Privacy and security vulnerabilities
In May 2015, the American National Security Agency (NSA) documents leaked by whistleblower Edward Snowden indicated that UC Browser leaks sensitive data like international mobile subscriber identities, international mobile station equipment identities, MSISDN's, Android ID's, MAC addresses, and geolocation and Wi-Fi-related data without any encryption.[12] These leaks are used by intelligence agencies to track users. The documents also revealed that the Australian Signals Directorate (ASD) had identified UC Browser as a security weak point. Its widespread use in China, India and Indonesia made it particularly attractive to ASD's exploits. The Snowden documents revealed that in cooperation with its Five Eyes partners, ASD hacked the UC Browser and infected smartphones with spyware. The ASD declined to comment in relation to the revelations.[13]
Following the leaks, the Citizen Lab based at the University of Toronto published an independent report corroborating numerous privacy and security issues with both the English language and Chinese language editions of the Android version of UC Browser.[14][15][16][17][18] The report criticized the transmission of personally identifiable information to various commercial analytics tools and the transmission of user search queries without encryption. They also managed to bypass the encryption of UC Browser, leading them to accuse UCWeb of using non-effective encryption systems to transmit personally identifiable subscriber data, mobile device identifiers, and user geolocation data.[19]
In May 2016, Alibaba Group provided Citizen Lab with updated versions of UC Browser in order to verify their security fixes to these issues. The subsequent update published by Citizen Lab indicated that not all of the previously identified data leaks and privacy breaches had been fixed in UC Browser.[20][21]
In 2017, the Centre for Development of Advanced Computing (C-DAC), a scientific research unit within India's Ministry of Electronics and Information Technology (MEITY), began a technical investigation into the "several major privacy and security vulnerabilities that would seriously expose users of UC Browser to surveillance and other privacy violations" alleged in the report.[22] C-DAC found that the browser (which was the second-most-used browser in India) had been sending user data to Chinese servers and that it retains control over a user's device DNS even after the browser is deleted.[23]
In March 2019, analysts at the anti-malware firm Doctor Web publicly disclosed that UC Browser and UC Browser Mini for Android were downloading and installing extra modules from the company's own servers via an unprotected HTTP channel.[24] This exposed browser users to potential arbitrary remote code execution if an attacker was able to perform a man-in-the-middle attack to deliver malicious module (but no cases of exploitation were publicly disclosed). Furthermore, this violates Google Play policies that forbid Google Play apps from downloading any executable code from any sources outside of Google Play. In June 2020, a new version of its UC browser was added to the Google Play store with updated settings that comply with the store's security guidelines.[25]
In May 2019, Indian security researcher Arif Khan reported that the URL address bars on the UC Browser and UC Browser Mini apps were susceptible to URL spoofing.[26][27]
In June 2021, it was discovered that the app was recording user data and sending IP addresses to Alibaba servers.[28]