February 23, 2016
Toronto, ON – A new report from the University of Toronto’s Citizen Lab reveals that Baidu Browser, a popular mobile browser based in China and used by millions of people, has many privacy and security issues that could put users’ communications at risk.
Baidu Browser is available in both an Android and Windows version, and the researchers found both contain several problems. The Android version transmits data such as a user’s search terms, GPS coordinates, and URLs visited in the browser to Baidu servers without encryption. Other data are sent with easily decryptable encryption. Similarly, the Windows version of the app transmits a user’s search terms, hard drive serial number, wireless MAC address, URL and title of visited web pages and CPU model number without encryption or with easily decryptable encryption.
The researchers’ analysis also shows that many of the leaks of sensitive information are the result of an analytics software development kit (SDK). The researchers identified this SDK as being used in hundreds of additional applications, developed by both Baidu and third parties, in the Google Play Store, and in thousands of applications in one popular Chinese app store, potentially affecting millions of other users in a kind of “collateral exposure.”
The unencrypted and poorly encrypted transmission of this information places sensitive user data at risk of being exposed to surveillance by a number of intermediaries, including a user’s ISP, wireless network operator, mobile carrier or a malicious actor with network visibility.
In addition, neither the Windows nor the Android version of the application protected software updates with code signatures, meaning that a malicious actor with network visibility could cause the application to download and run arbitrary code. This vulnerability could potentially lead to malicious code being installed on a user’s device without their knowledge.
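To illustrate the missing control described above, here is an added example (not code from the Citizen Lab report or from Baidu) of an updater that accepts a package only if its signature verifies under a vendor public key pinned in the client. The key pair, the package bytes and the tampered copy are all constructed inline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is what the client receives from the update server: the package
// bytes plus a detached Ed25519 signature over their SHA-256 digest.
type Update struct {
	Package   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify")

// SignUpdate is the vendor-side step; only the build infrastructure holds priv.
func SignUpdate(priv ed25519.PrivateKey, pkg []byte) Update {
	digest := sha256.Sum256(pkg)
	return Update{Package: pkg, Signature: ed25519.Sign(priv, digest[:])}
}

// VerifyUpdate is the client-side check the report found absent: the package
// is installed only if its signature verifies under the pinned vendor key,
// so an intermediary who swaps the download cannot get it executed.
func VerifyUpdate(pub ed25519.PublicKey, u Update) error {
	digest := sha256.Sum256(u.Package)
	if !ed25519.Verify(pub, digest[:], u.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	// Constructed key pair standing in for the vendor's pinned signing key.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u := SignUpdate(priv, []byte("browser-update-v1.bin (constructed)"))
	fmt.Println("genuine update:", VerifyUpdate(pub, u))

	// Same metadata, but the package body was replaced in transit.
	u.Package = []byte("replaced-in-transit (constructed)")
	fmt.Println("tampered update:", VerifyUpdate(pub, u))
}
```

The check is on the package itself, so it holds even when the transport is unencrypted, which is exactly the situation the report describes.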
The Citizen Lab, an interdisciplinary research group at the Munk School of Global Affairs, University of Toronto, has an ongoing research project on the privacy and security of popular mobile applications used in Asia. In May 2015, Citizen Lab research identified similar security concerns with UC Browser, a popular mobile web browser owned by China-based e-commerce giant Alibaba.
“When you’re using the browser, Baidu and anyone monitoring your traffic can use your hardware’s serial numbers to track your GPS location, nearby wireless networks, and every unencrypted and encrypted web page you visit,” says Jeffrey Knockel, Senior Researcher at the Citizen Lab, Munk School of Global Affairs, University of Toronto. “Even if you’re not using their browser, third-party apps using their analytics SDK have similar leaks. Most users would have no way of knowing their personal data was being transmitted this way and would be unable to prevent it. The extent of these issues and the ease with which they were found suggests that security researchers need to better engage with software companies in foreign markets.”
Citizen Lab researchers notified Baidu of these security issues in November 2015 and Baidu released updates in February 2016. Analysis shows that while some of the issues have been remedied in the updated versions, many of the security issues identified remain unresolved.
“The digital ecosystem that surrounds us and to which we entrust our thoughts, habits, and movements is built upon a constantly shifting, often insecure, and yet highly interconnected foundation of millions of devices and applications,” says Ron Deibert, Director of the Citizen Lab at the Munk School of Global Affairs and Professor of Political Science at the University of Toronto. “Our analysis of Baidu Browser shows precisely why lifting the lid on this ecosystem is not only important for the protection of users’ privacy and security, it should be seen as an urgent civic imperative.”
For media inquiries, contact:
Public Affairs & Engagement
Munk School of Global Affairs
University of Toronto
Guide on Citing in Media
Title: Baidu’s and Don’ts: Privacy and Security Issues in Baidu Browser
Published By: The Citizen Lab, Munk School of Global Affairs, University of Toronto
Publication Date: 22 February 2016
Report URL: https://citizenlab.org/2016/02/privacy-security-issues-baidu-browser