A number of Android and Windows apps built with a Baidu software development kit are leaking users' personal data.
Researchers at Citizen Lab, a Canada-based research group, said they uncovered the problems in an Android SDK built by Baidu. The flaws affect Baidu's own mobile browser as well as apps that Baidu and other companies built on the same SDK. Baidu's Windows browser was also affected, and the affected apps have been downloaded millions of times.
"It's either shoddy design or it's surveillance by design," Citizen Lab director Ron Deibert told Reuters.
Citizen Lab said that although Baidu had fixed some of the issues since the lab reported them to the company in November, the Android browser still transmits sensitive information, including the device ID, in a form that can be trivially decrypted.
Baidu told Reuters that it would fix the encryption weaknesses in its SDKs. It said, however, that it would continue to collect the data for commercial purposes, and that it shares some of the collected data with third parties.
The company said it hands over only "what data is lawfully requested by duly constituted law enforcement agencies."
While Baidu said its interest in the data was purely commercial, it declined to tell Reuters who else might have access to users' data.
Jeffrey Knockel, Citizen Lab's chief researcher, said the data transmitted without encryption included users' search terms, location and the websites they visited.
The researchers added that the exact number of affected users cannot be determined.
Last year, Citizen Lab exposed similar weaknesses in Alibaba's UC Browser, which likewise transmitted personal data without adequate protection.
Alibaba said it had fixed those flaws and asked users to update their browsers. It added that there was no evidence any user data had been taken.
The research into UC Browser was prompted by documents leaked by National Security Agency whistleblower Edward Snowden, which indicated that Western intelligence agencies had exploited weaknesses in Alibaba's browser to spy on its users.
Reuters notes in its report that the case illustrates how hard it is for users to know what data their phones collect and transmit, and that personal information can leak when that data is sent with weak encryption or none at all.