An app that appears to be used by security forces in China scans for and collects a large amount of information from tourists’ or other travelers’ phones, with that data then uploaded to a local file server “over clear-text HTTP without any protections,” an OTF-supported security audit finds.
The audit (pdf), conducted by OTF Red Team Lab partner Cure53 in March 2019, analyzed the “Feng Cai” app to assess its functionality, security features, and whether it appears to violate users’ basic human rights. Cure53’s assessment found that the app gathers information including all phone contacts, stored text messages (SMS), call log history, calendar entries, phone hardware information, all information for various installed apps, and specific data from certain China-specific apps. All of this data is then uploaded to a local server unencrypted. A collaborative reporting effort by Motherboard, the New York Times, The Guardian, and Süddeutsche Zeitung further uncovered some of the specific content the app searches for, including parts of the Quran, a photo of the Dalai Lama, and music from a Japanese metal band.
Compared with previous assessments conducted by Cure53 of known similar apps like JingWang and IJOP, Feng Cai is different in both fashion and function. Feng Cai appears to be used surreptitiously – installed, used, and uninstalled in a single session, at a border crossing. The app is very simple in terms of its user interface, with just three available functions: Scan, Upload, and Uninstall. Unlike JingWang or IJOP, the Feng Cai app carries no branding; it uses the default Android icon, for example. This, along with the app’s core functions, informs Cure53’s view that the app is likely used in one-off encounters by security forces.
In terms of functionality, Feng Cai serves a different purpose than the aforementioned apps. The Feng Cai app “requires more permissions than JingWang,” which, like Feng Cai, scans for certain files. However, unlike Feng Cai, JingWang’s design suggests that “it is meant to remain” on a user’s phone. Cure53 assesses that Feng Cai “is more intrusive than JingWang” in part because available evidence suggests that the app is used without the user’s knowledge or consent. “IJOP is the least similar” of the three apps, “merely by being a reporting tool for the police and not a scanning/spy tool,” Cure53 says.
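The permission set and the clear-text upload are the two things a reviewer can check statically before ever running such an app. The script below is an added example (not Cure53’s or OTF’s tooling and not derived from the Feng Cai audit) that reads an Android manifest, maps real Android permission names to the data categories the audit describes (that mapping is this example’s own), and reports whether the manifest allows clear-text HTTP. The sample manifest is constructed for illustration and does not reproduce the Feng Cai manifest.

```python
"""Static triage of an Android manifest: which sensitive data categories an app
can reach, and whether clear-text (HTTP) network traffic is permitted.
Added example; the sample manifest is constructed, not taken from any real app."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names; the category labels are this example's own
# and follow the data types named in the audit summary.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "stored SMS",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_CALENDAR": "calendar entries",
    "android.permission.READ_PHONE_STATE": "phone hardware identifiers",
    "android.permission.READ_EXTERNAL_STORAGE": "files on shared storage",
    "android.permission.INTERNET": "network upload",
}

# Constructed sample manifest (hypothetical package name).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.scanner">
    <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="26" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.READ_SMS" />
    <uses-permission android:name="android.permission.READ_CALL_LOG" />
    <uses-permission android:name="android.permission.READ_CALENDAR" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="" android:usesCleartextTraffic="true">
    </application>
</manifest>
"""


def _attr(el, name):
    """Read an android:-namespaced attribute from an element (None if absent)."""
    return None if el is None else el.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text: str) -> dict:
    """Return the sensitive data categories reachable via declared permissions
    and whether clear-text HTTP is allowed (explicit attribute, else the
    platform default: allowed below targetSdkVersion 28, blocked from 28 on)."""
    root = ET.fromstring(xml_text)
    granted = {}
    for el in root.iter("uses-permission"):
        perm = _attr(el, "name")
        if perm in SENSITIVE_PERMISSIONS:
            granted[perm] = SENSITIVE_PERMISSIONS[perm]

    cleartext_attr = _attr(root.find("application"), "usesCleartextTraffic")
    target_sdk = _attr(root.find("uses-sdk"), "targetSdkVersion")
    if cleartext_attr is not None:
        cleartext = cleartext_attr.strip().lower() == "true"
    elif target_sdk is not None:
        cleartext = int(target_sdk) < 28
    else:
        cleartext = None  # cannot tell from the manifest alone

    categories = sorted(set(granted.values()))
    return {
        "package": root.get("package"),
        "data_categories": categories,
        "cleartext_http_allowed": cleartext,
        # Reads personal data AND can push it off the device.
        "can_collect_and_upload": "network upload" in categories and len(categories) > 1,
    }


def format_findings(report: dict) -> str:
    """Human-readable summary for a triage note."""
    lines = [f"package: {report['package']}"]
    lines.append("reachable data: " + (", ".join(report["data_categories"]) or "none"))
    lines.append(f"clear-text HTTP allowed: {report['cleartext_http_allowed']}")
    lines.append(f"collect-and-upload capable: {report['can_collect_and_upload']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_findings(audit_manifest(SAMPLE_MANIFEST)))
```

The manifest only shows what the app is allowed to do; confirming that uploads actually leave in the clear still takes a network capture, as the audit did. A manifest with no usesCleartextTraffic attribute and no uses-sdk element yields None for the clear-text verdict rather than a guess.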
In terms of human rights violations, Cure53 found it “evident and undeniable that the application is capable of collecting and managing vast amounts of very specific data.” Between the large amounts of data collected, the transmission of that data to “a local police file server,” and the apparent scanning of files for specific, “forbidden” content, Cure53’s audit suggests that “violations of human rights indeed take place.” Cure53 relied upon the legal framework of the European Convention on Human Rights (ECHR) in making judgments regarding the app’s potential human rights violations.
OTF’s Red Team Lab will continue to monitor government-required mobile apps and support audits of them when appropriate, along with security audits of Internet freedom technologies. We accept requests for security audits on a rolling basis via the Red Team Lab page.
Read the full report here (pdf).
*The original blog post mistakenly labeled the mobile app which was analyzed by Cure53 as BXAQ. BXAQ appears to stand for Baixing Anquan and purportedly serves the function of a ‘neighborhood watch’ mobile app. The correct name of the mobile app analyzed is Feng Cai. OTF regrets the error and extends its gratitude to Matthew Hart for notifying OTF.
Media coverage: Motherboard, New York Times, The Guardian, Süddeutsche Zeitung.
Additional coverage by The Verge, MIT Technology Review, Business Insider, Forbes, The Hill, Engadget, The Register, CNET, Epoch Times, RFA Uyghur.