Qihoo 360 Secure: The Most Popular Browser Youve Never Heard Of

One of the most popular desktop browsers in China is one you’ve
probably never crossed swords with, but it’s huge. According to the tech analytics peeps over at CNZZ, Qihoo 360 Secure Browser (Windows-only for desktop) is second only
to Internet Explorer in mainland China, accounting for 27.84% of total desktop
users. Do you know what’s in third place? Chrome, with 7.74%.

But 360 Secure also has a burgeoning stable of super-haters,
pundits who’ve criticized the browser for its dodgy install and propagation
practices, practices that detractors say make it more akin to malware than software. It’s even been called a “cancer of the internet”.

The Bad Rap

Let’s be real: the criticism isn’t unfounded. For an anti-spyware company (Qihoo first entered the market with a malware protection suite that remains hugely successful today), Qihoo has released some seriously sketchy code. In early
2012, Tech in Asia called attention to some research by New York firm Digital Due Diligence, raking Qihoo over the coals for a list
of nine shameless power plays, which included forcibly blocking other browsers
from becoming default, making uninstallation a huge pain, and totally stealing
IE’s logo in a bid to trick unwary eyes.

Chinese critics leveled worse accusations. In 2013, a report
released on the National Business Daily allegedly uncovers more shady tactics:

“The … report presents a laundry list of accusations
about Qihoo software, backing many of them up with illustrated screenshots
demonstrating what’s going on behind the scenes. Among the many allegations:
that Qihoo’s 360 Safe Browser contains a massive security flaw that messes with
users Windows DLL files, that it can expose users’ passwords, that it tells
users sketchy online payment sites are safe, and that it is making connections
the user isn’t aware of even when it’s just loading a blank page. The report also
contains more familiar charges like Qihoo products masquerading as official
Microsoft patches, forcibly deleting competitor products as “unsafe”, etc.”

Look, I’m not totally down on Qihoo as a company. When the Chinese government finally put the kibosh on Google services over a year ago, Qihoo stepped up and released a mirror of the Google Fonts API, saving China-based devs a pretty big headache.

Plus, mercenary methods aside, a 27.84% slice of the user pie isn’t a stat front-end devs can afford to turn their back on. That means anyone developing an Eastern-facing product needs to know about - and test for - this browser. You’ll need to get familiar with its quirks, its HTML5 capacities, which CSS3 elements it supports, and all that good jazz.

There are plenty of excellent reasons for me to get under the hood here, but I’m not gonna lie: I’m a little scared to install this
thing.

Dive, Dive, Dive!

Okay, maybe a lot scared. I’ve only ever used 360 on someone else’s machine, so I’m going to go ahead and open this in Sandboxie, a friendly little piece of code that “runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer”. Now that I’m all suited up, let’s take a look at some of 360 Secure’s unique features.

Dual-Core

360 Secure integrates both Webkit and Microsoft’s Trident layout engines. By default, pages are loaded on a Webkit-based engine, but at any time, you can open up the little lighting-bolt symbol in the URL bar and choose to load the page in “IE Mode”.

360 Secure also automatically switches back and forth between webkit and different IE modes on certain web pages. But why? If you don’t understand the topography of the net in China, this seems like pointless feature-stuffing. 360’s Investor Relations page sheds a little light on this:

“Webkit increases the speed of opening web pages, while Trident improves the compatibility of our 360 browsers with online banking and video display web pages.” 

Ah-hah. Many large-scale government, medical and financial websites in China were developed in a time when IE6 was the only real player on the field, and antiquated IE-centric security and coding practices abound. Many Chinese banking portals won’t even run or allow login unless the page is opened in IE (preferably an older version). This problem is common enough that 360 has taken the time to build a solution right into its interface.

Having heard reports that some users have had issues loading the HSBC Hong Kong portal in browsers other than IE, I popped the page open in 360 Secure, and sure enough, it auto-swiched to IE mode.

How to Force Default Rendering Mode

If you don’t like the idea of some browser choosing your rendering engine all willy-nilly, you can force 360 Secure to load your site in a specific mode via the meta name="renderer" tag in the <head> section of your markup, like so:

<html>
<head>
    <meta name="renderer" content="webkit">
</head>
<body>
</body>
</html>

To force the site to load with the “IE compatibility” renderer for IE6 and IE7 (ya weirdo), replace webkit with ie-comp; to force the site to load as “standard” IE9/10/11, replace webkit with ie-stand. (Thank you to ihref.com author Suyuwen for the solution.)

Built-in WeChat Integration

WeChat, the most popular mobile social platform in China, is heavily integrated into Qihoo 360. Not only is a QR code pop-up present right in the URL bar (urging users to scan and follow 360 Secure’s Wechat account)...

...but the very first default screens that appear after the browser is launched for the first time urge users to install 360’s Wechat browser plugin.

More Mobile Support: "Send this Page to Phone"

China's mobile-centric environment has engendered a need for users to quickly and easily transfer desktop browsing experiences to their phone. For example, I might be shopping online on my desktop at work, but I want to continue shopping away from my desk during lunch - how do I take my experience with me with a minimum of fuss? 

Top Chinese sites have met this challenge by placing QR codes in the header or footer of their interface; users can use their phones to scan the QR code on the desktop, and the mobile site loads in the phone's browser.

Knowing that non-Chinese sites are unlikely to offer this feature, 360 Browser steps in, building a "send to phone" feature into their interface. 

The feature's introduction screen explains that once your mobile phone number is bound to the desktop browser - which need only be done once - websites and images can be transferred to your phone with a single click.

This is the kind of feature that can only be developed by a company that deeply understands the user behaviors of the market they're looking to serve.

Alright, differences discussed, let's take a look at how this thing renders code.

Test One: HTML5 Support

First up, I ran Qihoo through the engine over at Html5test.com, which checks for HTML5 compatibility across a ton of different vectors. Qihoo clocked in with a score of 462 out of a possible total 555, not great when compared with Chrome 43’s score of 526, but in a surprise twist, Qihoo 360 comes out about on par with Firefox, and way ahead of IE 11 and Safari 8:

Responsive Images? Meh.

One very notable difference between Qihoo and other tested browsers is in its HTML5 responsive image support. While the latest versions of Chrome, Safari and Firefox are all mostly thumbs-up for client-side responsive markup, Qihoo 360 Secure has taken IE’s tack on the issue, with no support for the <picture> element, the srcset attribute or the sizes attribute.

If we’re reviewing this in terms of market necessity, it makes sense: China has been slow to jump on the responsive design bandwagon, and I can see why this might not be a priority for developers.

Out of Pure Curiosity: HTML5Test in IE Mode

When I manually reloaded HTML5 in IE mode, the site now behaves as if I’m running IE11 - same browser, different score.

Test Two: CSS3 Support

Again, 360 Secure didn’t do too badly for a CSS3 support check: 48% vs. Chrome 42’s 52%.

The differences between the two were most notable in image support, blending, shapes and alignment:

Test Three: WebGL

Naturally, running 360 Secure under webkit mode produces a big thumbs-up from doesmybrowsersupportwebgl.com:

And a thumbs down when manually switched to IE mode:

360’s User Agent looks Hard to Target

Noticed that, did you? It’s true: this is been a persistent problem for Chinese developers. It’s hard to target via UA when a browser can switch its UA around at will, and when the UA looks a lot like other major browsers.

Developer Yun Danran has developed a solution to this, allowing devs to target major Chinese browsers–particularly 360 (in either of its major modes) via jQuery. Take a look on Github.

Summing Up

Maybe it was Sandboxie looking out for me, maybe it was the fact that my skills aren’t quite up to digging around in the guts of the registry, but 360 Secure 7.1 didn’t seem to do anything too nasty to my system. No pop-ups. No obvious hostile takeovers.

I understand that no one wants to add another browser to the test list, but if you’re targeting for China, I’m afraid you’ll have to bite down on that strap. The good news is that 360 Secure isn’t anywhere near the nightmare it could be, and if you’re compatible with Chrome and pay attention to any issues with auto-default rendering modes, you should do OK (for the time being, at least).

As always, if you’ve had any malware issues with modern versions of 360 Secure, or if you have any hints for browser testing on this platform, let us know in the comments!