One of the world's leading web browsers harvests users' locations, browsing history and identification data from iOS and Android devices and sends it to Chinese servers even when in incognito mode, security researchers say.
The UC browser, made and marketed by UCWeb, a subsidiary of the Chinese internet giant Alibaba, "is exfiltrating user browsing and search history from its products distributed on mobile devices around the world even when the browser is used in incognito mode," wrote London-based researcher Gabi Cirlig in a blog post yesterday (June 1). "This behavior is consistent on both Android and iOS devices."
Like Chrome, Firefox and Safari, UC states its incognito mode is private, Cirlig wrote. The browser's Google Play page says that Incognito Mode provides "browsing without leaving any history, cookies, caches, etc." and that "Incognito mode makes your browsing and watching experience perfectly private and secret."
Cirlig told Forbes that other browsers he examined, including Chrome, did not do these things while in Incognito Mode.
UC is fourth-ranked globally among web browsers, according to a Statcounter screenshot Cirlig posted, although its share amounted to only 2.3% of the worldwide market. The main Android version of the UC browser has more than 500 million installations just from Google Play, which can't be accessed in China.
A 2018 Wall Street Journal piece said UC was "dethroning Google in Asia" outside China. Forbes' Thomas Brewster noted that UC had many users in India until that country banned dozens of Chinese apps in mid-2020 following a deadly border skirmish between the two nations.
However, the browser has long been regarded as rather snoopy. Documents leaked by former NSA contractor Edward Snowden showed that Canadian intelligence found in the early 2010s that the UC browser leaked a lot of sensitive data, behavior that continued until at least 2015.
Hoovering up your information
Working with Argentina-based researcher Nicolas Agnese, Cirlig found that the UC browser hoovers up a phone's network-interface ID (MAC address), phone hardware ID (IMEI), phone serial number, OS version, phone type, browsing history, search queries, IP address and time zone, sending it all to Chinese-registered servers even when in incognito mode on iOS or Android.
It also sends a unique proprietary device ID that seems to be specific to the UC browser, which Cirlig noted "could easily fingerprint users and tie them back to their real personas."
With all this information, users can be tracked and monitored both physically and across the internet, a far cry from the "perfectly private and secret" experience promised.
Forbes had Cirlig and Agnese's findings verified by Andrew Tierney, a well-regarded British security researcher.
Here's a YouTube video of data being harvested from the UC browser running in Incognito Mode from an emulated phone.
Worse on iOS than on Android
The pair discovered that the UC browser was a bit "better" about how it handled this sensitive information on Android than it was on iOS, regardless of the fact that this sort of data collection shouldn't be happening at all.
On iOS, the personal data was compressed but not encrypted before it was transmitted to the Chinese servers, meaning anyone who intercepted the traffic could read it. [Or maybe not; please see below.] On Android, the data was both compressed and encrypted, although Cirlig and Agnese found a decryption key buried in the UC browser app's source code.
[Correction: Agnese reached out to us after this story was published to point out that the data being transmitted by the iOS version of the UC browser was indeed encrypted because it went out over a standard secure browser-to-server HTTPS connection. Cirlig and Agnese had run their tests using their own HTTPS certificate, which meant they could easily decrypt HTTPS data.
To read the data transmitted by the iOS version of the UC browser, you'd have to break or evade TLS, the encryption standard used by most web browsers. This can be done using a number of methods, but that's outside the scope of this piece.]
As of Wednesday (June 2), the English-language version of the UC browser was gone from Apple's App Store in most countries, but the Chinese-language one remained. The Google Play store listed the main UC browser plus "mini" and "turbo" versions, all in English.
"At the time of the writing," Cirlig wrote in his blog post, "these issues have not been fixed even after contacting Alibaba, with user browsing/location data being sent to UCWeb's servers in real time."