Exclusive: Alibaba's Huge Browser Business Is Recording Millions Of Android And iPhone Users' 'Private' Web Habits

www.forbes.com
4 min read
standard
UC Browser, one of the biggest web browsing apps in the world thanks to huge user bases in Asia, claims to respect user privacy. But it has been harvesting its users' website visits via its UC Browser app, even when incognito mode is turned on, researchers warn.
Alibaba Group has reportedly been concerned about Apple's privacy updates that try to put more power back into the hands of the user. Now one of its most popular apps has been taken down from the Apple App Store. (Photo Illustration by Thiago Prudencio/SOPA Images/LightRocket via Getty Images) SOPA Images/LightRocket via Getty Images

If you went to download Alibaba-owned app UC Browser this month, whether from Google's Android Play store or Apple's iOS App Store, you would have been promised that with its "incognito" mode, no web browsing or search history would be recorded. Such guarantees, alongside promises of fast download times, have made the app, created by Alibaba subsidiary UCWeb, incredibly popular across the world, with 500 million downloads on Android alone. Whilst Americans may not have heard of the app, according to one analysis, it's the fourth biggest browser by user numbers in the world, largely because of large user bases in Asia. Prior to a ban by the Indian government over security concerns linked to Chinese apps, it was reportedly one of the most popular browsers in India.

But the privacy pledges made by UCWeb are misleading, according to security researcher Gabi Cirlig. His findings, verified for Forbes by two other independent researchers, reveal that on both Android and iOS versions of UC Browser, every website a user visits, regardless of whether they're in incognito mode or not, is sent to servers owned by UCWeb. Cirlig said IP addresses - which could be used to get a user's rough location down to the town or neighborhood of the user - were also being sent to Alibaba-controlled servers. Those servers were registered in China and carried the .cn Chinese domain name extension, but were hosted in the U.S. An ID number is also assigned to each user, meaning their activity across different websites could effectively be monitored by the Chinese company, though it's not currently clear just what Alibaba and its subsidiary are doing with the…
Thomas Brewster
Read full article