From the Archives
Archived discussions on CrazyEngineers

@Ankita Katdare • 21 May, 2015
The Indians and the Chinese are familiar with the UC Browser. Developed by UCWeb Inc., a Guangzhou, China-based company owned by Alibaba.com, this browser has statistics suggesting that it has more than 500 million registered users from Asia (biggest user base in China, followed by India). In a report titled "A Chatty Squirrel" (a reference made to the orange & white logo featuring a squirrel on the app, a team of researchers from The Citizen Lab have thrown light on the grave privacy and security concerns that arise from the use of the UC Browser. In the detailed analysis, the research team presents how the browser can transmit user data while in use. The Citizen Lab is an interdisciplinary lab based at University of Toronto, Canada.

From their findings, it appears that both English & Chinese editions of UC Browser for Android can leak personal information about the user to the network operator or any attacked on the network. The personal information includes - Cellular Subscriber Information, GeoLocation Data, Search Queries, IMSI, IMEI, Android ID, Mobile Device Identifiers etc.

ucweb-logo
The researchers did their job by submitting their report to Alibaba as well as UCWeb in April and taking due action on these findings, Alibaba responded saying that their security engineers had began working on solving the issue. On May 19th, the Citizen Lab team decided to again test the new version (10.4.1-576) of the Chinese language version of UC Browser and found that it no more sent the location data insecurely to AMAP as was earlier pointed out by them. However, the issues about insecure data transmission to the Umeng component and search queries lacking encryption still remained. And thus, the researchers released the report publicly.

The report suggests that the lack of encryption for personally identifiable data is the primary cause of concern for UC Browser. The best practices in industry advocate that the sensitive data be encrypted. This however doesn't solve the problem fully. Encrypting can make it difficult or limit the number of unauthorized people to access your contents, however it still can't prevent the attacker (app developers & commercial partners) from collection, retention, and analysis of the data. In other words, better transport security does not indicate that there are corporate data handling practices.

It remains to be seen what UC Web Inc and Alibaba think about these issues and what actions will be taken.

Are you using UC Browser on your Android smartphone? Be aware of the security issues raised and take appropriate action.

Source: Citizen Lab

Related Posts

Archives

@mvaa07 · Apr 25, 2010

we've been taught that ac current is alternating in nature i.e. no negative or positive poles but we been also told that live actually carries the current and the neutral...
Archives

@Ankita Katdare · Sep 18, 2013

Micromax Mobile, the Indian consumer electronics manufacturer, is here to sizzle the tablet market with a new product called the Micromax Canvas Tablet P650. The smartphone maker has unveiled this...
Archives

@khushibjl · Feb 16, 2013

pls suggest me some electronics and communication tech fest names👎
Archives

@Ankita Katdare · Nov 5, 2013

ZTE has today launched a new Android smartphone called the ZTE Grand S Flex in Europe. Making the phone available in Spain, Czech Republic and Slovakia followed by Germany, Finland...
Archives

@Debasmita Banerjee · Jan 11, 2016

The Chinese Start-up, Letv has decided to launch its much awaited, “Le Max Pro”, which comes with Qualcomm’s latest flagship processor, the Snapdragon Qualcomm 820. Priced at RMB 3,500 (around...