Chinese Government Forces Residents To Install Surveillance App With Awful SecurityApril 09, 2018
In Xinjiang, a part of western China that a Muslim minority population calls home, the government forces residents to install an Android app that scans devices for particular files. Now, cybersecurity researchers have found that the so-called JingWang app has horrendous security practices for transferring data, and uncovered more details on what exactly the app does to phones.
“What we can confirm, based off the audit’s findings, is that the JingWang app is particularly insecure and is built with no safeguards in place to protect the private, personally identifying information of its users—who have been forced by the government to download and use it in the first place,” Adam Lynn, research director at the Open Technology Fund (OTF), the organization that supported the investigation of JingWang by third-party researchers, told Motherboard in an email. OTF is a US government funded program.
In 2017, authorities sent a message across WeChat, a hyper-popular chat program in China, to residents in Urumqi, the capital of Xinjiang. The message included a QR code for residents to scan and download the JingWang app.
Reinforcing and building on what Chinese users discovered when the app was launched last year, in its report OTF says JingWang scans for specific files stored on the device, including HTML, text, and images, by comparing the phone’s contents to a list of MD5 hashes. A hash is essentially a digital fingerprint of a piece of data.
According to a translation of the JingWang announcement message published by Mashable at the time, it said JingWang would “automatically detect terrorist and illegal religious videos, images, e-books and electronic documents.” Users would be told to delete any offending content with the threat of detention for up to 10 days, Mashable added.
It’s not immediately known which specific files JingWang is scanning for. OTF’s public blog post includes a list of the hashes, or the fingerprints of the files—OTF shared a list of some 47,000 hashes from the app with Motherboard. The app also has a screenshot function to capture images of the list of discovered files, OTF adds.
OTF’s report says JingWang also sends a device’s phone number, device model, MAC address, unique IMEI number, and metadata of any files found in external storage that it deems dangerous to a remote server. Motherboard found this server, unsurprisingly, is based in China, according to online records.
As for handling that data, researchers supported by OTF found JingWang exfiltrated data without any sort of encryption, instead transferring it all in plaintext. The app updates are not digitally signed either, meaning they could be swapped for something else without a device noticing.
“The app’s technical insecurity only opens its users up to further attacks by actors aside from the Chinese government. It seem there is zero interest in protecting citizens’ information, only in using it against them,” Lynn said.
Of course, it may not be all that surprising an app designed for wide surveillance on a population doesn’t take security all that seriously, and the much broader issue is authorities forcing residents to install a piece of monitoring software in the first place. But the app still highlights China’s pervasive surveillance efforts developed over decades.