Introduction
“Study the Great Nation,” or Xuexi Qiangguo (学习强国 in Chinese) is an app billed by the Chinese Communist Party (CCP) as an educational tool. Earlier this year, it became the most downloaded app on the Chinese App Store and the Chinese government claims that it now has over 100 million users. The numbers are sky-high, with the Huawei store reporting 300 million downloads, and Wadoujia 195 million downloads. ‘Study the Great Nation’ features content like news articles and quizzes alongside a leaderboard where users’ scores can be viewed alongside those of their coworkers.
This app is part of a larger effort by the CCP to strengthen its ideological grip through digital means onto all parts of society. For instance, CCP members and Chinese citizens more broadly are pressured to download and use it to study CCP dogma and Xi Jinping Thought. In April 2019, the New York Times reported that the app in fact tracks and “keeps user data,” though it remains “unclear how closely the government tracks users of Study the Great Nation.” In addition, the Chinese government recently announced that the app would fulfill a new role: all Chinese journalists will soon have to take an exam testing their loyalty to the Party in order to have their press credentials renewed, and the test will be administered through the app. Finally, Reuters and others have revealed that the CCP’s Propaganda Department developed the app in collaboration with Chinese tech giant Alibaba.
Audit and Findings
With that in mind, the OTF Red Team Lab partnered with Cure53 to dive into the code, and find out what are the exact capabilities of this app. The insights from our security audit (pdf) were gleaned despite Cure53 finding that the app’s developers employ anti-reversing techniques that attempt to hide the app’s code, limiting the ability of external auditors to fully assess the app’s functionalities. The audit specifically focused on Android operating systems, which accounts for close to 80% of the mobile OS market in China.
The audit, carried out in August 2019, found that Study the Great Nation:
- Contains code that amounts to a backdoor to rooted devices, essentially granting complete administrator-level access to a user’s phone. No evidence of if or how exactly this access is being used could be identified;
- Actively scans to find other apps that are running on the user’s device, drawing from a list of 960 specific applications;
- Purposely employs the use of weak cryptographic algorithms in areas containing sensitive user data; and
- Collects and sends detailed app log reports on a daily basis, containing a wealth of user data and app activity.
1- Superuser Privileges
Most importantly, the fact that the app could obtain the level of access noted is highly problematic. Study the Great Nation “contains code resembling a backdoor which is able to run arbitrary commands with superuser privileges,” Cure53 found. The packages that contain the “backdoor” code are all in the package namespace containing the values “aliyun and alibaba,” suggesting that these packages were created and are maintained by Alibaba or Alibaba Cloud.
On a rooted device, having superuser privileges would grant someone system-wide administrative access to everything in the operating system and the ability to change it. In other words, having superuser privileges gives you the power to do anything, such as download any software, modifying files and data, or install a keylogger. In the case of this app, the code scans for the ability to access the root of the phone (which isn’t always a given). If successful, it would be able to receive and potentially execute commands.
The app’s code, if successfully deployed, would amount to a backdoor. And while the investigative method utilized does not allow us to observe the ways in which that backdoor is being exploited (if at all), the audits could find no legitimate reason why an app of this nature would seek to run commands on users’ phones with high privileges levels.
2- Scanning Apps
Study the Great Nation actively scans to find other apps that are running on the user’s device, drawing from a list of 960 applications. The list includes a wide variety of app types, including travel apps like Tripadvisor and Airbnb; chat apps like WhatsApp, Kakao Talk, Facebook Messenger, and Skype; navigation apps like Baidu maps and Uber; Amazon Kindle; various payment apps; and a Disney game called Temple Run, for example. While this may seem trivial, it is also in no way relevant to the purported purpose of the app, which leads us to speculate as to why this mass data collection is needed by the CCP.
3- Weak Encryption by Design
While Study the Great Nation collects and transmits large amounts of personal user data, the app’s security is weakened – seemingly by design – through the use of weak cryptographic algorithms in areas containing information linked to users’ biometric data and emails. “The fact that insecure cryptographic algorithms like DES [Data Encryption Standard] are used in a package provided by Alibaba suggests that Alibaba is actively participating in weakening the security of the Xuexi Qiangguo app,” Cure53 found. This type of encryption can be broken through a brute-force attack in “less than a week,” and potentially allows easy third-party access to this information. As Cure53 notes, “this could provide the opportunity to efficiently collect, map and analyze personal information, biometric data and private messages in a centralized database.”
4- Detailed Log Reports
Cure53 also found that the app collects general information such as the device’s unique IMEI number, connection information, information about app usage sessions, and location. Information, once logged, is transmitted to xuexi.cn (the app’s domain), which is owned by Alibaba. Log files are created daily, so it would appear that this information is collected and sent on a daily basis. Some information is also sent to servers that are likely controlled by Tencent, as they go to a qq.com domain. Very detailed app log reports are also sent to various entities which, given what had already been discovered, wasn’t all that surprising.
Conclusion
For something that the Communist Party of China bills as an educational app – a game for studying and learning – Study the Great Nation boasts technical capabilities that go well beyond what it purports to do, and maintains a level of access that no app would normally have over a user’s device. Aside from the app’s extensive user data collection and transmission, it is deeply concerning and alerting that the app could possibly obtain a pervasive level of access and the ability to run arbitrary commands on a user’s device, obfuscate its full functionalities and employ strong anti-reversing techniques, while also purposely using weak encryption around user’s privacy. What’s clear is that while the CCP advertises Study the Great Nation as a way for citizens to prove their loyalty and study their country, the app’s maintainers are studying them right back.
Read the full Cure53 report (pdf) here.
Media coverage: Washington Post, Wall Street Journal, BBC, CNBC, Quartz, Fast Company, The Information, NDTV, Sky News, Android Police, Coda Story, AFP.
Note: This post was updated on 10/13/19 to 1) explicitly state that the audit looked only at the app’s Android version, and 2) clarify the conditions in which superuser privileges could be exploited.