Thousands of Baidu apps collected and leaked personal information, report finds

Baidu's approach to online security could have put users' personal information at risk, researchers claim

Hundreds of millions of Android mobile users have downloaded apps which have sent unencrypted and easily interceptable private data to servers in China, a recent security report has claimed.

The report says countless Android users who downloaded certain apps have had their personal information collected by Chinese advertising and search giant Baidu.

It alleges that information about users' precise locations, browsing histories and search terms was transmitted to Baidu's servers either without any encryption, or with easily decryptable encryption.

Device IMEI numbers, which can be used to identify a person's phone, were also allegedly sent to Baidu's servers in an easily decryptable format. 

Encryption is the practice of encoding digital information so that only authorised parties can read it. Companies like Google collect some of the same information Baidu collects, but use encryption to make sure it doesn't fall into the wrong hands. 

Without encryption, data sent to Baidu's servers could be intercepted by hackers. 

Furthermore, the report claims Baidu web browser updates for Windows and Android don't include any code signatures, which are used to guarantee that the incoming updates come from an authorised source. This potentially means hackers could use Baidu's security flaws to perform a 'man in the middle' attack, sending anything to the browser and having it installed on the computer - including viruses and trojans which could put even more personal information at risk.
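As an added illustration of the code-signing check the paragraph above refers to (example code written for this page, not Baidu's software or Citizen Lab's analysis): an update client keeps the vendor's public key pinned in the installed program and refuses to install any downloaded payload whose detached signature does not verify against that key. The Ed25519 choice, the function names and the sample payload are assumptions made for the example; the point is that without such a check a client cannot tell a genuine update from one substituted on the network.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateManifest is a constructed stand-in for what an update client
// downloads: the update file plus a detached signature over its SHA-256
// digest, produced with the vendor's private key at release time.
type UpdateManifest struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the vendor-side step (release pipeline); it is included
// only so the example is self-contained.
func SignUpdate(vendorPriv ed25519.PrivateKey, payload []byte) UpdateManifest {
	digest := sha256.Sum256(payload)
	return UpdateManifest{Payload: payload, Signature: ed25519.Sign(vendorPriv, digest[:])}
}

// VerifyUpdate is the client-side check. It returns nil only when the
// signature verifies under the pinned vendor public key; a missing
// signature or a payload altered after signing is rejected.
func VerifyUpdate(vendorPub ed25519.PublicKey, m UpdateManifest) error {
	if len(m.Signature) != ed25519.SignatureSize {
		return errors.New("update rejected: missing or malformed signature")
	}
	digest := sha256.Sum256(m.Payload)
	if !ed25519.Verify(vendorPub, digest[:], m.Signature) {
		return errors.New("update rejected: signature does not match pinned vendor key")
	}
	return nil
}

// RunScenario exercises the three cases a client can meet: a genuine
// update, the same update modified in transit, and an update shipped with
// no signature at all. It returns the verifier's verdict for each.
func RunScenario() (genuine, tampered, unsigned error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a browser update binary.
	update := []byte("browser-update-v2.bin: constructed sample payload")

	m := SignUpdate(vendorPriv, update)
	genuine = VerifyUpdate(vendorPub, m)

	// Same signature, different bytes: what an on-path substitution looks like.
	altered := UpdateManifest{
		Payload:   append([]byte("modified-in-transit:"), update...),
		Signature: m.Signature,
	}
	tampered = VerifyUpdate(vendorPub, altered)

	// No signature at all, which is the condition the report describes.
	unsigned = VerifyUpdate(vendorPub, UpdateManifest{Payload: update})
	return genuine, tampered, unsigned
}

func main() {
	genuine, tampered, unsigned := RunScenario()
	fmt.Println("genuine update:  ", genuine)  // <nil>: installed
	fmt.Println("tampered update: ", tampered) // rejected
	fmt.Println("unsigned update: ", unsigned) // rejected
}
```

The check only helps if the public key is already inside the installed program and is not itself fetched over the same unauthenticated channel; the signature protects the update's origin and integrity, and is separate from encrypting the download.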

The researchers, working at the University of Toronto's Citizen Lab, found the problems in an app development kit built by Baidu. They claim the security flaws affect Baidu's mobile browser, apps developed by the company and others using the development kit, and even Baidu's desktop Windows browser.

Citizen Lab director Ron Deibert told Reuters: "It's either shoddy design or it's surveillance by design."

Citizen Lab said Baidu had fixed some of these issues since it brought them to the company's attention in November 2015. However, the Android browser still sends sensitive data such as the device's unique ID in an easily decryptable format.

Speaking to Reuters, Baidu said its interest in the data was just commercial. However, it didn't say who else might have access to it.

China's digital economy is booming, but a lack of encryption is commonplace, partly due to rapid growth and poor awareness of common security issues.

Andy Tian, chief executive of Beijing-based app developer Asia Innovations, told Reuters: "It's really, really painful, but it's a growing pain."