Protecting At-Risk Populations from Surveillance, Censorship and Targeted Attacks: Revisiting BAT Browsers

Researchers at Arizona State University and TibCERT found security and privacy vulnerabilities in six prominent Chinese web browsers
Tue, 2023-08-29 17:21

Browsers are often the application through which individuals use censorship circumvention or privacy tools. This is especially true in repressive contexts where app stores are restricted, preventing people from downloading those tools as native apps. In these contexts the only practical way for individuals to access censorship circumvention and privacy technology is as Progressive Web Applications (PWAs) that run inside the browser, so the browser's own security and privacy weaknesses become the weaknesses of every tool running in it. Given this, it is important to understand the vulnerabilities of the browsers themselves.

In 2016, Jeffrey Knockel, Adam Senft, and Ronald Deibert researched security and privacy issues in BAT (Baidu, Alibaba, Tencent) browsers. To update and expand on this research, investigators at Arizona State University's Biodesign Center for Biocomputation, Security and Society partnered with TibCERT/Tibet Action Institute (an organization focused on reducing and mitigating online threats in the Tibetan community) to examine current security vulnerabilities in the three originally studied browsers, along with three other popular Chinese browsers commonly used in Asian markets (including by the at-risk communities that TibCERT serves).

Key Findings

Researchers found that all six browsers (Baidu Searchbox, Alibaba's UC Browser, OPPO Browser, Redmi Browser, Tencent's QQ Browser, and VIVO Browser) collect data and transmit it with weak or missing cryptography, and leak web activity, search activity, or both, along with other personally identifiable information and network/device information. The leaked data includes full URLs and page titles of pages visited (even for pages loaded over HTTPS), search terms, GPS coordinates, device identifiers, and client IP addresses. The findings are useful to developers of PWAs and to users alike as they adapt to China's increasingly invasive and criminally punitive information controls.
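The class of leak described above (visited URL, page title, search term and device identifiers sent back to the vendor, sometimes over plaintext HTTP and sometimes merely obfuscated) can be checked for any browser by routing it through a local intercepting proxy and comparing what it sends against what the user just did. The script below is an added example written for this page, not code from the report or from any of the browsers studied. The captured requests, hostnames (`*.example-browser.test`), parameter names and the IMEI value are all constructed placeholders; the function reports, for each request that carries any of the activity values, the destination host, whether the transport was plaintext HTTP, and which fields leaked, after percent-decoding query strings and base64-decoding bodies so that simple encoding does not hide the leak.

```python
"""Leak check for browser telemetry captures (added example, not from the report).

Given requests captured from a browser under test (for example via a local
intercepting proxy) and the browsing activity that preceded them, report which
requests carry the visited URL, page title, search term or device identifier,
and whether they travel over plaintext HTTP. The sample capture is constructed.
"""
import base64
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed activity: what the user did in the browser before the capture.
# The IMEI is a made-up placeholder, not a real device identifier.
ACTIVITY = {
    "url": "https://example.org/news/article?id=42",
    "title": "Example News: Article 42",
    "search": "tibet action institute",
    "imei": "490154203237518",
}

# Constructed capture: three outbound requests. Hosts and parameter names are
# placeholders and are not taken from the report.
CAPTURE = [
    # plaintext telemetry carrying the visited HTTPS URL and title, percent-encoded
    {"url": "http://stats.example-browser.test/report"
            "?u=https%3A%2F%2Fexample.org%2Fnews%2Farticle%3Fid%3D42"
            "&t=Example%20News%3A%20Article%2042",
     "body": b""},
    # HTTPS transport, but the body carries the search term and IMEI base64-encoded
    {"url": "https://api.example-browser.test/sug",
     "body": base64.b64encode(b"q=tibet action institute&imei=490154203237518")},
    # benign: an update check with nothing sensitive in it
    {"url": "https://update.example-browser.test/check?v=1.2.3", "body": b""},
]


def _candidate_texts(req):
    """Yield decoded views of one request: the raw URL, the percent-decoded query,
    each query value, the raw body, and the body base64-decoded (if it is valid
    base64), so that encoded copies of the activity values are not missed."""
    parts = urlsplit(req["url"])
    yield req["url"]
    yield unquote(parts.query)
    for _, value in parse_qsl(parts.query):
        yield value
    body = req["body"]
    yield body.decode("utf-8", "replace")
    try:
        yield base64.b64decode(body, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: body was not base64
        pass


def find_leaks(capture, activity):
    """Return [(host, plaintext_transport, sorted leaked field names), ...] for
    every request in the capture that contains at least one activity value."""
    findings = []
    for req in capture:
        parts = urlsplit(req["url"])
        texts = list(_candidate_texts(req))
        leaked = sorted(
            field for field, value in activity.items()
            if any(value in text for text in texts)
        )
        if leaked:
            findings.append((parts.hostname, parts.scheme == "http", leaked))
    return findings


if __name__ == "__main__":
    for host, plaintext, fields in find_leaks(CAPTURE, ACTIVITY):
        transport = "PLAINTEXT HTTP" if plaintext else "https"
        print(f"{host}: {', '.join(fields)} sent over {transport}")
```

Run against a real capture, the `CAPTURE` list would be filled from the proxy's request log and `ACTIVITY` from the pages visited during the test session; a request that is flagged with `plaintext_transport` true is the "missing cryptography" case, while a flagged HTTPS request that only base64-encodes the values shows the "poor cryptography" case, since the vendor endpoint still receives the data in the clear.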

Learn more: Full Report