REDWOOD CITY, Ca. – Techdirt readers know that the Chinese authorities have been steadily tightening their grip on most aspects of online life in the country, but there’s one area that hasn’t been mentioned much: the Web browser.
Recently, a new report from the University of Toronto’s Citizen Lab identified security and privacy issues in QQ Browser, a mobile browser produced by the China-based Internet giant Tencent.
The Android version of the browser transmits personally identifiable data, including a user’s search terms, the URLs of visited websites, nearby WiFi access points, and the user’s IMSI [International Mobile Subscriber Identification] and IMEI [International Mobile Equipment Identifier] identifiers, without encryption or with easily decrypted encryption. Similarly, the Windows version sends personally identifiable data, including the URL of all pages visited in the browser, a user’s hard drive serial number, MAC address, Windows hostname, and Windows user security identifier, also without encryption or with easily decrypted encryption.
Now, this could just be the result of some supremely sloppy coding combined with lax privacy practice — in theory, at least. But that generous interpretation becomes rather harder to sustain when you bear in mind that this is not the first time Citizen Lab has found this behavior. To be precise, this is the third time. Last month, it discovered that Baidu Browser, a free Web browser for the Windows and Android platforms produced by Baidu, one of China’s biggest tech companies, has strikingly similar problems to QQ Browser:
The report identifies security concerns in both the Windows and Android versions of the browser that may expose personal user data, including a user’s geolocation, hardware identifiers, nearby wireless networks, web browsing data and search terms. Such user data is transmitted, in both the Windows and Android versions, unencrypted or with easily decryptable encryption, which means that any in-path actor could acquire this data by collecting the traffic and performing any necessary decryption. In addition, neither version of the application secures its software update process with a digital signature, which means that a malicious in-path actor could cause the browser to download and execute arbitrary code.
And before that, back in May last year, the same researchers found unauthorized transmission of personal data by another widely-used browser:
UC Browser is among the most popular mobile apps in the Chinese Internet space. UC Browser claims to have more than 500 million registered users, and is reported to be the most popular mobile browser in China and India. Overall, the application is the fourth most popular mobile browser globally, and is behind only pre-installed Chrome, Android, and Safari browsers.
To read more, click on https://www.techdirt.com/articles/20160330/07355534055/china-considers-cutting-itself-off-global-internet-as-three-home-grown-browsers-are-found-leaking-personal-data.shtml




