UC Browser: The privacy-less browser for Android

[Zaroad 26]

Hi, I found this report of UC Browser https://citizenlab.org/2015/05/a-chatty-squirrel-privacy-and-security-issues-with-uc-browser/ and it seems it leaks any kind of information such as  IMSI, IMEI and location (this last one, only on chinese version) in plain text! 

 

Have you ever used this browser on your Android/Xiaomi device

[InactiveUser 188]

No, I haven't. I only use applications from F-Droid -
besides the FOSS requirement, applications are also vetted for tracking libraries, which either get removed or generate a warning ("This application tracks and reports your activity").

Thanks for bringing up this topic. The behavior of apps like UC Browser really is despicable. Grabbing unnecessary information (a map application does not need IMEI/IMSI to function), not telling the user about it, and then even failing to secure the transmission.

Somewhat related story:
Samsung epicly fails to securely fetch software updates, putting 600 million phones at risk of total exploitation.


People, use Free & Open Source software.
If you aren't permitted to read an app's source code, the app will read you.

[OpenSourcerer 1435]

My general rule is to avoid apps from Google Play. If unavoidable, I look up permissions, if it offers In-App purchases, and in which country the dev is living. Last one is a trust thing.
Problem: There also are apps which are very good despite being closed source. Examples: Öffi, Titanium Backup, wetter.com. Why?

 

First is one of the most complete and easy-to-use timetable info for buses and trains. In Germany, I feel there's every region available, and no matter where you are, you will always find a station in your vicinity and take a bus or train if you wanted. There is no alternative in the open source world.

 

Titanium Backup is one of the most powerful backup and restore apps I ever used. This is a good example of how some closed source apps can be much better than open source ones. I know only one open source backup solution for Android, oandbackup, it misses 80% of the features.

 

Third is an extremely precise weather service. The open source variant OpenWeatherMap can absolutely not compete with its forecast precision.

 

People, use your mind to decide which apps are useful for you and which are not. Open Source is not everything.

[zhang888 1066]

Cyanogenmod+Privacy Guard should block all those leaky applications.

No other Android rom offers that out of the box, supposedly Android M will have such feature as well.

[OpenSourcerer 1435]

Cyanogenmod+Privacy Guard should block all those leaky applications.

 

Unfortunately, it doesn't. It does not prevent them from sending things. You can hide sensible info like contacts, but your IMEI for example cannot be hidden by that..

[zhang888 1066]

 

Cyanogenmod+Privacy Guard should block all those leaky applications.

 

Unfortunately, it doesn't. It does not prevent them from sending things. You can hide sensible info like contacts, but your IMEI for example cannot be hidden by that..

 

 

I thought that's what you intend to hide.

For more advanced hiding you have XPrivacy then, but I wouldn't recommend it the less tech-savvy people, as it can easily break stuff.

 

https://github.com/M66B/XPrivacy

 

 

Phone
return a fake own/in/outgoing/voicemail number
return a fake subscriber ID (IMSI for a GSM phone)
return a fake phone device ID (IMEI): 000000000000000
return a fake phone type: GSM (matching IMEI)
return a fake network type: unknown
return an empty ISIM/ISIM domain
return an empty IMPI/IMPU
return a fake MSISDN
return fake mobile network info
Country: XX
Operator: 00101 (test network)
Operator name: fake
return fake SIM info
Country: XX
Operator: 00101
Operator name: fake
Serial number (ICCID): fake

[OpenSourcerer 1435]

Yes, in comparison to XPrivacy, Privacy Guard inside CM is somewhat inferior, but easier to use.

[lsat 23]

People, use Free & Open Source software.

 

It doesn't help if you install Chromium on Linux

[InactiveUser 188]

lsat, you make a great point there!

To be pedantic: I wouldn't consider Chromium to be true FOSS. It's a FOSS wrapper to download proprietary Google blobs

(Firefox is not much better in this regard.)

 

EDIT: removed link to Chromium story - I missed that lsat already included it.

[zhang888 1066]

Firefox started to behave bad as well... Shoved us that WebRTC thing by default, then started with all the DRM and EME.

Later added some Telefonica call-home by default, some Cisco stuff

 

I used to like Firefox, but recently completely dropped it in favor of IceCat.

 

Forgot to mention, avoid downloading "Free software" from Sourceforge as well. That free software will come bundled with malware.

[OpenSourcerer 1435]

Forgot to mention, avoid downloading "Free software" from Sourceforge as well. That free software will come bundled with malware.

 

Would be nice if you included some.. stories.

[zhang888 1066]

Sourceforge bundled malware in GIMP, NMAP, VLC, Filezilla.

 

Finally Google flagged this malware hub that once used to host FOSS for us as untrusted a few days ago.