If you went to download Alibaba-owned app UC Browser this month, whether from Google’s Android Play store or Apple’s iOS App Store, you would have been promised that with its “incognito” mode, no web browsing or search history would be recorded. Such guarantees, alongside promises of fast download times, have made the app, created by Alibaba subsidiary UCWeb, incredibly popular across the world, with 500 million downloads on Android alone. Whilst Americans may not have heard of the app, according to one analysis, it’s the fourth biggest browser by user numbers in the world, largely because of large user bases in Asia. Prior to a ban by the Indian government over security concerns linked to Chinese apps, it was reportedly one of the most popular browsers in India.
But the privacy pledges made by UCWeb are misleading, according to security researcher Gabi Cirlig. His findings, verified for Forbes by two other independent researchers, reveal that on both Android and iOS versions of UC Browser, every website a user visits, regardless of whether they’re in incognito mode or not, is sent to servers owned by UCWeb. Cirlig said IP addresses – which could be used to get a user’s rough location down to the town or neighborhood of the user – were also being sent to Alibaba-controlled servers. Those servers were registered in China and carried the .cn Chinese domain name extension, but were hosted in the U.S. An ID number is also assigned to each user, meaning their activity across different websites could effectively be monitored by the Chinese company, though it’s not currently clear just what Alibaba and its subsidiary are doing with the data. “This could easily fingerprint users and tie them back to their real personas,” Cirlig wrote in a blog post handed to Forbes ahead of publication on Tuesday.
Cirlig was able to uncover the problem by reverse engineering some encrypted data he spotted being sent back to Beijing. Once the key had been cracked, he was able to see that every time he visited a website, it was being encrypted and transmitted back to the Alibaba company. On Apple’s iOS, he didn’t even need to reverse engineer the encryption because there effectively was none on the device (though it was encrypted when in transit).
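The two behaviours the researchers describe, visited URLs leaving the device for a vendor host even in incognito mode and a per-user identifier that stays constant between sessions, are what a defender would look for in a proxy capture of any mobile browser. The following is an added illustration, not code from the article or from UC Browser: it runs over a small constructed capture (hostnames, field names such as `uid`, and all URLs are made up) in which app-level encryption and TLS are assumed to have been decoded already, and it flags both patterns.

```python
from urllib.parse import urlparse

# Constructed capture (not real UC Browser traffic): "nav" events are pages the
# user opened in the browser; "req" events are outbound requests seen on an
# intercepting proxy, with TLS and any app-level encryption already decoded.
# The telemetry hostname and the "uid" field are placeholders, not real values.
CAPTURE = [
    {"t": 1, "kind": "nav", "session": "A", "incognito": True,
     "url": "https://example.org/health/appointment"},
    {"t": 2, "kind": "req", "session": "A", "host": "example.org", "body": None},
    {"t": 3, "kind": "req", "session": "A", "host": "telemetry.placeholder-vendor.cn",
     "body": {"uid": "d1e2f3", "url": "https://example.org/health/appointment"}},
    {"t": 4, "kind": "nav", "session": "B", "incognito": True,
     "url": "https://example.net/search?q=privacy"},
    {"t": 5, "kind": "req", "session": "B", "host": "example.net", "body": None},
    {"t": 6, "kind": "req", "session": "B", "host": "telemetry.placeholder-vendor.cn",
     "body": {"uid": "d1e2f3", "url": "https://example.net/search?q=privacy"}},
    # A first-party call that only reports a path to the site itself is not a leak.
    {"t": 7, "kind": "req", "session": "B", "host": "example.net",
     "body": {"page": "/search"}},
]


def _strings_in(obj):
    """Yield every string value nested anywhere in a decoded request body."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from _strings_in(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _strings_in(value)


def incognito_url_leaks(events):
    """Return (url, host) pairs where a URL opened in incognito mode was sent,
    in full, to a host other than the site the user actually visited."""
    leaks = []
    for nav in (e for e in events if e["kind"] == "nav" and e.get("incognito")):
        site = urlparse(nav["url"]).hostname
        for req in events:
            if req["kind"] != "req" or req["body"] is None or req["host"] == site:
                continue
            if nav["url"] in _strings_in(req["body"]):
                leaks.append((nav["url"], req["host"]))
    return leaks


def persistent_identifiers(events, key="uid"):
    """Return identifier values that are sent in more than one browsing session.
    A value that never changes is what lets activity be tied back to one user."""
    sessions_by_value = {}
    for e in events:
        if e["kind"] == "req" and isinstance(e["body"], dict) and key in e["body"]:
            sessions_by_value.setdefault(e["body"][key], set()).add(e["session"])
    return {value for value, sessions in sessions_by_value.items() if len(sessions) > 1}


if __name__ == "__main__":
    for url, host in incognito_url_leaks(CAPTURE):
        print(f"incognito URL {url} was sent to {host}")
    print("identifiers stable across sessions:", persistent_identifiers(CAPTURE))
```

The first-party request at `t=7` is deliberately included so the check distinguishes a site reporting its own path from a browser shipping the full URL to an unrelated host; on a real capture the decoding step is the hard part, which is exactly where the reverse engineering described above came in.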
“This kind of tracking is done on purpose without any regard for user privacy,” Cirlig told Forbes. When compared to Google’s own Chrome browser, for instance, it does not transfer user web browsing habits when in incognito. Cirlig said he’d looked at other major browsers and found none did the same as UC Browser. He added that whilst cookies might track users in a similar way, this is very different to “the browser getting the URLs, putting them in a briefcase and running away with them.”
In a video, Cirlig proved just what was happening as he used UC Browser, including how a unique identity number had been attached to him.
There was another issue with the iOS version of the Alibaba-owned app: because it hadn’t been updated after Apple introduced a feature on the App Store to detail the privacy practices of each app, the harvesting of users’ web browsing was not disclosed to the user. As of last week, though, an unspecified, unannounced update to the App Store meant that tracking via unique identifiers and search histories was included in the privacy information for the app. There was no disclosure of web browsing monitoring, however.
But as of Tuesday morning, the English-language version of UC Browser was not accessible on the Apple App Store, though a Chinese-language version was available. (Cirlig said it did not appear that version was transmitting the same data). It’s unclear why the English version was removed, though it remains live on Google Play. At the time of publication, none of the companies – Alibaba, Apple or Google – had provided statements after repeated requests for comment.
Nicolas Agnese, an Argentina-based cybersecurity researcher who validated what was happening with the UCWeb app on iPhones, raised another issue: whilst iOS was “very secure” in some ways, he was concerned privacy-infringing practices could be allowed in apps once they get through the App Store review process.
According to a report in The Information in April, Alibaba, which has a $600 billion market cap, had been fretting about Apple’s App Tracking Transparency feature, which lets users block apps from tracking them. Alibaba’s business is fuelled by advertising that itself is powered by huge troves of users’ data. That one of its most popular mobile apps is now inaccessible on the Apple App Store is one of the first tangible signs that the iPhone maker’s hard line on privacy is causing significant issues for the likes of Alibaba.
This isn’t the first time that China’s tech giants have been found to be tracking users. The issues in UC Browser are not dissimilar to those found by Cirlig last year when he reviewed the security of Xiaomi’s browser, the default app for web searches on the Chinese giant’s phones. It was doing much the same, recording every website visited by a user, even when the user was in incognito mode. Even though Xiaomi denied the researchers’ findings, it later issued an update to the app allowing users to opt out of what it deemed anonymized, aggregated data collection. That news came just after Cirlig discovered that another Chinese app developer, Cheetah Mobile, which is listed on the New York Stock Exchange, had a security app with a “private” browser that was collecting information on internet use and Wi-Fi access point names, amongst other data. Cheetah said it required the data to help ensure users weren’t visiting dangerous websites and that the app was working correctly.