China’s National Anti-Fraud Center – Security Assessment

Editor’s Note: The auditors did not go through a coordinated disclosure process regarding the vulnerabilities discovered in this report due to the risks involved with engaging a potentially sensitive adversary.…
Wed, 2022-09-21 13:47

The National Anti-Fraud Center app is a multi-platform mobile application developed by China’s Ministry of Public Security. Designed and advertised as a utility to help detect and alert users to fraudulent calls, texts and applications, the “Anti-Fraud” app has become ubiquitous due to the Chinese government’s stringent requirements for users to have the app downloaded on their smartphones. According to many reports, users have been forced to download the app to access things such as apartment complexes, concerts, driving tests, and more.

The application is marketed as a utility to help detect fraudulent activity from third parties, and it requires high-level permissions on a user’s device. It is noteworthy that the application’s privacy policy is forthright about the amount of data it requires from users. In practice, this means the application is allowed to perform actions such as accessing call logs, querying all installed applications, viewing location data, and viewing other personally identifiable and sensitive information, all under the guise of user consent.

The application is only available for Apple accounts with China-based locations and cannot be downloaded from accounts in other countries.

Open Technology Fund’s Red Team Lab reviewed and analyzed the application to assess the privacy and security implications for users. The application’s features are designed to perform various “anti-fraud checks” on the large amount of data that users share with it, access to which is granted through the application’s permissions manifest. Once shared, this data is sent to private backend servers, at which point it is not possible to know whether the information is processed solely and exclusively for the purpose of anti-fraud, or for any other purpose.

The presence of a large number of software components in the application, including facial and voice recognition, warrants attention. These technologies can serve the application’s stated purpose, but they may also be used for malicious purposes without the user being notified. Since some of the application’s functionality cannot be accessed without a China-based phone number, the auditors were unable to verify how these technologies are used within the application.

The report highlights several anomalies in the use of obsolete and unusual software libraries that could further facilitate the corruption of data from other apps by the same developer. Given the application’s features and the data that users voluntarily decide to share, the risks to users of the application are difficult to understand and evaluate. This means that trust falls solely on the publisher of the application, as there were no major indicators that would show any strong red or green flags regarding the usage of the application.

OTF acknowledges that further investigation into the National Anti-Fraud Center app is necessary. The auditors faced several limitations, including regional restrictions, most notably the lack of access to a China-based phone number.

The full security assessment can be viewed through the link below.

National AntiFraud Center