51 comments

[ 4.1 ms ] story [ 84.9 ms ] thread
Uhmm I read through the README but most of the screenshots don't say anything to me, and I did my fair bit of reverse-engineering.

I see a screenshot of normal app startup, some random wireshark requests, some traces of what looks like a login/account system and some localization strings. The de-minified Javascript in the screenshot that author claims he could "clearly see the data was being exfiltrated" looks to me like a random Icon with some attrs. How is this relevant to exfiltration?

(Side-note his claim that he "performed a MITM attack to capture this iOS specific data" sounds more sensational than it actually is. He just put a transparent proxy in the middle, and didn't really attack anything)

The iFlytek stuff could be relevant and is interesting but there is so much noise, big headlines and "read my full report", that it feels to me the author tried very hard to find anything to post

Not saying the app is innocent. It's important to look more into what it's phoning home, but this is just the impression I got from reading through it. Maybe the full report will have some more solid findings in it. Still very cool that the entire decompiled source has been uploaded, that will get more curious eyes on it

Did not RTFA, but it could be more complicated than a transparent proxy if the app uses SSL and pinned certificates.
Here is the breakdown from the Citizen Lab.

https://citizenlab.ca/2022/01/cross-country-exposure-analysi...

To me the scariest is the exfiltration of so much personal data to parts unknown. Often unencrypted even.

This is an interesting take on the summary I read that this is just another shitty, useless app including some CCP-censorship. Tell me: do you know to whom the myriad of ad-networks and apps you use send their data? I don't. And even if you look at the privacy policy, you don't, because according to meta, for Whatsapp they store your phone number, a list of blocked contacts aaaand nothing else? (which I honestly do not believe...)
It's probably basic stuff that has to be in most Chinese apps, but I found the list of illegal words really interesting: https://github.com/jonathandata1/2022_beijing/blob/main/ille...

It's a mixture of spam filtering ("... for sale", gambling, drugs/weapons) and swearwords, that you'd expect to find in western apps as well. But there are also a lot of phrases about the CCP, dissidents and Tibet/Taiwan.

And stuff like "Eighty-eight bloody cases" and "CIBS overseas immigration investment". I really wonder how they ended up there and the story behind.
There is also an entry for "88 event", the "eighty-eight bloody cases" are almost certainly related to censoring that. I am not familiar with any famous event -- I wonder if it relates to the 8888 uprising in Myanmar where the Burmese rose up against their communist totalitarian dictatorship (and were slaughtered in the thousands, natch).

No idea about the second one - but every single major mainland Chinese politician and ministry is on the list too, so it is probably just yet another political topic they want to monitor/suppress...

The last time I looked at this sort of thing it was claimed that a Chinese phone manufacturer had spying and censorship functionality on a phone that turned out to be part of its ad network. Specifically the phone manufacturer had an ad network that ran inside of certain applications on the phone that they sold access to and they didn't know server-side what an affiliates advertisement was going to be, so they implemented client-side filtering of the advertisements to prevent things like porn adverts and so forth.

Looking through this list, I'm fairly certain that this is something like that because it also includes a bunch of Chinese government entity names that clearly would not be censored in China and also includes a lot of terms relating to pornography.

So the round about point is "88 event" likely refers to a specific string in an advertisment that was once loaded by an affiliate and found to be undesirable for one reason or another and not any sort of specifically political event or similar.

It also includes "Der Spiegel", a German newspaper (one of the most influential one in Germany).

https://github.com/jonathandata1/2022_beijing/blob/main/ille...

Looks auto-translated. I'd guess the original Chinese wordlist contained more nuance.
Rape for sale Rape Drugs Rape Pill Monopoly Rape Perfume For Sale

Some on the list

line 559

> China has no freedom of speech

whoever wrote that into "illegalwords.zh-CN.en.txt" must have been aware of the irony...

I read that list and thought that if you remove the stuff that they specifically want to censor like 'Tiananmen Square 1989' it's probably a really useful list of things to filter for anti-spam.
The last time I looked at this sort of thing it was claimed that a Chinese phone manufacturer had spying and censorship functionality on a phone that turned out to be part of its ad network. Specifically the phone manufacturer had an ad network that ran inside of certain applications on the phone that they sold access to and they didn't know server-side what an affiliates advertisement was going to be, so they implemented client-side filtering of the advertisements to prevent things like porn adverts and so forth.

Looking through this list, I'm fairly certain that this is something like that because it also includes a bunch of Chinese government entity names that clearly would not be censored in China and also includes a lot of terms relating to pornography.

It's pretty likely this isn't a ban list at all in the traditional sense but rather something more like the recent phone debacle which turned out to be a case where the chinese phone manufacturer also ran an ad network and the way its affiliates program was structured it didn't actually know what advertisement it was displaying on the server side, so it included functionality to inhibit undesirable advertisements-- which is pretty standard form.

As a result, while the publicised list included things that the CPC may seek to censor, the full list showed that it was mostly porn filtering and similar and included blocks for advertisements from the CPCs main newspaper (people's daily). Briefly looking through the illegal words list, it looks very much the same and also includes a wide range of Chinese government entities and so its likely not censorship functionality in the way you'd expect but more likely things the company would prefer not to advertise to users.

I've asked the original poster for more information, specifically for which classes contain the functionality he suspects but have gotten no response-- my suspicion is that he just read the strings of the program and made some assumptions, e.g. "monitor thread" probably doesn't mean what he thinks it does but I can't discern because I can't get a clear statement about what he thinks just screenshots with red arrows and him pointing to a decompiled application telling me to read it without referencing what exactly inside contains the suspect functionality.

> This repo directly correlates with a report I will be releasing Jan 24th, 2022.

Does anyone have the link?

I checked their twitter and couldn't see it. Though their (current) latest tweet is "After reverse engineering all of the #Beijing2022 #spyware app for @Apple #ios and @Google #Android I can definitively say all Olympian audio is being collected, analyzed and saved on Chinese servers using tech from USA blacklisted AI firm @iflytek1999".

These permissions on Android are incredible, how did it even get to the Play store?

For those who want a tldr:

The android app for olympics allows the developers to get all your contacts, listen to your microphone, wifi & bluetooth device connections, location, files. It starts at startup, can hide and reorder itself, can REMOTELY download files and trigger all kinds of tracking and spoofing.

Basically, anyone who installs this app on their device will throw away all the privacy not just while the app is installed, but also possibly long-term since with the amount of permissions, you cannot be sure it won't leave a remotely downloaded trojan horse in your device after dumping all your files, contacts and listening to your conversations. From controlling the narrative to spying on other teams and coaches, anything goes with this one.

And it's not just that this permission list is batshit insane (remember that batman scene with all the phone data giving him a full 3D image of the city? that level of batshit insane) - its insane Google is allowing this to be published.

> The android app for olympics allows the developers to get all your contacts, listen to your microphone, wifi & bluetooth device connections, location, files. It starts at startup, can hide and reorder itself, can REMOTELY download files and trigger all kinds of tracking and spoofing.

Most of those trigger a specific Android permission popup at runtime to grant access when actually needed/used. The app doesn't them just by the user installing it.

This is correct. And it is normal practice for not-truly-native apps (apps using React Native, Ionic, etc.). By declaring every permission in the manifest, they can add new features that would require those permissions without by just updating the javascript code over the air (no play store update / google play review needed).
It's not standard anymore. Google has started requiring lengthy documents you have to fill out justifying the more sensitive permissions and will stop letting you publish if they find things you have left out. This applies to new and old apps.

They've become a liability to leave in. Basically killed the entire beacon industry since some people used those to track exact location.

I’m using the [Expo SDK](https://expo.io) and it declares a whole bunch of permissions yet goes through review fine without any explanation.
Just watch the energy consumption. When in China - and having "must-have" Chinese apps like Baidu installed - my smartphone lasts not even half as long as "in the West". The battery is drained in record time. Once I remove the apps after my trip, I am back to normal.

Whatever these apps doing in the background, it takes a lot of energy. That is probably one of the reasons why you can rent power packs literally everywhere in China.

VPN might have a part in this too. I remember when I was in China, I was connected to ExpressVPN 24/7 (whatsapp, gmail etc), and the battery drain was visibly higher than when I had the VPN off.
The usual suspect is that apps cannot rely on Google Play Services for push notifications and so they keep a background task to fetch them.
> The usual suspect is that apps cannot rely on Google Play Services for push notifications and so they keep a background task to fetch them.

Surprisingly, that not all of the reason, although push notifications does count. It's like Facebook's (Android) app (which famously tries to not remove something as much as possible due to bad app design), but much more heavier. This is why Chinese Android builds (without Google Services) has heavy-handed "battery optimizations" (more like killing apps).

"When in China - and having "must-have" Chinese apps like Baidu installed".

This is mandatory in China?

It has essential features, like a better than google maps street & building maps, for the average day to day needs of one in China. Not running these apps would be like going to meet someone, but you have no face or hands. These app are that integrated into their society, without them you are not really there.
Google maps and such don't function correctly, so for a modern smartphone experience it's necessary, but not strictly mandatory
What platform? I found no battery change wtih WeChat on my iPhone, though I can force-kill it and as I understand it does nothing.
> I remove the apps after my trip

So maybe it's not just the apps that make a difference, it could also be your location. Your battery can drain faster when your phone is searching more frequently for a cell signal.

And this can happen on trips because of the different local cellular operators and the different frequency bands used.

This is of course only a hypothesis.

So the iOS app collects data and lies about it. How does Apple not ban this app from the store? Those AppSore “Data Not Collected” badges are obviously worth nothing while Apple pretends they mean something. Apple's user privacy/security pretexts for their walled garden and outrageous taxes have lost all credibility.
>>> How does Apple not ban this app from the store?

CCP got apple over the barrel. All these companies talking principles is just smoke and mirrors

Being "over the barrel" implies that Apple isn't more than willing to work with the CCP; Apple is a willing partner here. Corporations are sociopathic AIs, they have no concept of morals and no qualms about making the world a worse place in the pursuit of profit.
Yes, it is not that apple is innocent, because they are dependent on the chinese market which CCP controls, apple is pliable in the hands of the CCP and that is why they are over the barrel
What data is collected? Currently, the screenshots of the README don't show anything. Instead, the author just says there are some remote capabilities and the details will be posted in a future report.

If you know what the author is referring to, can you link the relevant files so we can take a look at them?

Apple does "privacy/security" thing as a marketing stunt in the western market. Meanwhile, it complies with all the government demands in China. As a corporation, they do what is required for profit, as one should expect.
I don't have a comment on this specific one but @jonathandata1 received his fair bit of critique before for being sensational when it comes to his finds.

Dan Borges (aka @1njection ) wrote a blog about him last year https://lockboxx.blogspot.com/2021/10/the-shenanigans-of-jon...

I personally have not looked in to either this or his previous disclosures, but my spider sense is tingling based on the sensational language he uses in his tweets like this one https://twitter.com/jonathandata1/status/1486466958992228366

So I would maybe be a bit careful in putting too much into this before there is some more validation, I think the citizenlab article linked elsewhere in this discussion had a more balanced take on it.

Thanks for the context. It’s certainly the vibe I was getting too

Will take what he posts with a big grain of salt

Exactly why we sent our reporters with loaner iPhones and dummy email addresses (for the AppleID as well), an always-on VPN and Signal accounts set-up, along with the recommendation to not bring any personal devices and accounts.

Can't trust the Chinese Government and IOC to not fuck this up.