The Chinese Communist Party published an app called 'Study the Great Nation' earlier this year, which it heavily advertises and even requires many citizens to use. While it looks like a mere propaganda tool at first glance and seems to function as a news and factoid resource on Chinese President Xi Jinping and his party, it appears to be engineered to monitor its users and even sports a superuser backdoor which it could use to gather more data.
With the country's extensive human rights violations in mind, the Open Technology Fund tasked German security research firm Cure53 with auditing the product developed by Alibaba. The first obstacle the researchers faced can already be read as proof of the app's impure intentions: the code is equipped with anti-reversing techniques. Cure53 reasons it's likely there are more malicious or nosy instructions hidden behind this unusual coding practice than what the firm could find among the deciphered parts of the app.
The evidence the security researchers did find is significant enough, though. Some "code resembling a backdoor" gives the app superuser privileges. Though Cure53 says "no evidence of usage could be identified during this test and further investigation is required," an app like this shouldn't have any business with root access. Apparently, Alibaba isn't only involved in maintaining the app itself but was also tasked with building the backdoor, as the company's name can be found in the respective code.
Further evidence includes file transmission of user data and information on the device, purposely weak cryptographic algorithms for login credentials and personal data, and similarities to other Chinese spy apps. You could argue that the first of these is merely meant for statistical purposes, but coupled with the other evidence, it should set off some alarm bells.
The findings aren't surprising for a country that doesn't value privacy in any form. The app isn't on the Play Store; it's only officially available in China and solely targets its citizens, but since Alibaba is an internationally active company, some scrutiny from regulators abroad might be headed its way.
- Washington Post
- Jeffry Dubinsky