The Chinese Communist Party released an app earlier this year titled "Study the Great Nation," which it promotes, encouraging large-scale use by many citizens. While at first glance it may look like a propaganda tool that acts as a source of news and facts on Chinese President Xi Jinping and his party, it appears to be designed to monitor its users and even contains a superuser backdoor that could be used to collect more data.
In light of China's extensive human rights abuses, the Open Technology Fund commissioned German security research firm Cure53 to review the product developed by Alibaba. The first obstacle faced by the researchers can already be read as proof of the app's unclear intentions: the code is equipped with anti-reversing techniques. Cure53 reasons that this coding practice likely conceals more malicious or inquisitive instructions than the company could find among the decrypted parts of the app. A certain "backdoor-like code" gives the app superuser privileges. Although Cure53 states that no credentials could be identified during this test and that further investigation is required, an app such as this one should have no business with root access. Apparently, Alibaba was not only involved in the maintenance of the app itself, but was also charged with building the backdoor, as the company name can be found in the respective code.
Other evidence includes file transfers of user data and device information, deliberately weak cryptographic algorithms for credentials and personal data, and similarities with other Chinese spy apps. It could be argued that the first of these is for statistical purposes only, but along with the other evidence it should raise some alarm bells.
The results are not surprising for a country that does not care about privacy. The app is not available in the Play Store. It is only officially available in China and is aimed exclusively at its citizens. However, since Alibaba is an international player, foreign oversight authorities could exercise some control.
Picture: Hanson Lu at Unsplash