Baidu is one of China's biggest internet companies

Thousands of Baidu apps collected and leaked personal information, report finds

Baidu's approach to online security could have put users' personal information at risk, researchers claim

Doug Bolton
Wednesday 24 February 2016 20:23

Hundreds of millions of Android mobile users have downloaded apps which have sent unencrypted and easily interceptable private data to servers in China, a recent security report has claimed.

The report says countless Android users who have downloaded certain apps have had their personal information collected by Chinese advertising and search giant Baidu.

It alleges information about users' precise locations, browsing histories and search terms was transmitted to Baidu's servers either without any encryption, or with easily decryptable encryption.

Device IMEI numbers, which can be used to identify a person's phone, were also allegedly sent to Baidu's servers in an easily decryptable format.

Encryption is the practice of encoding digital information so that only authorised parties can read it. Companies like Google collect some of the same information Baidu collects, but use encryption to make sure it doesn't fall into the wrong hands.

Without encryption, data sent to Baidu's servers could be intercepted by hackers.

Furthermore, the report claims Baidu web browser updates for Windows and Android don't include any code signatures, which are used to guarantee that the incoming updates come from an authorised source. This potentially means hackers could use Baidu's security flaws to perform a 'man in the middle' attack, sending anything to the browser and having it installed on the computer - including viruses and trojans which could put even more personal information at risk.


The researchers, working at the University of Toronto's Citizen Lab, found the problems in an app development kit built by Baidu. They claim the security flaws affect Baidu's mobile browser, apps developed by the company and others using the development kit, and even Baidu's desktop Windows browser.

Citizen Lab director Ron Deibert told Reuters: "It's either shoddy design or it's surveillance by design."

Citizen Lab said Baidu had fixed some of these issues since it brought them to the company's attention in November 2015. However, the Android browser still sends sensitive data such as the device's unique ID in an easily decryptable format.

Speaking to Reuters, Baidu said its interest in the data was just commercial. However, it didn't say who else might have access to it.

China's digital economy is booming, but a lack of encryption is commonplace, partly due to rapid growth and poor awareness of common security issues.

Andy Tian, chief executive of Beijing-based app developer Asia Innovations, told Reuters: "It's really, really painful, but it's a growing pain."
