Thousands of Baidu apps collected and leaked personal information, report finds
Baidu's approach to online security could have put users' personal information at risk, researchers claim
Your support helps us to tell the story
From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.
At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.
The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.
Your support makes all the difference.Hundreds of millions of Android mobile users have downloaded apps which have sent unencrypted and easily interceptable private data to servers in China, a recent security report has claimed.
The report says the personal information of countless Android users who have downloaded certain apps have had their personal information collected by Chinese advertising and search giant Baidu.
It alleges information about users' precise locations, browsing histories and search terms were transmitted to Baidu's servers either without any encryption, or with easily decryptable encryption.
Device IMEI numbers, which can be used to identify a person's phone, were also allegedly sent to Baidu's servers in an easily decryptable format.
Encryption is the practice of encoding digital information so that only authorised parties can read it. Companies like Google collect some of the same information Baidu collects, but use encryption to make sure it doesn't fall into the wrong hands.
Without encryption, data sent to Baidu's servers could be intercepted by hackers.
Furthermore, the report claims Baidu web browser updates for Windows and Android don't include any code signatures, which are used to guarantee that the incoming updates come from an authorised source. This potentially means hackers could use Baidu's security flaws to perform a 'man in the middle' attack, sending anything to the browser and having it installed on the computer - including viruses and trojans which could put even more personal information at risk.
"It's either shoddy design or it's surveillance by design."
The researchers, working at the University of Toronto's Citizen Lab, found the problems in an app development kit built by Baidu. They claim the security flaws affect Baidu's mobile browser, apps developed by the company and others using the development kit, and even Baidu's desktop Windows browser.
Citizen Lab director Ron Deibert told Reuters said: "It's either shoddy design or it's surveillance by design."
Citizen Lab said Baidu had fixed some of these issues since it brought them to the company's attention in November 2015. However, the Android browser still sends sensitive data such as the device's unique ID in an easily decryptable format.
Speaking to Reuters, Baidu said its interest in the data was just commercial. However, it didn't say who else might have access to it.
China's digital economy is booming, but a lack of encryption is commonplace, partly due to rapid growth and poor awareness of common security issues.
Andy Tian, chief executive of Beijing-based app develoiper Asia Innovations, told Reuters: "It's really, really painful, but it's a growing pain."
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments