UC Browser Giving 20GB Free Storage with Update: Understanding its Privacy Aspect

Editor's note: Story has been updated to include a UC Browser spokesperson's responses to queries and request for a statement sent to them by News18.com. The response includes the company's statement describing the privacy standards that UC Drive, through which the free storage is being offered, follows. The same has been added at the end of this story.

UC Browser, the Alibaba-owned web browser, has announced a new version of its app that claims to offer 20GB free storage through its integrated cloud storage medium, UC Drive. Announced yesterday, it is also offering a lucky draw that claims to give users 20 grams of free gold during its promotional period of between January 13 and 19. The update is presently drawing considerable traction on social media, with '20GB free storage' presently trending on Twitter. To promote its new version, UC Browser has announced multiple partners supporting its new app and offer on Twitter, including various publications, social media platforms, streaming services and more.

Using the tags #UnlimitedDownloads, the move is drawing considerable attention on Twitter in India. However, it is important to note UC Browser's previous, well documented struggles with privacy policy, malware attacks and protecting user data, over at least the past five years. University of Toronto's cybersecurity watchdog group The Citizen Lab had reported in April 2015 that a critical flaw on both Chinese and English language versions of UC Browser had exposed private data of users to malicious threat actors. However, Alibaba had stated then that it had no evidence of data being stolen, and subsequently patched the issue.

Dicey privacy

Privacy and data safety concerns regarding UC Browser have refused to die down, despite it being one of the most popular web browsing apps globally. On the Google Play Store, UC Browser has over 500 million installs and is rated 4.3, and also has similar stats on Apple's iOS App Store. As of February 2018, UC Browser had disclosed that it had over 130 million monthly active users (MAUs) in India, and has since expanded into providing perks such as curated content through its app, to draw more users on to its platform. That, though, does not safely validate its privacy credentials.

In March 2019, Russian privacy firm Dr Web had stated that UC Browser used an unsecured HTTP pathway to download additional files, which may be required for aspects such as software updates. This, as the vulnerability disclosed, could have been tapped into by threat actors, and used to send malware, ransomware and other spam links to users, who could be tricked into downloading them by considering it as official. A similar threat also surfaced later last year, when in 2019, security firm Zscaler disclosed to Google that UC Browser was still letting users download third party APKs from unsecured channels. Such a move is in full violation of Google's Play Store app usage and update policy, which states, "Applications distributed via Google Play may not modify, replace, or update itself using any method other than Google Play's update mechanism. Likewise, an app may not download executable code (e.g. dex, JAR, .so files) from a source other than Google Play."

The above is a repeated and rather serious breach of basic security requirements, and the issue is further aggravated when one realises exactly how popular UC Browser is. Since the issue was reported in October 2019, UC Browser has since stated that it no longer warrants third party APK downloads from sources outside the Google Play Store, a claim that was verified by reporting cybersecurity organisation Zscaler. No reports surfaced about whether any private data was actually siphoned off using these vulnerabilities, be it directly or as an indirect effect of malware affecting device through this channel.

Attracting attention

Privacy malpractices aside, UC Browser is a seemingly credible web browser that offers a fast and feature rich app, hence attracting high MAUs. As a result, it is easy to see why its latest offering of 20GB free storage has generated the extensive buzz on Twitter, and how this might help the app grow even more in India, one of its key markets. That said, it is UC Browser's own precedent that acts as a deterrent, and it is important that users looking to use the app must proceed with caution with their data. With privacy coming to the fore of late, it is important that users are aware of UC Browser's track record with handling user privacy, before choosing to use the 20GB free data that is offered to them with UC Browser's new version.

Common knowledge of the internet affirms that nothing is really offered for free — take a look at Facebook and its data collection practices for reference. As a result, those interested in getting the free data from UC Browser should at least take time out to read UC Browser and UC Drive's full data usage disclosures and end user license agreements, before proceeding to download the app.

Update: UC Browser has clarified the scope and use case of the free storage on offer, alongside instating its privacy credentials. In response to our queries, a UC Browser spokesperson said, "UC Drive is an add-on feature along with UC Browser and is integrated into the browsing tool. Any downloadable online content on UC browser can be saved onto UC Drive." Touching upon the privacy and data security concerns raised by us here, and various previous reports, the spokesperson further added, "UC Drive uses HTTPS and AES encryption. The content is encrypted during transfer. During storage, only a user can access the content. UC is dedicated to long-term development in the Indian market and serves local users' demands. Data security is essential to us and we will spare no effort to make sure users' data is secured. We have been steadfast in complying with local laws and regulations and will continue to do so while bringing better services to the market."