Thousands of apps running Baidu code collect and leak personal data, researchers say

Thousands of apps running code built by Chinese Internet giant Baidu have collected and transmitted users’ personal information to the company, much of it easily intercepted, researchers say.

The apps have been downloaded hundreds of millions of times.

The researchers at Canada-based Citizen Lab said they found the problems in an Android software development kit developed by Baidu. These affected Baidu’s mobile browser and apps developed by Baidu and other firms using the same kit. Baidu’s Windows browser was also affected, they said.

The same researchers last year highlighted similar problems with unsecured personal data in Alibaba’s UC Browser, another mobile browser widely used in the world’s biggest Internet market.

Alibaba fixed those vulnerabilities, and Baidu said it would be fixing the encryption holes in its kits, but would still collect data for commercial use, some of which it said it shares with third parties. Baidu said it “only provides what data is lawfully requested by duly constituted law enforcement agencies.”

The unencrypted information that has been collected includes a user’s location, search terms and website visits, Jeffrey Knockel, chief researcher at Citizen Lab, said ahead of publication of the research on Wednesday.

The problem highlights how difficult it is for users to know just what data their phone collects and transmits, and the risk that personal data might leak because of poor or no encryption. It also highlights how many different groups might be interested in accessing such data.