An app developed by the Chinese Communist Party to "educate" Chinese citizens about President Xi Jinping's leadership can spy on and track its users. It even contains a "backdoor" to install new functions, according to a new report (PDF).
The app, released in January and called "Study the Great Nation," or Xuexi Qiangguo in Mandarin, is available in the Apple App Store and third-party Android app stores. However, it's not available in the Google Play app store.
The app has been downloaded nearly 500 million times, according to the Open Technology Fund, which is part of the U.S. government's Radio Free Asia.
The New York Times reported in April that government employees and students are being pressured to install Study the Great Nation, which quizzes users on the fine points of socialist theory and President Xi's activities, then posts the resulting scores on social media for all to see. The Chinese government will soon require Chinese journalists to pass a loyalty test administered through the app.
Now it turns out that the app can log user activity and report those activities to the app's administrators — possibly even more. Even the best Android antivirus apps won't be able to protect you from it.
It is "evident and undeniable that the examined application is capable of collecting and managing vast amounts of very specific data," said the report from German information-security firm Cure53.
"While the CCP advertises Study the Great Nation as a way for citizens to prove their loyalty and study their country, the app's maintainers are studying them right back," said the Open Technology Fund, which commissioned the Cure53 study, in a news posting this past weekend.
The Cure53 researchers analyzed the Android version of Study the Great Nation and found that it used deliberately weak encryption when handling biometric data, scanned devices to see which other apps were installed and sent detailed logs of user activity to the app's servers every day.
The researchers suspected the app had other spying features, but parts of its code were encrypted and could not be analyzed.
Furthermore, if an Android phone is already "rooted," then the app can also act as a "superuser," allowing the program to do anything on the device. This includes installing other apps or changing system functions and features — a classic "backdoor."
"It seems difficult to justify why an educational app requires code that looks like a backdoor," said the Cure53 report. "Especially if such backdoor could potentially run arbitrary commands on citizen phones with superuser privileges."
Study the Great Nation is developed and maintained by Chinese internet giant Alibaba, but it also has some interaction with rival company Tencent.
The Cure53 researchers found that much of the app's communication was encrypted with secure cryptographic algorithms — except when it came to securing biometric data, and the storage and communication of email messages.
Fingerprints, facial recognition and email messages were secured using the old, weak DES algorithm. This form of encryption dates back to the 1970s and was conclusively "broken" in 1999. Now, cryptographers can reverse it in a matter of days, or even hours.
The Cure53 report said that there's no way this usage of weak encryption can be a mistake, and that this practice permits "a government agency [to] be able to decrypt emails and biometric data on a mass scale."
"It appears that Alibaba, the official maintainer of the Xuexi Qiangguo app, is the driving force behind the questionable coding practices analyzed for this report," said the Cure53 report. "The fact that insecure cryptographic algorithms like DES are used in a package provided by Alibaba suggests that Alibaba is actively participating in weakening the security of the Xuexi Qiangguo app."
Study the Great Nation is available for both iOS and Android, but the Cure53 researchers did not analyze the iOS version, presumably because it is very difficult to analyze iOS apps. (Apple recently announced it would let approved security researchers use "pre-jailbroken" iPhones.)
Apple told The Washington Post that the Android superuser function of Study the Great Nation would be impossible to replicate on an iPhone. However, other spying features, such as logging user activity, and weak encryption of biometric data and email messages, would presumably still be possible on iOS.
In August, Google researchers disclosed a mass espionage campaign against iPhone users that appeared to be carried out by the Chinese government in the historically Muslim province of Xinjiang.