Researchers at the University of Toronto wrote in a paper that both apps leak personal and personally-identifiable data that could allow a network operator or malicious actor on the network to access a user's information, including cellular subscriber information and mobile device identifiers.
Much of the data is transmitted without encryption, such as geolocation data, including a user's longitude, latitude and street name. This is sent to Umeng, an Alibaba analytics tool, in the Chinese language version.
The researchers did notify UCWeb and Alibaba of their findings and intent to publish. Alibaba said it would investigate.
As of this week, UC Browser's most current version still lacks encryption of search queries and insecure data transmission to the Umeng component.