Skip to main content

PSA: Chinese UC Browser on iOS harvests your data even in incognito mode

Okay, it’s a rather obvious PSA not to install a Chinese web browser on your iPhone, but Alibaba’s UC Browser is actually the fourth most popular browser in the world by user numbers, and the eighth most downloaded mobile app in the last decade …

A security researcher – whose work has been verified by two others – has found that UC Browsers is about as big a privacy nightmare as you can imagine. It not only logs every website you ever visit and sends it to an Alibaba-owned server, it does this even in incognito mode. Oh, and it captures your IP address, too.

Forbes reports.

If you went to download Alibaba-owned app UC Browser this month, whether from Google’s Android Play store or Apple’s iOS App Store, you would have been promised that with its “incognito” mode, no web browsing or search history would be recorded. Such guarantees, alongside promises of fast download times, have made the app, created by Alibaba subsidiary UCWeb, incredibly popular across the world […]

But the privacy pledges made by UCWeb are misleading, according to security researcher Gabi Cirlig. His findings, verified for Forbes by two other independent researchers, reveal that on both Android and iOS versions of UC Browser, every website a user visits, regardless of whether they’re in incognito mode or not, is sent to servers owned by UCWeb. Cirlig said IP addresses – which could be used to get a user’s rough location down to the town or neighborhood of the user – were also being sent to Alibaba-controlled servers […]

Cirlig was able to uncover the problem by reverse engineering some encrypted data he spotted being sent back to Beijing. Once the key had been cracked, he was able to see that every time he visited a website, it was being encrypted and transmitted back to the Alibaba company. On Apple’s iOS, he didn’t even need to reverse engineer the encryption because there effectively was none on the device (though it was encrypted when in transit).

Cirlig provides a video capture of the data, including a unique ID assigned to him by the browser, which you can watch below. Full details can be found in a Medium blog post.

Other Chinese browsers have been found in the past to do the same thing, including one pre-installed on Xiaomi phones.

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Ben Lovejoy Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!


Ben Lovejoy's favorite gear

Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications