25th USENIX Security Symposium

In this position paper, we summarize our technical analysis of the security and privacy vulnerabilities in three web browsers developed by China’s three biggest web companies: UC Browser, QQ Browser and Baidu Browser; developed by UCWeb (owned by Alibaba), Tencent and Baidu, respectively. We found them to consistently contain sensitive data leaks and remote code execution vulnerabilities in their update processes. Despite the massive user bases of these browsers, particularly in China, there has been limited attention paid to the applications by the information security research community. This lack of attention is problematic, as it is known that the insecure transmission of personal user data by UC Browser has been used by the intelligence community to perform surveillance. We conclude by evaluating explanations for why this class of apps has such uniform security and privacy issues, and recommend researchers better engage software development companies in developing and newly industrialized economies.