China propaganda app fraught with security concerns: report
A widely downloaded Chinese propaganda app that quizzes users on Communist Party heroes and military achievements may be “studying them right back” through data collection and potential security breaches, an internet freedom campaign group says.
The app — called “Xuexi Qiangguo” or “Study to make China strong” — has accumulated 130 million users since its launch by the Communist Party’s propaganda arm in January, according to state media in August.
But the Open Technology Fund (OTF) — a US government-funded group that campaigns for internet freedom — says users also provide a plethora of data to the app, including location and emails.
OTF contracted the independent German tech firm Cure53 to study the app.
While the Communist Party advertises it as “a way for citizens to prove their loyalty and study their country, the app’s maintainers are studying them right back”, OTF wrote on its website.
The app’s terms and conditions also say users may have to hand over more personal information — such as fingerprints and ID numbers — depending on the features or third-party tools they want to access.
The Chinese government has come under increasing scrutiny for high-tech surveillance — from facial recognition-enabled security cameras to apps used by police to extract personal information from smartphones at checkpoints.
And though “Study to make China strong” is an education app, Cure53 said it contains code that could run “arbitrary commands” — reminiscent of a backdoor — on certain phones.
The app “maintains a level of access that no app would normally have over a user’s device”, said OTF.
– ‘Intrusive app’ –
The investigation, which was conducted in August, only looked at the Android version of the app, partly because of its market dominance, said Sarah Aoun, the group’s director of technology.
OTF is considering tackling the iOS version — which runs on Apple iPhones — next, Aoun told AFP.
“This is just another way of expanding that digital control through a very intrusive app that is being pushed onto its citizens,” said Aoun.
The Communist Party’s propaganda arm, which is responsible for the app, did not respond to AFP’s request for comment.
Dozens of provincial and county governments across the country reportedly held workshops to promote the app earlier this year.
“It is unusual to see so much data gathered for an education app,” said Jane Manchun Wong, who reverse-engineers apps for security vulnerabilities and unreleased features.
“It’s like reading a book about the great nation but the book somehow searches your home,” she told AFP.
The app also scans for 960 applications — including gaming, travel and chat apps — appearing as if “attempting to find which popular apps are installed on the phone”, said Cure53’s report.
– ‘Creepy code’ –
A spokesperson at DingTalk, an enterprise chat platform that was used to build the app, told AFP that it had “no ‘backdoor code’ or scanning issues”.
But OTF said users’ data and their phones could be further jeopardised if the code that “amounts to a backdoor” runs successfully.
Currently, this code only affects phones where users have installed software that gives them “superuser” privileges — such as the ability to modify the device’s code.
But apps can also abuse this level of privilege to take over a user’s device.
“The code they found is creepy”, Baptiste Robert, a French security researcher, told AFP — but cautioned against the use of the word backdoor.
The investigation also found “no evidence” that the code was used during testing, with Cure53 concluding that “further investigation” was needed to determine how it was used.
The code “can raise suspicion,” Robert said, but to conclude that there is “vast espionage from China is complicated”.
We need your help. The SpaceDaily news network continues to grow but revenues have never been harder to maintain. With the rise of Ad Blockers, and Facebook – our traditional revenue sources via quality network advertising continues to decline. And unlike so many other news sites, we don’t have a paywall – with those annoying usernames and passwords. Our news coverage takes time and effort to publish 365 days a year. If you find our news sites informative and useful then please consider becoming a regular supporter or for now make a one off contribution.
We need your help. The SpaceDaily news network continues to grow but revenues have never been harder to maintain.
With the rise of Ad Blockers, and Facebook – our traditional revenue sources via quality network advertising continues to decline. And unlike so many other news sites, we don’t have a paywall – with those annoying usernames and passwords.
Our news coverage takes time and effort to publish 365 days a year.
If you find our news sites informative and useful then please consider becoming a regular supporter or for now make a one off contribution.
$5 Billed Once
credit card or paypal
SpaceDaily Monthly Supporter
$5 Billed Monthly
Rapidly patching legacy software vulnerabilities in mission-critical systems
Washington DC (SPX) Oct 16, 2019
There are a vast number of diverse computing devices used to run the critical infrastructure our national security depends on – from transportation systems to electric grids to industrial equipment.
Much like commercial or personal computing devices, these systems utilize embedded software to execute and manage their operations. To fix certain security vulnerabilities, commercial and personal devices must undergo frequent updates, and are replaced every few years – or on occasion, more frequently … read more