One of the world's leading web browsers is acquiring user location, browsing history, and identification data from iOS and Android devices and sending it to servers in China even when in incognito mode, security researchers have found.

The UC Browser, manufactured and marketed by UCWeb, a subsidiary of Chinese Internet giant Alibaba, "leaks users' browsing and search history from products distributed to mobile devices worldwide even when the browser is used in incognito mode," London based researcher Gabi Cirlig wrote in a blog post yesterday (June 1). This behavior is consistent across both Android and iOS devices."

Like Chrome, Firefox, and Safari, UC states that its incognito mode is private, Cirlig wrote. The browser's Google Play page states that Incognito mode offers "browsing without leaving history, cookies, cache, etc." and that "Incognito mode makes your browsing and viewing experience completely private and confidential."

Cirlig told Forbes that other browsers he looked at, including Chrome, did not do these things during Incognito mode.

According to a Statcounter screenshot posted by Cirlig, UC is the fourth largest web browser in the world, but its share of the global market is only 2.3%; the main Android version of the UC browser is not accessible in China, Google Play alone has 500 It has more than 500 million installations.

A 2018 Wall Street Journal article stated that outside of China, UC is "fending off Google in Asia"; Forbes' Thomas Brewster noted that UC had many users in India.

However, the browser has long been considered rather snoopy. According to documents leaked by former NSA contractor Edward Snowden, Canadian intelligence discovered in the early 2010s that the UC browser was leaking a lot of sensitive data, a behavior that continued until at least 2015.

Working with Argentina-based researcher Nicolas Agnese, Carrig discovered that UC Browser leaked information on cell phone network interface ID (MAC address), cell phone hardware ID (IMEI), cell phone serial number, OS version, cell phone type, browsing history, search queries, IP address, and time zone, and found that it sends all of this information to a Chinese registration server, even when in incognito mode on iOS or Android.

It also sends a unique device ID that appears to be specific to the UC browser, which Cirlig noted "could easily fingerprint a user and tie them to a real persona."

With all this information, users could be tracked and monitored both physically and over the Internet, a far cry from the promised "completely private and confidential" experience.

Forbes had Andrew Tierney, a prominent British security researcher, review the findings of Cirlig and Agnese.

Below is a YouTube video of data being harvested from a UC browser running in Incognito mode from an emulated cell phone.

The two found that the UC browser was slightly "better" on Android than on iOS in how it handled this sensitive information, regardless of the fact that this type of data collection should not happen at all.

On iOS, personal data was compressed but not encrypted before being sent to the Chinese servers. [On Android, the data was compressed and encrypted, but Cirlig and Agnese found the decryption key buried in the source code of the UC browser app.

[CORRECTION: After this article was published, Agnese contacted us and pointed out that the data the iOS version of the UC browser was sending was indeed encrypted because it was being sent over an HTTPS connection from a standard secure browser to the server Cirlig and Agnese performed the test using their own HTTPS certificate, which allowed them to easily decrypt the HTTPS data.

In order to read data sent from the iOS version of the UC browser, it is necessary to break or bypass TLS, the encryption standard used by most web browsers. This can be done in a variety of ways, but is beyond the scope of this article.]

As of Wednesday (June 2), the English version of the UC browser had disappeared from Apple's App Store in most countries, but the Chinese version remained; the Google Play store listed the main UC browser, plus "mini" and "turbo" versions and all were in English.

"At the time of this writing, user browsing/location information is being sent to UCWeb's servers in real time and these issues have not been fixed after contacting Alibaba," Cirlig wrote in a blog post.