UC Browser for Android, Desktop Exposes 500+ Million Users to MiTM Attacks
The extremely popular UC Browser and UC Browser Mini Android applications with a total of over 600 million installs expose their users to MiTM attacks by downloading and installing extra modules from their own servers using unprotected channels and bypassing Google Play’s servers altogether.
Usman Rahim, Digital Security & Operations Manager at The Media Trust, provided the following comments:
“The update feature is not the only way that bad actors can exploit browsers. Bad actors can insert their code through insecure third-party code suppliers. Browsers and other apps are being developed within ever shorter timescales and with a traditional security mindset where the security deficiencies of a product are determined after it has been designed, not before and during. Third parties are often not carefully vetted for security capabilities. Moreover, security considerations fail to receive the priority and resources they require and are, instead, treated as unnecessary costs—that is, of course, until a breach happens. Companies shouldn’t wait until they fall victim to an attack or to benign negligence. They should build data security and compliance into an app’s entire product lifecycle; they need to scan their apps to find out what happens to users who download, use, and update the app. Is the code that executes throughout these processes authorized? The frequency of data scandals has reduced consumer trust to an all-time low and is prompting the passage of data privacy laws around the world. If a business fails to ride this wave of changes, they will find themselves drowned out by those that do.”