This iPhone, Android browser harvests user data even in incognito mode

The UC browser's Google Play listing, as displayed on an Android phone.

(Image credit: Sharaf Maksumov/Shutterstock)

One of the globe's leading web browsers harvests users' locations, browsing history and identification data from iOS and Android devices and sends it to Chinese servers even when in incognito mode, security researchers say.

The UC browser, fabricated and marketed by UCWeb, a subsidiary of the Chinese internet giant Alibaba, "is exfiltrating user browsing and search history from its products distributed on mobile devices around the earth even when the browser is used in incognito mode," wrote London-based researcher Gabi Cirlig in a blog post yesterday (June i). "This beliefs is consistent on both Android and iOS devices."

Chrome vs. Firefox vs. Edge: Which browser gobbles upwardly the most RAM?
The best Android browsers
Plus: Apple teases homeOS — is a new smart dwelling house platform on the way?

Like Chrome, Firefox and Safari, UC states its incognito way is individual, Cirlig wrote. The brower's Google Play page says that Incognito Fashion provides "browsing without leaving any history, cookies, caches, etc." and that "Incognito way makes your browsing and watching experience perfectly private and hole-and-corner."

Cirlig told Forbes that other browsers he examined, including Chrome, did not practice these things while in Incognito Fashion.

UC is fourth-ranked globally among web browsers, according to a Statcounter screenshot Cirlig posted, although its share amounted to simply ii.3% of the worldwide market. The main Android version of the UC browser has more than 500 meg installations just from Google Play, which can't be accessed in Prc.

A 2018 Wall Street Journal piece said UC was "dethroning Google in Asia" exterior China. Forbes' Thomas Brewster noted that UC had many users in India until that state banned dozens of Chinese apps in mid-2020 following a mortiferous edge skirmish between the two nations.

Nonetheless, the browser has long been regarded equally rather snoopy. Documents leaked by former NSA contractor Edward Snowden showed that Canadian intelligence institute in the early 2010'south that the UC browser leaked a lot of sensitive data, behavior that continued until at least 2015.

Hoovering upward your information

Working with Argentina-based researcher Nicolas Agnese, Cirlig found that the UC browser hoovers up a telephone's network-interface ID (MAC accost), phone hardware ID (IMEI), phone series number, Os version, phone type, browsing history, search queries, IP address and time zone, sending it all to Chinese-registered servers even when in incognito way on iOS or Android.

It besides sends a unique proprietary device ID that seems to be specific to the UC browser, which Cirlig noted "could hands fingerprint users and tie them dorsum to their real personas."

With all this information, users can be tracked and monitored both physically and across the internet, a far cry from the "perfectly private and hole-and-corner" experience promised.

Forbes had Cirlig and Agnese's findings verified by Andrew Tierney, a well-regarded British security reseacher.

Here'southward a YouTube video of data beingness harvested from the UC browser running in Incognito Mode from an emulated phone.

Worse on iOS than on Android

The pair discovered that the UC browser was a bit "meliorate" about how it handled this sensitive information on Android than it was on iOS, regardless of the fact that this sort of information collection shouldn't be happening at all.

On iOS, the personal data was compressed but not encrypted earlier it was transmitted to the Chinese servers, pregnant anyone who intercepted the traffic could read it. [Or maybe not; please encounter beneath.] On Android, the data was both compressed and encrypted, although Cirlig and Agnese plant a decryption key buried in the UC browser app'south source lawmaking.

[ Correction : Agnese reached out to us later this story was published to point out that the data existence transmitted by the iOS version of the UC browser was indeed encrypted because it went out over a standard secure browser-to-server HTTPS connectedness. Cirlig and Agnese had run their tests using their own HTTPS certificate, which meant they could easily decrypt HTTPS data.

To read the information transmitted by the iOS version of the UC browser, you'd accept to break or evade TLS, the encryption standard used past most web browsers. This can be done using a number of methods, but that's outside the scope of this slice.]

As of Wednesday (June two), the English-language version of the UC browser was gone from Apple'southward App Store in nearly countries, but the Chinese-language one remained. The Google Play store listed the main UC browser plus "mini" and "turbo" versions, all in English language.

"At the time of the writing," Cirlig wrote in his blog post, "these issues have non been fixed even subsequently contacting Alibaba, with user browsing/location data existence sent to UCWeb's servers in real fourth dimension."

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul commuter, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel give-and-take at the CEDIA home-technology briefing. You can follow his rants on Twitter at @snd_wagenseil.