However, security researcher Gabi Cirlig believes that UCWeb’s privacy pledges are deceptive. His findings, which were independently verified for Forbes, show that on both the Android and iOS versions of UC Browser, every website a user visits, whether or not incognito mode is enabled, is sent to UCWeb servers. Cirlig added that IP addresses – which can be used to narrow a user’s approximate location down to a town or neighborhood – were also being sent to Alibaba-controlled servers. These servers were registered in China and used the Chinese domain extension .cn, but were physically located in the United States. Each user is also assigned an ID number, which means the Chinese company can effectively correlate a single user’s activity across many websites, though it is not yet clear what Alibaba and its subsidiary do with the data. Cirlig wrote in a blog post sent to Forbes ahead of publication on Tuesday, “This could easily fingerprint users and connect them to their real personas.”
Cirlig discovered the behavior after decrypting data he noticed being sent back to Beijing. Once he had recovered the key, he found that each time he visited a website, a record of the visit was encrypted and transmitted to the Alibaba subsidiary. On Apple’s iOS he did not even need to reverse engineer the app’s encryption, because there was effectively no application-layer encryption on the device; the data was protected only while in transit.
“This type of tracking is carried out deliberately and without regard for user privacy,” Cirlig told Forbes. Google’s own Chrome browser, by comparison, does not transmit users’ browsing habits when incognito mode is enabled. Cirlig said he examined other popular browsers and found that none behaved the way UC Browser does. While cookies may track users in a similar manner, he added, this is quite different from “the browser grabbing the URLs, stuffing them into a briefcase, and fleeing with them.”
In a video, Cirlig demonstrated what was happening while he used UC Browser, including how he was assigned a unique identifier.
Another issue with the Alibaba-owned app’s iOS version was that it had not been updated after Apple introduced privacy labels on the App Store, which detail each app’s data-collection practices. As a result, the harvesting of users’ web browsing was not disclosed to them at all. As of last week, an unannounced update to the app’s App Store listing added tracking via unique identifiers and search histories to its privacy information. Monitoring of web browsing, however, was still not disclosed.
As of Tuesday morning, the Apple App Store did not offer an English-language version of UC Browser, though a Chinese-language version was available. (Cirlig said that version did not appear to be transmitting the same data.) It is unknown why the English version was removed; it is still available on Google Play. None of the companies – Alibaba, Apple, or Google – had responded to repeated requests for comment at the time of publication.
Nicolas Agnese, an Argentine cybersecurity researcher who validated what the UCWeb app was doing on iPhones, raised another point: while iOS is “very secure” in some ways, he was concerned that privacy-infringing practices could make it through the App Store review process.
According to an April report in The Information, Alibaba, which has a market capitalization of $600 billion, had been concerned about Apple’s App Tracking Transparency feature, which allows users to block apps from tracking them. Alibaba’s business is fueled by advertising, which is in turn fueled by massive amounts of user data. The fact that one of its most popular mobile applications is now unavailable on the Apple App Store is one of the first tangible signs that Apple’s strict stance on privacy is causing significant problems for companies like Alibaba.
This is not the first time China’s tech behemoths have been accused of tracking users. Cirlig found similar behavior last year when he reviewed Xiaomi’s browser, the default app for web searches on the Chinese giant’s phones. It was doing much the same thing, recording each website a user visited, even in incognito mode. Although it denied the researchers’ findings, the company later updated the app to let users opt out of what it described as anonymized, aggregated data collection. Cirlig also found that Cheetah Mobile, another Chinese app developer and one listed on the New York Stock Exchange, was using a security app with a “private” browser to collect data on internet use and Wi-Fi access point names, among other things. Cheetah stated that it needed the data to ensure users did not visit malicious websites and that the app functioned properly.