[liberationtech] New Citizen Lab Report

[Ronald Deibert]

Hi LibTech

I am pleased to announce a new Citizen Lab report, entitled "A Chatty Squirrel: Privacy and Security Issues with UC Browser."  Links to the report and some supplementary documents, as well as a summary of key findings are outlined below.

The CBC is publishing a related news item here http://www.cbc.ca/news/canada/spy-agencies-target-mobile-phones-app-stores-to-implant-spyware-1.3076546

The Intercept is also publishing a news item here: https://citizenlab.org/2015/05/a-chatty-squirrel-privacy-and-security-issues-with-uc-browser/

A Chatty Squirrel: Privacy and Security Issues with UC Browser
https://citizenlab.org/2015/05/a-chatty-squirrel-privacy-and-security-issues-with-uc-browser/

Authors: Jakub Dalek (lead), Katie Kleemola (lead), Adam Senft (lead), Christopher Parsons, Andrew Hilts, Sarah McKune, Jason Q. Ng, Masashi Crete-Nishihata, John Scott-Railton, Ronald Deibert

Read our primer on mobile privacy and security.

Read the summary: Privacy and security issues with UC Browser.

Read the summary in Chinese: 啰嗦的松鼠：UC浏览器的隐私与安全问题

Overview

UC Browser is the most popular mobile web browser in China and India, boasting over 500 million users. This report provides a detailed analysis of how UC Browser manages and transmits user data, particularly private data, during its operation. Our research was prompted by revelations in a document leaked by Edward Snowden on which the Canadian Broadcasting Corporation (CBC) was preparing a story. The CBC contacted us requesting our comment. The document, apparently prepared in 2012 by Canada's signals intelligence agency, the Communications Security Establishment (CSE), noted the existence of security vulnerabilities in UC Browser. Given the Citizen Lab's ongoing research into popular Asian communications tools, and the possibility of vulnerabilities affecting a large number of users, we decided to conduct an independent investigation of UC Browser. While media outlets are publishing a story about the CSE document, we cannot determine if the problems we identify in UC Browser and that are described in this report are identical to those referenced in the 2012 CSE document.

Summary of findings

We have identified a series of major security and privacy issues in the English language and Chinese language editions of the Android version of UC Browser. Our notification to the parent companies is described below in detail. We found that both versions of the application leak a significant amount of personal and personally-identifiable data; as a result, any network operator or in-path actor on the network can acquire a user’s personally identifiable information (including cellular subscriber information, mobile device identifiers, geolocation data, and search queries) through trivial decrypting of traffic or by observing unencrypted traffic. Specifically, the issues we found include:

Transmission of personally identifiable information and user search queries without encryption:

User data, including IMSI, IMEI, Android ID, and Wi-Fi MAC address are sent without encryption to Umeng, an Alibaba analytics tool, in the Chinese language version.
User geolocation data, including longitude/latitude and street name, are transmitted without encryption by AMAP, an Alibaba mapping tool, in the Chinese language version.
User search queries are sent without encryption to the search engine Shenma (in the Chinese language version) or Yahoo! India and Google (in the English language version).
Reason for concern: The transmission of personally identifiable information, geolocation data and search queries without encryption represents a privacy risk for users because it allows anyone with access to the data traffic to identify users and their devices, and collect their private search data.

Transmission of personally identifiable information and geolocation data with easily circumvented encryption:

Location and user data, including IMSI, IMEI, and data about nearby cellular towers and Wi-Fi access points, are sent with easily circumvented encryption by AMAP, an Alibaba mapping tool, in the Chinese language version.
Reason for Concern: UC Browser’s transmission of personally identifiable subscriber data, mobile device identifiers, and user geolocation data without effective encryption presents a security and privacy risk for users.

Private user data is retained on the device even after clearing the application’s cache:

In the Chinese language version, when users attempt to delete their private data by clearing the application’s cache their DNS lookups are not deleted.
Reason for concern: The cached record of DNS lookup data would allow for a third party with access to the device to identify the websites that a user visited.

This report is a continuation of our prior work examining the security and privacy of popular mobile applications in Asia. Our previous research includes investigations of censorship practices of search engines offered by Google, Microsoft, and Yahoo! in the Chinese market along with domestic Chinese search engine Baidu. In addition, we have analyzed keyword censorship and surveillance in TOM-Skype (the Chinese version of Skype at the time) and keyword censorship in Sina UC, another Chinese instant messaging platform. We are currently conducting comparative analysis of mobile chat applications used in Asia including WeChat, LINE, and KakaoTalk.

Notification

We disclosed our findings to Alibaba and UCWeb on April 15, 2015, and informed them that we would publish this report on or after April 29, 2015. Alibaba responded to our notification on April 19, 2015, indicating that their security engineers were investigating the issue. We followed up on April 23, 2015 to reiterate our intention to publish this report on or after April 29, 2015. As of May 19, 2015 we have not received further communication from Alibaba or UCWeb.

On May 19, 2015 we tested version 10.4.1-576 of the Chinese language version of UC Browser, which was downloaded from the uc.cn website. This version does not appear to send location data insecurely to AMAP as described in this report. However, the issues we describe in this report relating to insecure data transmission to the Umeng component, as well the lack of encryption on search queries, remain in this version. Users who use the Chinese version of UC Browser should upgrade the application and ensure they are running version 10.4.1-576 or above.

Ronald Deibert
Director, the Citizen Lab 
Munk School of Global Affairs
University of Toronto
(416) 946-8916
PGP: http://deibert.citizenlab.org/pubkey.txt
http://deibert.citizenlab.org/
twitter.com/citizenlab
twitter.com/rondeibert
r.deibert at utoronto.ca



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20150521/cb036116/attachment.html>