CrazyEngineers Archive
Old, but evergreen and popular discussions on CrazyEngineers, presented to you in read-only mode.
@Ankita Katdare • 21 May, 2015
The Indians and the Chinese are familiar with the UC Browser. Developed by UCWeb Inc., a Guangzhou, China-based company owned by Alibaba.com, the browser has, according to its statistics, more than 500 million registered users in Asia (the biggest user base is in China, followed by India). In a report titled "A Chatty Squirrel" (a reference to the orange and white logo featuring a squirrel on the app), a team of researchers from The Citizen Lab has shed light on the grave privacy and security concerns that arise from the use of the UC Browser. In the detailed analysis, the research team shows how the browser can transmit user data while in use. The Citizen Lab is an interdisciplinary lab based at the University of Toronto, Canada.

From their findings, it appears that both the English and Chinese editions of UC Browser for Android can leak personal information about the user to the network operator or any attacker on the network. The personal information includes cellular subscriber information, geolocation data, search queries, IMSI, IMEI, Android ID, mobile device identifiers, etc.

The researchers submitted their report to Alibaba as well as UCWeb in April. Acting on these findings, Alibaba responded that its security engineers had begun working on solving the issue. On May 19th, the Citizen Lab team tested the new version (10.4.1-576) of the Chinese-language UC Browser and found that it no longer sent location data insecurely to AMAP, as they had pointed out earlier. However, the issues of insecure data transmission to the Umeng component and of search queries lacking encryption still remained. The researchers therefore released the report publicly.

The report suggests that the lack of encryption for personally identifiable data is the primary cause of concern for UC Browser. Industry best practices advocate that sensitive data be encrypted. This, however, doesn't solve the problem fully. Encryption can make it difficult for unauthorized people to access your data, or limit how many of them can, but it still can't prevent app developers and commercial partners from collecting, retaining, and analyzing that data. In other words, better transport security says nothing about corporate data handling practices.

It remains to be seen what UCWeb Inc. and Alibaba think about these issues and what actions will be taken.

Are you using UC Browser on your Android smartphone? Be aware of the security issues raised and take appropriate action.

Source: Citizen Lab