TenCent’s QQ Browser Exposes Millions To Security and Privacy Issues


Posted March 29, 2016

Researchers at the Citizen Lab in the University of Toronto’s Munk School of Global Affairs have found several problems with the QQ Mobile Browser made by the Chinese company TenCent. The QQ mobile browser is available on both Android and Windows Mobile phones. What most people don’t know is that the browser shares a large amount of personal information about the user, and the app also leaves the user open to malware being installed on their phones.

The Android version of QQ shares “personally identifiable data, including a user’s search terms, the URLs of visited websites, nearby WiFi access points, and the user’s IMSI and IMEI identifiers, without encryption or with easily decrypted encryption.”

The Windows version of QQ sends out the URLs of all visited webpages, the user’s hard drive serial number, MAC address, Windows hostname, and Windows user security identifier. All of this data is transmitted without encryption or with weak encryption.

Transmitting this information with weak encryption, or none at all, exposes it to interception by the user’s ISP, wireless network operator, mobile carrier, malicious actors, or a government agency. TenCent’s collection of this information is concerning in itself, especially given the lack of security controls in place.

Another problem is that the update mechanism in the QQ browser is not secured. This weakness could allow attackers to trick users into installing malware on their mobile devices. These vulnerabilities were disclosed to TenCent on February 5, 2016, and several updates to address them were released in March 2016. Although some problems were fixed, others remain.
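The fix for an unsecured update channel is for the client to accept a package only after verifying a vendor signature over it, so that nobody between the client and the update server can swap in their own binary. The following is an added example of that check, written for this article; it is not code from QQ Browser, TenCent or Citizen Lab. It assumes a hypothetical design in which the vendor pins an Ed25519 public key in the client, signs a small JSON manifest (version number plus SHA-256 of the package), and the client refuses anything that fails the signature, the digest, or a rollback check. All names, data and the update package bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is what the vendor signs: the version being offered and the
// SHA-256 of the package bytes. The package itself is never trusted on its own.
type Manifest struct {
	Version int    `json:"version"`
	SHA256  string `json:"sha256"`
}

// SignManifest is the vendor-side step (hypothetical release-machine code,
// never run on the client). It returns the manifest bytes and their signature.
func SignManifest(priv ed25519.PrivateKey, version int, pkg []byte) ([]byte, []byte, error) {
	sum := sha256.Sum256(pkg)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	raw, err := json.Marshal(m)
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyUpdate is the client-side check. It accepts an update only if
//   1. the manifest signature verifies against the pinned vendor public key,
//   2. the offered version is newer than what is installed (no rollback), and
//   3. the downloaded package hashes to the digest in the signed manifest.
// TLS is still needed to keep observers from reading the traffic, but this
// check is what stops an on-path party from substituting its own package.
func VerifyUpdate(pub ed25519.PublicKey, installed int, raw, sig, pkg []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(pub, raw, sig) {
		return m, errors.New("manifest signature invalid")
	}
	if err := json.Unmarshal(raw, &m); err != nil {
		return m, err
	}
	if m.Version <= installed {
		return m, fmt.Errorf("rollback refused: offered %d, installed %d", m.Version, installed)
	}
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("package digest does not match signed manifest")
	}
	return m, nil
}

// Demo walks through three outcomes with constructed data: a genuine update,
// a package swapped out after signing, and a replay of an already-installed
// version. It reports whether each case behaved as a secure updater should.
func Demo() (genuineOK, tamperedRejected, rollbackRejected bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed vendor key
	if err != nil {
		return
	}
	pkg := []byte("constructed update package v42")
	raw, sig, err := SignManifest(priv, 42, pkg)
	if err != nil {
		return
	}
	_, e1 := VerifyUpdate(pub, 41, raw, sig, pkg)
	genuineOK = e1 == nil
	_, e2 := VerifyUpdate(pub, 41, raw, sig, []byte("something else entirely"))
	tamperedRejected = e2 != nil
	_, e3 := VerifyUpdate(pub, 42, raw, sig, pkg)
	rollbackRejected = e3 != nil
	return
}

func main() {
	g, t, r, err := Demo()
	fmt.Println("genuine accepted:", g, "tampered rejected:", t, "rollback rejected:", r, "err:", err)
}
```

The digest lives inside the signed manifest rather than being signed separately so that the version and the package are bound together; signing only the package would let an old, genuinely signed version be replayed, which is why the rollback check sits between the signature and the digest comparison.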

Citizen Lab researcher Ron Deibert sent inquiries to TenCent about its data collection activity and whether these actions were done in support of nation-state directives. TenCent did not respond. It is entirely plausible that the nation with the most restrictions on civil liberties and the most extensive surveillance efforts is involved in an app developer’s information collection. On January 1st, 2016 China’s anti-terrorism law came into effect. This law requires “telecommunications operators and internet service providers to ‘provide technical interfaces, decryption, and other technical support assistance to public security organs and state security organs conducting prevention and investigation of terrorist activities in accordance with law.’ ”