryingly, a unique ID number is assigned to every user to make tracking them easier across different websites. It is unclear what UCWeb is doing with all the data, with researcher Cirlig claiming that the company could use the data for fingerprinting users. The issue is present on both the Android and iOS versions of the app.
On Android, UC Browser was at least encrypting the data it was sending back to its servers. The iOS version of the browser was not even doing that, though the data was encrypted while in transit.
“This kind of tracking is done on purpose without any regard for user privacy,” Cirlig told Forbes. Google’s own Chrome browser, by comparison, does not transfer user web browsing habits when in incognito. Cirlig said he’d looked at other major browsers and found none did the same as UC Browser. He added that whilst cookies might track users in a similar way, this is very different to “the browser getting the URLs, putting them in a briefcase and running away with them.”
UC Browser rolled out an update for its browser last week and updated its privacy nutrition label to mention that users were tracked using unique identifiers. However, it was never mentioned that the browser also monitored the web browsing activity of a user.
Interestingly, the English version of the UC Browser was removed from the iOS App Store yesterday (Tuesday). The Chinese version of the app continues to be on the App Store, and unlike the English version, it does not send back data to UCWeb servers.
[Via Forbes, Hookgab]