The 4th largest mobile browser exfiltrates users’ data even in Incognito mode

Executive summary

UCWeb, a Chinese mobile internet company owned by Alibaba Group, is exfiltrating user browsing and search history from its products distributed on mobile devices around the world, even when the browser is used in incognito mode. This behavior is consistent on both Android and iOS devices.

“Your browsing history and search history won’t be recorded”
Source: StatCounter Global Stats

Setup

  • iOS/Android device with MITM proxy TLS certificate installed
  • Latest versions of UCWeb on both iOS and Android
  • MITM proxy capturing HTTP+HTTPS traffic
  • VPN with different exit points

General findings

The behavior differs slightly across platforms: on iOS the sensitive data is only gzipped, while on Android the traffic is additionally AES-encrypted after compression, which gives it some protection against snooping.

iOS

The requests are made over HTTPS and carry a binary body, which is gzip-compressed data with no password or additional encryption. Once we decompressed the data we observed the sensitive information.

The purple tint of incognito mode can be seen above
Clear evidence that incognito mode was used for navigating to the URL
Charles capture of the traffic
CyberChef recipe for decoding
  • Exact timestamp of when the navigation event happened
  • Complex geolocation data such as neighbourhood and town
  • IMEI and MAC address of the device (these fields appear to be left blank for now)
Section of uncompressed request in CyberChef
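To make the decoding step described for iOS (a gzip-compressed HTTPS body with no further encryption) reproducible against a MITM proxy capture, here is an added Python helper that is not part of the original post. The telemetry record, the watched hostname and the 7.5 bits/byte entropy threshold are constructed assumptions, and the Android AES layer is only flagged as opaque rather than decrypted, since the key and cipher mode are not reproduced here.

```python
import gzip
import math
import re
from dataclasses import dataclass, field

GZIP_MAGIC = b"\x1f\x8b"
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
# Unix epoch timestamps in seconds (10 digits) or milliseconds (13 digits)
EPOCH_RE = re.compile(rb"(?<!\d)(1[5-9]\d{8}(?:\d{3})?)(?!\d)")

# Constructed sample of what a decoded telemetry record might contain (not real capture data)
SAMPLE_RECORD = b'{"url":"https://example-incognito-test.net/private","ts":1557745230,"geo":"Neighbourhood, Town"}'

@dataclass
class Finding:
    encoding: str                     # "gzip", "opaque" or "plain"
    urls: list = field(default_factory=list)        # visited URLs leaked in the body
    timestamps: list = field(default_factory=list)  # navigation timestamps found

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, lower for text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts)

def inspect_body(body: bytes, watched: set) -> Finding:
    """Classify one captured request body and extract browsing-history artefacts.
    `watched` holds hostnames the tester deliberately visited in incognito mode."""
    if body.startswith(GZIP_MAGIC):
        plain, encoding = gzip.decompress(body), "gzip"   # the iOS case
    elif shannon_entropy(body) > 7.5:
        # Android bodies are AES-encrypted after compression (key recovery not shown
        # here); without the gzip magic and at near-maximal entropy, flag as opaque.
        return Finding(encoding="opaque")
    else:
        plain, encoding = body, "plain"
    urls = [u.decode("ascii", "replace") for u in URL_RE.findall(plain)]
    leaked = [u for u in urls if any(host in u for host in watched)]
    stamps = [int(t) for t in EPOCH_RE.findall(plain)]
    return Finding(encoding=encoding, urls=leaked, timestamps=stamps)

def constructed_sample() -> bytes:
    """Gzip the constructed record the way the iOS client compresses its payload."""
    return gzip.compress(SAMPLE_RECORD)

if __name__ == "__main__":
    print(inspect_body(constructed_sample(), {"example-incognito-test.net"}))
```

Feed each request body exported from the proxy to inspect_body with the set of hostnames you visited in incognito mode; any non-empty urls list is a confirmed leak of that session.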

Android

After installing the UC browser we noticed a lot of pingbacks to their servers even when the browser was used in incognito mode.

A lot of traffic to UCWeb servers within a few minutes
Visited domain exfiltration
Browser in incognito mode (notice the icon and the disclaimer)
AES key
Encrypted browsing history being sent
Decrypted browsing history

Domains of interest

