This iPhone, Android browser harvests user data even in incognito mode
One of the world's leading web browsers harvests users' locations, browsing history and identification data from iOS and Android devices and sends it to Chinese servers even when in incognito mode, security researchers say.
The UC browser, made and marketed by UCWeb, a subsidiary of the Chinese internet giant Alibaba, "is exfiltrating user browsing and search history from its products distributed on mobile devices around the globe even when the browser is used in incognito mode," wrote London-based researcher Gabi Cirlig in a blog post yesterday (June 1). "This behavior is consistent on both Android and iOS devices."
Like Chrome, Firefox and Safari, UC states its incognito mode is private, Cirlig wrote. The browser's Google Play page says that Incognito Mode provides "browsing without leaving any history, cookies, caches, etc." and that "Incognito mode makes your browsing and watching feel perfectly private and secret."
Cirlig told Forbes that other browsers he examined, including Chrome, did not do these things while in Incognito Mode.
UC is fourth-ranked globally among web browsers, according to a Statcounter screenshot Cirlig posted, although its share amounted to only 2.3% of the worldwide market. The main Android version of the UC browser has more than 500 million installations just from Google Play, which can't be accessed in China.
A 2018 Wall Street Journal piece said UC was "dethroning Google in Asia" outside China. Forbes' Thomas Brewster noted that UC had many users in India until that state banned dozens of Chinese apps in mid-2020 following a deadly border skirmish between the two nations.
Yet, the browser has long been regarded as rather snoopy. Documents leaked by former NSA contractor Edward Snowden showed that Canadian intelligence found in the early 2010s that the UC browser leaked a lot of sensitive data, behavior that continued until at least 2015.
Hoovering up your information
Working with Argentina-based researcher Nicolas Agnese, Cirlig found that the UC browser hoovers up a phone's network-interface ID (MAC address), phone hardware ID (IMEI), phone serial number, OS version, phone type, browsing history, search queries, IP address and time zone, sending it all to Chinese-registered servers even when in incognito mode on iOS or Android.
It also sends a unique proprietary device ID that seems to be specific to the UC browser, which Cirlig noted "could easily fingerprint users and tie them back to their real personas."
With all this information, users can be tracked and monitored both physically and across the internet, a far cry from the "perfectly private and secret" feel promised.
Forbes had Cirlig and Agnese's findings verified by Andrew Tierney, a well-regarded British security researcher.
Here's a YouTube video of data being harvested from the UC browser running in Incognito Mode from an emulated phone.
Worse on iOS than on Android
The pair discovered that the UC browser was a bit "better" about how it handled this sensitive information on Android than it was on iOS, regardless of the fact that this sort of data collection shouldn't be happening at all.
On iOS, the personal data was compressed but not encrypted before it was transmitted to the Chinese servers, meaning anyone who intercepted the traffic could read it. [Or perhaps not; please see below.] On Android, the information was both compressed and encrypted, although Cirlig and Agnese found a decryption key buried in the UC browser app's source code.
[Correction: Agnese reached out to us after this story was published to point out that the information being transmitted by the iOS version of the UC browser was indeed encrypted because it went out over a standard secure browser-to-server HTTPS connection. Cirlig and Agnese had run their tests using their own HTTPS certificate, which meant they could easily decrypt HTTPS data.
To read the data transmitted by the iOS version of the UC browser, you'd have to break or evade TLS, the encryption standard used by most web browsers. This can be done using a number of methods, but that's outside the scope of this piece.]
As of Wednesday (June 2), the English-language version of the UC browser was gone from Apple's App Store in most countries, but the Chinese-language one remained. The Google Play store listed the main UC browser plus "mini" and "turbo" versions, all in English.
"At the time of the writing," Cirlig wrote in his blog post, "these issues have not been fixed even after contacting Alibaba, with user browsing/location information being sent to UCWeb's servers in real time."
Source: https://www.tomsguide.com/news/uc-browser-incognito-snooping