App Targeting Uyghur Population Censors Content, Lacks Basic Security
A recent New York Times opinion piece began:
Imagine that this is your daily life: While on your way to work or on an errand, every 100 meters you pass a police blockhouse. Video cameras on street corners and lamp posts recognize your face and track your movements. At multiple checkpoints, police officers scan your ID card, your irises and the contents of your phone. At the supermarket or the bank, you are scanned again, your bags are X-rayed and an officer runs a wand over your body — at least if you are from the wrong ethnic group. Members of the main group are usually waved through.
You have had to complete a survey about your ethnicity, your religious practices and your “cultural level”; about whether you have a passport, relatives or acquaintances abroad, and whether you know anyone who has ever been arrested or is a member of what the state calls a “special population.”
This personal information, along with your biometric data, resides in a database tied to your ID number. The system crunches all of this into a composite score that ranks you as “safe,” “normal” or “unsafe.” Based on those categories, you may or may not be allowed to visit a museum, pass through certain neighborhoods, go to the mall, check into a hotel, rent an apartment, apply for a job or buy a train ticket. Or you may be detained to undergo re-education, like many thousands of other people.
A science-fiction dystopia? No. This is life in northwestern China today if you are Uighur.
One of the components of this massive surveillance state is a mobile app that local police are forcing residents to install. It is dubbed “Jingwang,” or “clean internet” in Chinese. The app has been reported to search for “illegal” images, prevent the installation of other applications and send details about the device to a government server. Such techniques could be easily extended across the Chinese population or to other repressive environments.
We utilized the OTF Red Team Lab to support third-party researchers in taking a deeper look at this app, which is being used as a means to repress an entire ethnic group in mainland China. Key results of the security audit are as follows:
The app extracts the phone’s IMEI, MAC address, manufacturer, model, phone number, subscriber ID, and the filenames and hashes of all files stored on the person’s device.
These identifiers serve to easily identify and track any mobile device and its contents
The app scans the device’s external storage for files it deems “dangerous”: it records each file’s name, path, size and MD5 hash and compares the hash against a list of file hashes received from the server. If a file is identified as “dangerous,” the app prompts the user to delete it.
An MD5 hash is a fingerprint of a file’s contents, so it can be used to identify a specific file on a mobile device
The app restricts the scan to certain file types, primarily audio, video, photos and HTML. It then sends all of the filenames with their hashes back to the server: not just those identified as dangerous, but the hash of every single scanned file on the person’s device.
Any user with this app installed will have a record of every scanned file on their device sent to an unknown entity for monitoring
Lastly, nothing is transmitted from the individual’s device to the receiving server over HTTPS — everything goes in plaintext over HTTP — and updates are unsigned.
This means all the data the app collects is transmitted to the unknown entity on the receiving end in a way that allows someone with a trivial amount of technical knowledge to intercept and potentially manipulate it
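To make the scope of the collection concrete, the scan logic described above, modelled in Python as an added example (this is not the app’s code, nor from the audit report): the extension set, file contents and “dangerous” hash are constructed assumptions, and the returned payload shows that every scanned file, not only the flagged one, would leave the device.

```python
"""Model of the file scan the audit attributes to the app: hash media/HTML files
under a storage root, match each MD5 against a server-supplied list, and build
the per-file inventory the report says is sent back for every scanned file."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Extension set is an assumption drawn from "audio, video, photos and html".
SCANNED_EXTENSIONS = {".mp3", ".mp4", ".jpg", ".png", ".html"}

@dataclass
class FileRecord:
    name: str
    path: str
    size: int
    md5: str

def md5_of_file(path: str) -> str:
    """Stream the file so large videos need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_storage(root: str, dangerous_hashes: set) -> tuple:
    """Return (inventory, flagged): inventory holds every scanned file,
    flagged only those whose MD5 is on the server-supplied list."""
    inventory, flagged = [], []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in SCANNED_EXTENSIONS:
                continue  # other file types are not scanned, per the report
            path = os.path.join(dirpath, name)
            rec = FileRecord(name, path, os.path.getsize(path), md5_of_file(path))
            inventory.append(rec)
            if rec.md5 in dangerous_hashes:
                flagged.append(rec)  # the app would prompt the user to delete this
    return inventory, flagged

def demo() -> dict:
    """Constructed storage: two scanned files plus one text file that is ignored."""
    root = tempfile.mkdtemp()
    for name, data in [("photo.jpg", b"holiday"), ("page.html", b"<p>hi</p>"), ("notes.txt", b"x")]:
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    server_list = {hashlib.md5(b"holiday").hexdigest()}  # constructed "dangerous" hash
    inventory, flagged = scan_storage(root, server_list)
    # Name, path, size and MD5 of every scanned file leave the device, flagged or not.
    payload = [{"name": r.name, "path": r.path, "size": r.size, "md5": r.md5} for r in inventory]
    return {"sent": [p["name"] for p in payload], "flagged": [r.name for r in flagged]}
```

Because the report says this payload travels over plain HTTP, anyone on the network path could read or alter both the inventory and the server’s hash list.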
While the forced installation of this mobile app serves to monitor the activities of an entire population, the broad scope of the app combined with its lack of basic security only further harms those required to use it. In an effort to provide more transparency on what these individuals are being forced to install on their phones, we are making the full technical report publicly available. We are also providing the full MD5 hash list (see attachment below) in the hope that others can attempt to determine the types of content the app has deemed “dangerous”. The OTF Red Team Lab will continue to monitor government-required mobile apps and support the conduct of professional audits when appropriate.