Updated at August 24, 2017:
“We will not breach trust of our users” – UCWeb’s response to the allegation. They said that it was a common practice for IT companies to place servers all around the globe to provide better service to its users. They are collecting user information and data in necessary scenarios to provide localized services. They also take necessary authorization from users to collect this data and have strong measures in place to encrypt the same. Their end-user licensing agreement also protects the interest of its users.
Our original story from Friday, August 25, 2017, follows:
India Government has now turned its attention towards mobile apps which are sending unencrypted user data abroad. This move has come soon after sending notices to foreign mobile vendors asking to set up servers in India. The app of interest is UC Browser from the Chinese Internet company UC Web, under Alibaba Group of China. Let’s see some supporting studies revealing the type of data being sent to servers abroad.
A Chatty Squirrel
Owing to the large user base of UC Browser, researchers were keen to find out the security provided by this app. With over 500 Million downloads, the browser is having two official and many fake counterparts in the app stores. This itself shows how the app is causing confusion among users even from the download. Researchers at Citizen Lab found several privacy and security issues with this browser on detailed analysis. Some excerpts from their analysis are given below.
The browser has two inbuilt components from AMAP and Umeng owned by Alibaba. These components collect and send device identifiers and location for statistical purposes. Even though the app is obtaining user’s permission for this, it is being sent without proper encryption and is stored in servers outside country’s jurisdiction. It is also not made clear to the user how this data will be used and shared. Hence, any authorities, criminals, or other third parties can access and use this data. In 2015, Snowden’s leak also pointed out that intelligence agencies are using this data to track down users and install spyware in many devices.
- Device info sent unencrypted: IMSI, IMEI, Build serial number, Android ID, and Wi-Fi MAC address.
- Search queries sent unencrypted
- Location data received unencrypted: longitude/latitude and street name
- Device and location sent with breakable encryption: IMSI, IMEI, MCC, MNC, LAC, CellId, nearby cellular towers and Wi-Fi access points
UC Web is also running gift voucher giveaways to force users switch to their browser in all platforms. The browser also shows fake green tick mark in unsafe web pages making the user feel secure. They are also into partnership with content writers, app developers and media production companies for widening the market in India. Seems like Government’s sudden interest in their apps isn’t going to favor them.
A Government lab in Hyderabad is currently probing this app and several others to get more answers. On one side, this might be good for the vast user base of UC Browser, who rely on it mainly for downloads and data compression. But looking at the other side of the coin, any agency can access and use the leaks of such apps, you got the point?. The present military stand-off between India and China in Doklam made the Ministry of Electronics and Information Technology (MeitY) to consider this as a security issue. Hope you enjoyed the article, Peace!