UC Browser Has A Chatty Squirrel That Raises Privacy Issues For Users

The Indians and the Chinese are familiar with the UC Browser. Developed by UCWeb Inc., a Guangzhou, China-based company owned by Alibaba.com, the browser has, statistics suggest, more than 500 million registered users from Asia (the biggest user base is in China, followed by India). In a report titled "A Chatty Squirrel" (a reference to the orange & white squirrel logo on the app), a team of researchers from The Citizen Lab has thrown light on the grave privacy and security concerns that arise from the use of the UC Browser. In the detailed analysis, the research team shows how the browser can transmit user data while in use. The Citizen Lab is an interdisciplinary lab based at the University of Toronto, Canada.

From their findings, it appears that both the English & Chinese editions of UC Browser for Android can leak personal information about the user to the network operator or to any attacker on the network. The personal information includes Cellular Subscriber Information, GeoLocation Data, Search Queries, IMSI, IMEI, Android ID, Mobile Device Identifiers etc.

The researchers submitted their report to Alibaba as well as UCWeb in April. Acting on these findings, Alibaba responded that its security engineers had begun working on solving the issue. On May 19th, the Citizen Lab team tested the new version (10.4.1-576) of the Chinese-language edition of UC Browser and found that it no longer sent location data insecurely to AMAP, as they had pointed out earlier. However, the issues of insecure data transmission to the Umeng component and of search queries lacking encryption still remained, and so the researchers released the report publicly.

The report suggests that the lack of encryption for personally identifiable data is the primary cause of concern for UC Browser. Industry best practice is to encrypt sensitive data. This, however, doesn't solve the problem fully. Encryption can make it harder for unauthorized people to access your content, or limit how many of them can, but it still can't prevent app developers & commercial partners from collecting, retaining, and analyzing the data. In other words, better transport security says nothing about corporate data handling practices.

It remains to be seen what UCWeb Inc. and Alibaba think about these issues and what actions will be taken.

Are you using UC Browser on your Android smartphone? Be aware of the security issues raised and take appropriate action.
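
For readers who want to check their own device's traffic for the kind of leak the report describes, here is an added example (not from the Citizen Lab report or from UCWeb) that scans captured requests for device identifiers and location data sent over plain HTTP. The hostnames, parameter names and sample values are constructed; real input would come from your own proxy or capture log.

```python
import re
from urllib.parse import urlsplit, parse_qsl

def luhn_ok(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; most other 15-digit numbers fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(value: str):
    """Return the identifier type a field value looks like, or None."""
    if re.fullmatch(r"\d{15}", value):
        # An IMSI is also 15 digits; about 1 in 10 passes Luhn by chance.
        return "IMEI" if luhn_ok(value) else "IMSI-like"
    if re.fullmatch(r"[0-9a-f]{16}", value):
        return "Android-ID-like"
    if re.fullmatch(r"-?\d{1,3}\.\d{4,},-?\d{1,3}\.\d{4,}", value):
        return "geolocation"
    return None

def find_cleartext_leaks(requests):
    """requests: iterable of (url, form_body). Only plain http:// is checked."""
    findings = []
    for url, body in requests:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue            # TLS traffic is out of scope for this check
        for key, value in parse_qsl(parts.query) + parse_qsl(body):
            kind = classify(value)
            if kind:
                findings.append((parts.hostname, key, kind))
    return findings

# Constructed sample capture (hypothetical hosts and parameter names).
SAMPLE = [
    ("http://stats.example.test/collect?dev=490154203237518&aid=9774d56d682e549c",
     "sub=310150123456789"),
    ("https://api.example.test/v1/ping?dev=490154203237518", ""),
    ("http://search.example.test/q?kw=weather&page=2", "loc=43.6629,-79.3957"),
]

if __name__ == "__main__":
    for host, key, kind in find_cleartext_leaks(SAMPLE):
        print(f"{host}: field '{key}' carries {kind} in cleartext")
```

A clean result only shows that these fields were not sent in plaintext; as the report notes, it says nothing about what the receiving party does with the data.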
