The 4th largest mobile browser exfiltrates users’ data even in Incognito mode

Gabi Cirlig
6 min readJun 1, 2021

--

Executive summary

UCWeb, a Chineses mobile internet company owned by Alibaba Group is exfiltrating user browsing and search history from its products distributed on mobile devices around the world even when the browser is used in incognito mode. This behavior is consistent on both Android and iOS devices.

UCWeb advertises the product incognito mode to be a private & secure way of browsing the internet. However, they are exfiltrating the users activity to UCWeb’s servers.

“Your browsing history and search history won’t be recorded”

UC Browser, the company’s main product, is the 4th largest browser on the mobile market.

Source: StatCounter Global Stats

However, upon a closer scrutiny by me and fellow researcher Nicolas Agnese we found… well… this:

Setup

  • iOS/Android device with MITM proxy TLS certificate installed
  • Latest versions of UCWeb on both iOS and Android
  • MITM proxy capturing HTTP+HTTPS traffic
  • VPN with different exit points

Note: You need a transparent proxying system for Android as no data will be sent if a proxy is detected.

General findings

The behavior is a bit different across platforms. While for iOS the sensitive data is just gzipped, on Android additional care against snooping is taken with traffic being AES encrypted after its compression.

While the format differs, the overall behavior is the same. The browser will send to UCWeb’s servers data usage logs including detailed information of browsed URLs and searched terms, device details and other sensitive information.

iOS

The requests are made over HTTPS connections, and contain binary data, which is gzip compressed data with no password nor additional encryption. Once we decompressed the data we observed the sensitive information.

This behavior was observed regardless of the IP our device was browsing from, including US, Europe and India. Details about browsing activity in incognito mode were also exfiltrated with the same level of detail.

Upon launching an incognito tab the user would expect to not have any of the metadata sent outside of its device, just as modern browsers minding users privacy behave, and as advertised on the UC Browser’s website (https://www.ucweb.com/).

However, only a few seconds after visiting the website the team discovered that the whole browsing history (even while in incognito mode) is sent to the UCWeb servers. Just by leveraging a MITM proxy and Gunzipping the traffic any researcher can duplicate these findings:

The purple of the incognito mode can be seen above
Clear evidence that incognito mode was used for navigating to the URL
Charles capture of the traffic

The request is easy to decode, we can just Gunzip it and get to the decoded data:

CyberChef recipe for decoding

In addition to that, the data is annotated with the following:

  • Unique serial number of the device (internal to UCWeb)
  • Exact timestamp of when the navigation event happened
  • Complex geolocation data such as neighbourhood and town
  • IMEI and MAC of the device (seems to be left blank for the moment though)

Device details are sent in lines starting with: lt=uc:

Section of uncompressed request in CyberChef

Browsing details are sent in lines starting with lt=ev and ct=eagle_eye:

Section of uncompressed request in CyberChef

Other values in ct are: normal, infrastructure, int_news_flow, cards_flow, video, develop and monitor.

Search queries are logged with: […]`ev_na=search`[…]`from=private:

Section of uncompressed request in CyberChef

These also contain the searched query and the UI source, indicating where it originated. Either in an incognito mode tab (private) or some other tab (home_l).

Android

After installing the UC browser we noticed a lot of pingbacks to their servers even when the browser was used in incognito mode.

A lot of traffic done in a few minutes towards UCWeb servers

By manually inspecting the bodies of the request we can already see that they are sending the domains visited to their servers:

Visited domain exfiltration

However, this is not enough as I want to get conclusive proof on the amount of data being exfiltrated from my device.

After firing up an AES interceptor we managed to inspect some of the strings being encrypted by the app:

{“w_tm”:”1621365464",”w_bid”:”u4_default”,”w_url”:”http:\/\/www.winnie-pooh.org\/pooh-stories.htm","ps":"com.UCMobile.intl","pid":"22318","stime":"1623345420651","type":"pvuv","fr":"android","mcc":"denied","pkg":"com.UCMobile.intl","vcode":"50186","dsp_w":"1080","rom":"10","dsp_d":"300","wid":"76b24e88-a1dd-4256-a4dc-1c99be62ff74","tmem":"7659","sdkver":"1.0.0.8","ctime":"1621365464","model":"RMX1971","lang":"en","dsp_dpi":"480","net":"wifi","brand":"realme","dsp_h":"2132","ver":"13.4.0.1306","product":"UCMobile","mnc":"denied","ip":"185.226.144.94","bsver":"inapppatch64","bver":"13.4.0.1306","bserial":"210428170421","appid":"UCMobileIntl","amem":"3424","sdk":"29","tzone":"Asia\/Jayapura","crver":"4.1.1.0","crserial":"210426141251"}

The data exfiltration happened in incognito mode:

Browser in incognito mode (notice the icon and the disclaimer)

In order to validate that the data encrypted is the one that’s actually sent over the wire we dived deep into the code so we can find a way to decrypt the live traffic. By hooking all the AES calls and manually checking each of them we discovered a stack trace of the request that produced the JSON above:

By reversing the APK using JADX we can find the code snippet ingesting the above ciphertext.

Data encrypted before being sent over the wire

The Cipher object above is instantiated with a hardcoded IV of 0x0 and the bytes contained in the key string QcBe1t#jvn9$ea8f

AES key

The function above is fed a gzip of the JSON which is then pushed to px-intl.ucweb[.]com/v1/raw/upload

Encrypted browsing history being sent

By leveraging the decryption key above we can decode the ciphertext and inspect the payload sent over the wire (CyberChef link):

Decrypted browsing history

Seen above can be a visit to a website just opened in the browser as per the iOS example. In addition to the visited URL the browser sends the IP of the user and a proprietary ID which seems to have been the same over the duration of the analysis. This could easily fingerprint users and tie them back to their real personas.

To reiterate, as it can be seen below, the website was opened in incognito mode:

It’s not consistent with the privacy representation UCWeb made for the browser to send anything to any logging server while the incognito mode is on. However, this is not the case. In addition, the domain where the data is sent is listed under a Chinese registrar but has US IPs:

This is not the first time UCWeb had privacy issues. While the findings are no longer applicable (the exfiltration mechanism/endpoints were changed), the problem remains nonetheless. At the time of the writing these issues have not been fixed even after contacting Alibaba, with user browsing/location data being sent to UCWeb’s servers in real time.

Domains of interest

Domain

gjapplog[.]uc[.]cn

Registrar

China Internet Network Information Center (CNNIC

Creation Date

2003–03–17

Expiration Date

2022–03–17

IP Address

168.235.204[.]12

157.185.133[.]31

157.185.133[.]129

8.37.236[.]197

Country

CN

Domain

px-intl[.]ucweb[.]com

Registrar

Alibaba Cloud Computing (Beijing) Co., Ltd.

Creation Date

2003–05–20

Expiration Date

2023–05–20

IP Address

157.185.188[.]1

157.185.128[.]218

157.185.128[.]213

Country

CN

--

--

Gabi Cirlig
Gabi Cirlig

Written by Gabi Cirlig

Software developer turned rogue

No responses yet