This iPhone, Android browser harvests user data even in incognito mode

The UC browser's Google Play listing, as displayed on an Android phone.
(Image credit: Sharaf Maksumov/Shutterstock)

One of the world's leading web browsers harvests users' locations, browsing history and identification data from iOS and Android devices and sends it to Chinese servers even when in incognito mode, security researchers say.

The UC browser, made and marketed by UCWeb, a subsidiary of the Chinese internet giant Alibaba, "is exfiltrating user browsing and search history from its products distributed on mobile devices around the world even when the browser is used in incognito mode," wrote London-based researcher Gabi Cirlig in a blog post yesterday (June 1). "This behavior is consistent on both Android and iOS devices."

Like Chrome, Firefox and Safari, UC states its incognito mode is private, Cirlig wrote. The brower's Google Play page says that Incognito Mode provides "browsing without leaving any history, cookies, caches, etc." and that "Incognito mode makes your browsing and watching experience perfectly private and secret."

Cirlig told Forbes that other browsers he examined, including Chrome, did not do these things while in Incognito Mode.

UC is fourth-ranked globally among web browsers, according to a Statcounter screenshot Cirlig posted, although its share amounted to only 2.3% of the worldwide market. The main Android version of the UC browser has more than 500 million installations just from Google Play, which can't be accessed in China. 

A 2018 Wall Street Journal piece said UC was "dethroning Google in Asia" outside China. Forbes' Thomas Brewster noted that UC had many users in India until that country banned dozens of Chinese apps in mid-2020 following a deadly border skirmish between the two nations. 

However, the browser has long been regarded as rather snoopy. Documents leaked by former NSA contractor Edward Snowden showed that Canadian intelligence found in the early 2010's that the UC browser leaked a lot of sensitive data, behavior that continued until at least 2015.

Hoovering up your information

Working with Argentina-based researcher Nicolas Agnese, Cirlig found that the UC browser hoovers up a phone's network-interface ID (MAC address), phone hardware ID (IMEI), phone serial number, OS version, phone type, browsing history, search queries, IP address and time zone, sending it all to Chinese-registered servers even when in incognito mode on iOS or Android. 

It also sends a unique proprietary device ID that seems to be specific to the UC browser, which Cirlig noted "could easily fingerprint users and tie them back to their real personas."

With all this information, users can be tracked and monitored both physically and across the internet, a far cry from the "perfectly private and secret" experience promised.

Forbes had Cirlig and Agnese's findings verified by Andrew Tierney, a well-regarded British security reseacher. 

Here's a YouTube video of data being harvested from the UC browser running in Incognito Mode from an emulated phone.

Worse on iOS than on Android

The pair discovered that the UC browser was a bit "better" about how it handled this sensitive information on Android than it was on iOS, regardless of the fact that this sort of data collection shouldn't be happening at all. 

On iOS, the personal data was compressed but not encrypted before it was transmitted to the Chinese servers, meaning anyone who intercepted the traffic could read it. [Or maybe not; please see below.] On Android, the data was both compressed and encrypted, although Cirlig and Agnese found a decryption key buried in the UC browser app's source code. 

[Correction: Agnese reached out to us after this story was published to point out that the data being transmitted by the iOS version of the UC browser was indeed encrypted because it went out over a standard secure browser-to-server HTTPS connection. Cirlig and Agnese had run their tests using their own HTTPS certificate, which meant they could easily decrypt HTTPS data.

To read the data transmitted by the iOS version of the UC browser, you'd have to break or evade TLS, the encryption standard used by most web browsers. This can be done using a number of methods, but that's outside the scope of this piece.]

As of Wednesday (June 2), the English-language version of the UC browser was gone from Apple's App Store in most countries, but the Chinese-language one remained. The Google Play store listed the main UC browser plus "mini" and "turbo" versions, all in English.

"At the time of the writing," Cirlig wrote in his blog post, "these issues have not been fixed even after contacting Alibaba, with user browsing/location data being sent to UCWeb's servers in real time."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.