You might want to read this February 2016 article at citizenlab.org.
Most relevant part of the article:
Leaks sensitive data on startup
Upon application launch, we observed Baidu Browser sending an HTTP POST request to https://hmma.baidu.com/app.gif
The body of this HTTP request is a gzipped JSON file. The JSON file contains a list of fields with various details about the phone and the user, some in plain text and others encrypted.
Unencrypted fields in the JSON file include:
- o: the user’s operating system (e.g., “Android”)
- n: Baidu Browser version number
- w, h: width and height, respectively, of the screen in pixels
- gl: GPS coordinates and time of last GPS update
Some fields are encrypted using AES+ECB with the hard-coded ASCII-encoded key h9YLQoINGWyOBYYk and then Base64 encoded. These fields include:
- dd: IMEI number
- ii: a string containing the phone’s IMEI number written backwards and an MD5 hash of Android software version information
- wl2: list of all in-range wireless networks and their MAC addresses and signal strengths
With knowledge of the hard-coded key, these fields can easily be decrypted. The source code for a python script for decrypting these fields is available here.
And then there's Baidu's response (PDF file hosted at citizenlab.org). They don't seem to see an issue in collecting this data; they just acknowledge that they need to improve their encryption:
Baidu endeavors to collect data in a way consistent with the highest standards of security and user privacy in the industry. We disclose our practices in our terms of service under privacy rights as detailed here (Chinese): https://www.baidu.com/duty/yinsiquan.html
We're grateful of Citizen Lab for being mindful of data security in transmission and we have already made substantial progress toward ensuring that any such transmission will be secure.
So Citizen Lab's article probably no longer describes what you can see on the net nowadays.
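To check whether a capture you take today still has the shape the article describes, here is an added example (not from the article and not Citizen Lab's script) that triages a gzipped JSON body without decrypting anything. It labels each field as plaintext or Base64-wrapped 16-byte blocks, flags repeated blocks (the ECB tell), and lists opaque fields that are identical across two captures, since ECB under a fixed key is deterministic. The helper names and all sample values are assumptions; the "ciphertext" is constructed from hash bytes, not real AES output.

```python
import base64, binascii, gzip, hashlib, json
BLOCK = 16  # AES block size in bytes

def parse_body(raw):
    """Decompress a gzipped JSON request body into a dict."""
    return json.loads(gzip.decompress(raw))

def as_ciphertext(value):
    """Decoded bytes if value is Base64 of whole 16-byte blocks, else None (heuristic)."""
    if not isinstance(value, str):
        return None
    try:
        data = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    return data if data and len(data) % BLOCK == 0 else None

def triage(body):
    """Label each field 'plaintext', 'opaque' or 'opaque+repeated-blocks' (ECB tell)."""
    report = {}
    for name, value in body.items():
        data = as_ciphertext(value)
        if data is None:
            report[name] = "plaintext"
            continue
        blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
        report[name] = "opaque" if len(set(blocks)) == len(blocks) else "opaque+repeated-blocks"
    return report

def stable_opaque_fields(a, b):
    """Opaque fields byte-identical in two captures: fixed-key ECB is deterministic."""
    return sorted(k for k in a.keys() & b.keys() if as_ciphertext(a[k]) and a[k] == b[k])

def _blk(label):
    # Constructed 16-byte stand-in for one ciphertext block (hash of a label, NOT AES output).
    return hashlib.sha256(label.encode()).digest()[:BLOCK]

def _capture(gl, wl2_labels):
    # Constructed sample body using the article's field names; every value is made up.
    body = {"o": "Android", "n": "0.0.0.0", "w": 1080, "h": 1920, "gl": gl,
            "dd": base64.b64encode(_blk("imei")).decode(),
            "ii": base64.b64encode(_blk("ii-0") + _blk("ii-1")).decode(),
            "wl2": base64.b64encode(b"".join(_blk(l) for l in wl2_labels)).decode()}
    return gzip.compress(json.dumps(body).encode())

CAPTURE_1 = _capture("0.0000_0.0000_1000", ["ap-a", "ap-b", "ap-a"])  # constructed
CAPTURE_2 = _capture("1.0000_1.0000_2000", ["ap-c", "ap-d"])          # constructed
if __name__ == "__main__":
    first, second = parse_body(CAPTURE_1), parse_body(CAPTURE_2)
    print(triage(first), stable_opaque_fields(first, second))
```

A field that stays byte-identical between sessions works as a persistent device identifier for anyone on the path, even one who does not know the key.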