Communicating Privacy and Security Research: A Tough Nut to Crack

Today at the Citizen Lab we released a new report on (yet more) privacy and security issues in UC Browser, accompanied by a new cartoon series, called Net Alert.

Our new UC Browser report, entitled “A Tough Nut to Crack,” and authored by Jeffrey Knockel, Adam Senft and me, is our second close-up examination of UC Browser, which is by some estimates the second most popular mobile browser application in the world. In our first analysis of UC Browser, undertaken in 2015, we discovered several major privacy and security vulnerabilities that would seriously expose users of UC Browser to surveillance and other privacy violations. We were tipped off to look at UC Browser while going through some of the Edward Snowden disclosures and discovered that the NSA, CSE and other SIGINT partners were patting themselves on the back for exploiting data leaks and faulty update security related to UC Browser. I wrote an op-ed at the time discussing the security tradeoffs involved in keeping knowledge of software flaws like this quiet, and how we need a broader public discussion about software vulnerability disclosures.

We decided to take a second look at UC Browser, this time led by Jeffrey Knockel. By reverse engineering several versions of UC Browser, Jeffrey was able to determine the likely version number of UC Browser referenced in the Snowden disclosure slides, which led the NSA to develop an XKeyscore plugin for UC Browser exploitation. We also found that all versions of the browser examined — Windows and Android — transmit personal user data with easily decryptable encryption, and that the Windows version does not properly secure its software update process, leaving it vulnerable to arbitrary code execution. We disclosed our findings to Alibaba, the parent company, and report back on their responses and fixes, such as they are, in an appendix to the report.

Communicating these risks to users is not always easy, as the details are very technical and can be confusing. To help better communicate privacy and security research to a broader audience, we co-timed the release of our new UC Browser report with the first in a series of cartoons and info-nuggets on digital security, called “Net Alert.” The first Net Alert features two informative and funny cartoons by Hong Kong artist Jason Li, each of which tells a story about the risks of using UC Browser. The Net Alert series also includes background information on digital security topics, like the risks of “man-in-the-middle” attacks and of using open WiFi networks. (Net Alert is produced by Citizen Lab in collaboration with Open Effect and the University of New Mexico.) We will be producing more of these Net Alert cartoons and info-nuggets co-timed with future Citizen Lab reports. Our hope is that by communicating privacy and digital security risks in a friendly and accessible way, more people will be inclined to take small steps to better protect themselves against exposure and learn more about the research we undertake.

The UC Browser report is but one in an ongoing research series on mobile privacy and security. For those who are interested, we have also published a FOCI paper, which we are presenting this week at the 2016 USENIX Free and Open Communications on the Internet workshop, that summarizes our technical analysis of the security and privacy vulnerabilities in three web browsers developed by China’s three biggest web companies: UC Browser (UCWeb, owned by Alibaba), QQ Browser (Tencent) and Baidu Browser (Baidu).