Palo Alto Networks recently discovered that two Baidu apps were leaking sensitive data. The apps in question were Baidu Maps and Baidu Search Box. Both were removed from the Google Play Store in October after a Google investigation into Palo Alto’s findings. As of last week, Baidu Search Box is again available on the Play Store, but Baidu Maps remains barred.
Who is Baidu?
Baidu is a Chinese multinational tech giant headquartered in Beijing. It specializes in internet-related products and services as well as artificial intelligence (AI). Baidu was founded in January 2000 by Robin Li and Eric Xu and is now one of the largest tech companies in the world.
The company offers various services including a search engine called Baidu Search Box and a mapping service called Baidu Maps. The search engine is currently the fourth largest website in the Alexa Traffic rankings. This ranking is partly due to Google being banned in mainland China. Consequently, most Chinese people use Baidu’s search engine instead.
Baidu was the first Chinese company to be included in the US’s NASDAQ-100 index, which specializes in technology stocks. Furthermore, Baidu was the first Chinese firm to join the US-based computer ethics consortium called Partnership on AI. An announcement by Baidu about its third quarter results published last week states that “Baidu App’s daily active users (“DAUs”) reached 206 million and its monthly active users (“MAUs”) reached 544 million in September 2020.”
App SDK Code Leaks User Information
A report published yesterday by Palo Alto researchers claims that sensitive user information was being leaked by two Baidu apps. The apps leaking data were Baidu Maps and Baidu Search Box, which together have been downloaded 6 million times in the US alone.
The researchers define leaking data “as transferring certain information from a users’ device without their knowledge and collecting it at the receiver’s side.” This means that Baidu was collecting data from its users without their consent. Furthermore, the data could have been exposed to third parties during transmission from the users’ devices to Baidu’s servers.
The leak was in Baidu’s Software Development Kit (SDK), which both apps used to show real-time notifications. The SDK code collected information such as phone model, MAC address, carrier information and IMSI numbers. The MAC address identifies a user’s device and, once set by the device’s manufacturer, cannot be changed. The IMSI (International Mobile Subscriber Identity) number uniquely identifies a subscriber on a cellular network.
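As an added illustration of how a reviewer can check an app for the kind of identifier harvesting the report describes (this is example code, not Palo Alto’s or Baidu’s), the script below scans decompiled smali for the Android API calls that return IMSI, MAC address, carrier name and phone model, and flags which reads come from a bundled SDK package rather than the app’s own code and which are backed by a declared permission. The package names, smali text and permission set are constructed for the example.

```python
import re

# Android API references (smali form) that yield the identifiers named in the report.
IDENTIFIER_APIS = {
    "Landroid/telephony/TelephonyManager;->getSubscriberId": "IMSI",
    "Landroid/telephony/TelephonyManager;->getNetworkOperatorName": "carrier",
    "Landroid/net/wifi/WifiInfo;->getMacAddress": "MAC address",
    "Landroid/os/Build;->MODEL": "phone model",
}

# Permission the manifest must declare for the call to return real data (None = no permission needed).
REQUIRED_PERMISSION = {
    "IMSI": "android.permission.READ_PHONE_STATE",
    "carrier": None,
    "MAC address": "android.permission.ACCESS_WIFI_STATE",
    "phone model": None,
}

def scan_smali(smali_text):
    """Map each harvested identifier to the set of smali classes that read it."""
    findings, current_class = {}, None
    for line in smali_text.splitlines():
        m = re.match(r"\.class\s+(?:[a-z]+\s+)*(L[\w/$]+;)", line)
        if m:
            current_class = m.group(1)
            continue
        for api, ident in IDENTIFIER_APIS.items():
            if api in line:
                findings.setdefault(ident, set()).add(current_class)
    return findings

def triage(findings, manifest_permissions, app_prefix):
    """Return (identifier, class, in_sdk, permitted) rows: a read outside the app's own
    package prefix comes from bundled SDK code; a declared permission means the read succeeds."""
    rows = []
    for ident, classes in sorted(findings.items()):
        needed = REQUIRED_PERMISSION[ident]
        permitted = needed is None or needed in manifest_permissions
        for cls in sorted(classes):
            rows.append((ident, cls, not cls.startswith(app_prefix), permitted))
    return rows

# Constructed sample: one class in the app itself, one in a hypothetical bundled push SDK.
SAMPLE_SMALI = """\
.class public Lcom/example/app/MainActivity;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getNetworkOperatorName()Ljava/lang/String;
.class public final Lcom/example/pushsdk/DeviceInfo;
    invoke-virtual {v0}, Landroid/telephony/TelephonyManager;->getSubscriberId()Ljava/lang/String;
    invoke-virtual {v1}, Landroid/net/wifi/WifiInfo;->getMacAddress()Ljava/lang/String;
    sget-object v2, Landroid/os/Build;->MODEL:Ljava/lang/String;
"""
SAMPLE_PERMISSIONS = {"android.permission.READ_PHONE_STATE", "android.permission.INTERNET"}

if __name__ == "__main__":
    for ident, cls, in_sdk, ok in triage(scan_smali(SAMPLE_SMALI), SAMPLE_PERMISSIONS, "Lcom/example/app/"):
        print(f"{ident:12} {cls:38} sdk={in_sdk} permission_declared={ok}")
```

On a real APK, run it over the output of a smali decompiler and take the permissions from the decoded AndroidManifest.xml; rows with sdk=True and permission_declared=True are the SDK-originated reads worth correlating with outbound traffic.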
Tracking Users Even If They Change Phones
Because both identifiers are fixed, MAC addresses and IMSI numbers can be used to track the location of mobile devices and their users. This is why Baidu’s collection of this information is of such grave concern, especially as IMSI numbers can be used to identify and track users even if they change phones.
“Data leakage from Android applications and SDKs represents a serious violation of users’ privacy. Detection of such behavior is vital in order to protect the privacy rights of mobile users,” state the Palo Alto researchers. They add, “This data can also be misused by cybercriminals or state actors to […] intercept phone calls or text messages.”
Baidu Apps Removed from Google Play Store
The report states that the apps potentially left some 1.4 billion users open to cybercrime and surveillance. Consequently, when Palo Alto made Baidu and Google aware of its findings, Google removed both apps from its Play Store. This was done once Google conducted its own investigations to verify the researchers’ findings.
During the investigation, Google identified “additional violations”. However, neither Google nor Palo Alto revealed what these additional violations entailed. Nevertheless, Baidu has rectified the issues with Baidu Search Box, and it is thus once again available on the Play Store.
Baidu Maps, on the other hand, remains barred. With regards to Baidu Maps, a Baidu spokesperson said: “We’re working to update Baidu Maps in accordance with Google’s guidelines and expect that the app will return to Google Play in early December.”