UPDATED 06:00 EST / NOVEMBER 24 2020

Android apps from Chinese internet giant Baidu found to leak sensitive data

New research from Palo Alto Networks Inc.’s Unit 42 has detailed how Android apps from Chinese internet giant Baidu Inc. listed on Google Play were leaking sensitive data.

The apps, including Baidu Search Box and Baidu Maps, which have been downloaded in the U.S. more than 6 million times, were found to make users trackable by leaking data from a user’s device. The data leaked by the applications included phone data, screen resolution, the phone’s MAC address, carrier, network, Android ID, International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI).

Although the research noted that information such as screen resolution is harmless, the IMSI can be used to identify and track a user uniquely even if the user switches to a different phone. The IMEI is a unique identifier linked to the physical device that could also be used to track a user as long as they continued to use the same phone.

“The IMSI uniquely identifies a subscriber to a cellular network and is typically associated with a phone’s SIM card, which can be transferred between devices,” the research explained. “Both identifiers can be used to track and locate users within a cellular network.”

“Android applications that collect data, such as the IMSI, are able to track users over the lifetime of multiple devices,” the research added. “For example, if a user switches their SIM card to a new phone and installs an application that previously collected and transmitted the IMSI number, the app developer is able to uniquely identify that user.”

Unit 42 contacted Baidu with no response as of the time of writing. Google’s Android team was also contacted and not only confirmed the findings but identified additional violations. As a consequence, the applications were removed from Google Play on Oct. 28. A compliant version of Baidu Search Box returned to Google Play Nov. 19, but Baidu Maps remains unavailable.

“Data leakage from Android applications and SDKs represents a serious violation of users’ privacy,” the research concluded. “Detection of such behavior is vital in order to protect the privacy rights of mobile users.”
