Editor’s Note: The auditors did not go through a coordinated disclosure process for the vulnerabilities discovered during this assessment, due to the risks involved in engaging a potentially sensitive adversary. However, in keeping with their commitment to privacy and security transparency, the auditors still wish to share their findings.
The National Anti-Fraud Center app is a multi-platform mobile application developed by China’s Ministry of Public Security. Designed and advertised as a utility that detects and alerts users to fraudulent calls, texts and applications, the “Anti-Fraud” app has become ubiquitous because of the Chinese government’s stringent requirements that users install it on their smartphones. According to many reports, users have been required to install the app in order to access apartment complexes, concerts, driving tests, and more.
On iOS, the application is only available to Apple accounts whose region is set to China and cannot be downloaded from accounts registered in other countries.
Open Technology Fund’s Red Team Lab reviewed and analyzed the application to assess its privacy and security implications for users. The application’s features are built around various “anti-fraud checks” that operate on a large amount of user data, collected through the permissions declared in the application’s manifest. Once shared, this data is sent to private backend servers, after which it is not possible to verify whether it is processed solely for anti-fraud purposes or for any other purpose.
The large number of software components bundled into the application, including facial and voice recognition, is a significant point of concern. These technologies can serve the application’s stated purpose, but they could also be repurposed for malicious ends without the user being notified. Because parts of the application cannot be accessed without a China-based phone number, the auditors were unable to verify how these technologies are actually used.
The report highlights several anomalies in the use of obsolete and unusual software libraries that could further facilitate the corruption of data belonging to other apps from the same developer. Because the exposure depends on which features a user exercises and which data they voluntarily choose to share, it is difficult to evaluate the risk to any individual user. Trust therefore rests solely on the publisher of the application: the audit found no major indicators that would constitute a strong red or green flag regarding the application’s behaviour.
OTF acknowledges that further investigation into the National Anti-Fraud Center app is necessary. The auditors faced several limitations, including regional restrictions, in particular the lack of access to a China-based phone number.
The full security assessment can be viewed through the link below.