
Cure53 Audit of Chinese ‘Police App’ - ericdanielski
https://cure53.de/#chinese-police-app
======
yorwba
This is the same app as discussed in
[https://news.ycombinator.com/item?id=20335816](https://news.ycombinator.com/item?id=20335816)

That Motherboard article also links to a repository with the APK:
[https://github.com/motherboardgithub/bxaq](https://github.com/motherboardgithub/bxaq)

~~~
jaxbot
If that's the case, it's worth noting (since it's often lost here, on reddit
and in the news) that is app is only required at border checkpoints in
Xinjiang. Putting Xinjiang on your itinerary would likely result in your visa
being refused anyway. If you are traveling to China for business or pleasure,
you won't need to worry about this.

Source: Was in Shenzhen within the past month. Normal customs/border control
practices. Nobody asked for personal devices. Only surveillance that was
obvious was biometric checkpoint at customs, and some sort of face scan (?) at
the subway queue.

~~~
gruez
>Putting Xinjiang on your itinerary would likely result in your visa being
refused anyway

1\. get a multiple entry visa

2\. say you're going to shanghai or whatever on the application

3\. go to Xinjiang on your second visit

~~~
jaxbot
Right. There's no enforcement of visa itineraries so long as your first one
has valid flights & hotel. After that, you get 10 years of multiple entry with
no required itineraries. I just brought it up as a point, that Xinjiang is not
a place you would normally be going. People seem to assume that Xinjiang is
just a normal crossing into China that has heightened security. That's not the
case at all. You would never accidentally end up there on a trip to China.

~~~
lmm
Xinjiang province is 1.6 million km^2. It's larger than France and Germany put
together. There are plenty of reasons to want to go there.

~~~
yorwba
Most of that area is covered by mountains or desert, and there are only about
22 million people living there. The economy also isn't terribly developed
(although IIRC it's the fastest-growing among all Chinese provinces) and it's
not exactly popular as a tourist destination.

That doesn't mean there's no reason to ever visit, just that there aren't very
many more reasons than for e.g. visiting the neighboring Kazakhstan. Most
people crossing the border and getting subjected to the surveillance are
probably ethnic Kazakhs living on either side, visiting relatives on the
other.

------
hnarn
Direct link to the report (PDF): [https://cure53.de/analysis-
report_bxaq.pdf](https://cure53.de/analysis-report_bxaq.pdf)

------
cltsang
Uncovered CCP internal document said they oppose "universal values" as a
concept established by western civilizations [0][1].

So human rights violations is not a thing in China. Under the current Chinese
government's rule, the people do not have rights, unless, of course, when the
"rights" are beneficial to the longevity of the CCP.

[0]:
[https://en.wikipedia.org/wiki/Document_Number_Nine](https://en.wikipedia.org/wiki/Document_Number_Nine)

[1]:
[https://cn.nytimes.com/china/20130820/c20document/dual/](https://cn.nytimes.com/china/20130820/c20document/dual/)

~~~
cljs-js-eval
This is kind of an interesting cultural difference between Europe/America and
China. While we talk about universal rights, they talk about universal duties,
and this only sometimes converges on the same values.

For example:

Both the West and China believe that old people deserve care in their old age.
The West would justify this by saying that the elderly have fundamental human
rights, which would be neglected without care. Chinese would justify this by
saying that the young have a duty of care to the old.

Both the West and China (at least superficially) believe that rulers should
treat their subjects with respect. In the West, this is because each subject
has human rights. In China, this is because the ruler has a duty to treat
their subjects respectfully.

So I would not make the mistake of thinking that the Chinese are somehow
amoral because they do not subscribe to the doctrine of human rights. It must
honestly seem to them like a Western concept that clashes with their view of
morality (or at least it would if I were in their shoes). But the Chinese
government must have a set of duties to their people. I would love to read a
document where they outline those, I'm sure it must exist somewhere.

~~~
nickbauman
The "Duty" vs "Right" thing is ancient. You can see the earliest form of this
"duties" concept underpinning the all the abrahamic religions, even in all
salvation-oriented religions. You have a duty ultimately to the "godhead",
from which all other duties derive.

The concept of universal rights was the refinement of this and only fully
emerged during the enlightenment era in Europe. But it was there in a less
explicit, more rudimentary form in classical Greece, too.

It's a choice, really. What kind of world do you want to live in? A world
where we recognize basic human rights as x-y-z (from which we can determine
what duties we have toward each other, for sure) Or a world that we left
behind for very good reasons.

~~~
CPLX
These are not the only two choices.

For example a Buddhist might argue that the fundamental concept is realizing
that there is no difference between the concept of you, and myself, that we
are all one thing, and from this determine that one should not inflict
suffering on other sentient beings.

~~~
nickbauman
Uh, covered in salvation-oriented religions. Buddhism is just another one of
those.

------
wiz21c
I'm going to be downvoted but... Android has access to all my files and is
installed on my phone even before I reach the USA. Since the US government
seems to have close ties (1) with Google, this makes me a bit nervous as well.

So I'm not sure the chinese are more evil than our occidental countries...

Moreover, it seems that chinese authorities force people to install their
software on the phones. But, last time I checked, I was forced to accept the
EULA on my phone as soon as I turned it on (Nokia One for the record). I'm
sure that I'm just as "forced" to install Android on my phone as I'm forced to
install the chinese software : basically I can refuse, but it means that I
have to throw the phone away...

Obviously I make a kind of caricature here, but my point is : whatever the way
it is installed, the software on your phone is controlled by a powerful
entity, controlled maybe by a powerful government which has, like most of
them, some blood on its hands. There's nothing wrong with that, that's
history; but we don't need to look to far away to see problems with privacy...

[1] [https://wikileaks.org/google-is-not-what-it-
seems/](https://wikileaks.org/google-is-not-what-it-seems/)

~~~
tcbawo
Except, Google is accountable to shareholders and US legal code. The US
government has accountability through elections and the judicial system. What
accountability does the Chinese government have?

~~~
logicchains
A lot of good that accountability did Kim Dotcom, or the brown-skinned people
being blown up by drones, or the hundred thousand civilians killed in Iraq
after America brought about regime change. Over the past century America has
interfered far more in other countries' affairs than China ever has. A cynical
way of putting it: China's government oppresses its own people, America's
government oppresses everybody but its own people. As someone neither American
nor Chinese I feel China's far less likely to come along and bother me when
I'm minding my own business than America is.

~~~
chibg10
>As someone neither American nor Chinese I feel China's far less likely to
come along and bother me when I'm minding my own business than America is.

Well no shit, only one of these two countries has had the capability to
project power globally for six decades. To say China hasn't intervened in e.g.
Ireland's affairs is to say pretty much nothing about its (un)desirability as
a global leader.

Within each country's sphere of influence though, I don't agree with the above
statement in any sense though. China is far more active/aggressive (and
amoral) in the affairs of its people domestically and in its regional sphere
of influence than the US generally is.

~~~
logicchains
>China is far more active/aggressive (and amoral) in the affairs of its people
domestically and in its regional sphere of influence than the US generally is.

That's the point; it's aggressive in the affairs of _its people_. That being
said, I'd disagree that the US generally leaves countries in its sphere of
influence alone: the war on drugs for instance resulted in a massive amount of
violence and suffering in Mexico, America's southern neighbour. America
installed Pinochet in Chile, and also created various other banana republics
in South America
([https://en.wikipedia.org/wiki/Banana_republic](https://en.wikipedia.org/wiki/Banana_republic)).
America is one of the only countries in the world to tax its citizens
regardless of whether they live, and imposes so much bureaucracy on dealing
with them that there are even European banks that refuse to serve US
customers: [https://www.spiegel.de/international/business/reaction-to-
us...](https://www.spiegel.de/international/business/reaction-to-us-tax-law-
european-banks-stop-serving-american-customers-a-803742.html). US intelligence
agencies somehow convinced the New Zealand spy agency to illegally wiretap Kim
Dotcom (NZ is a close US ally):
[https://www.telegraph.co.uk/technology/internet/9569986/Kim-...](https://www.telegraph.co.uk/technology/internet/9569986/Kim-
Dotcom-NZ-Prime-Minister-apologises-over-unlawful-spy-operation.html). The US
embargoed Cuba for decades; China trades peacefully with Taiwan.

------
gibba999
I don't quite see much difference between Chinese government surveillance and
US corporate surveillance at this stage. The power structures are different,
but the result is the same.

Google knows everywhere I am and reads all my email.

~~~
learc83
The difference is that Google can't throw you into a camp without trial for
what they discover.

~~~
gibba999
I'm guessing you're a Googler (or similar) who missed the point. Privacy has
value even without the threat of being thrown into a camp, and mass
surveillance is a human rights violation even without that. But just to get
facts straight:

The US government can and does get data from Google through both instruments
like national security letters and subpoenas. If it decides you're in need of
prison:

* There may be a trial before one gets thrown into a prison camp. That's true. The Justice System is relatively fair to anyone who can afford to spend $300,000 on lawyers without worrying about the cost. That's the top-1-percenter population. If you're a Googler, you're probably at the lower-end of this.

* For most middle-class families, a criminal prosecution is guaranteed bankruptcy. Whether or not you defend yourself successfully depends on how quickly you run out of money.

* For most lower-class families, the outcome is usually a plea bargain, where you do get thrown into a prison without trial.

Before making comments like yours, you might want to read a book like "The New
Jim Crow," and look up statistics on what your own power structures are doing
(and specifically, both statistics on the number of people in prison and
anecdotes for how they got there).

------
14
Well didn’t I read somewhere that if I cross the US border I could be forced
to allow a search of my electronics? Actually think I only need to be within
100miles of the border and they are allowed to do that in the name of
security. My point is who cares that the Chinese are doing this when I can
look to my neighbors to the south doing the exact same thing. Well I care but
I am not about to look down on the Chinese because they do it too. So much “do
as I say not as I do” with the US it’s rediculous.

------
dfcmt
>All extracted information is bundled as a ZIP file, without applying any
protection like a password. The ZIP file is then sent via an HTTP POST request
to [http://192.168.43.1:8080/](http://192.168.43.1:8080/). This shows that not
only no transport security (e.g. [https://](https://)) is in place, but also
that an internal IP address is used.

Unless they're expecting a MITM from the police network (or wherever they use
this app) why is no https a problem?

>BXAQ uses the default icon for Android apps, which means there is no attempt
at being covert or discreet about it.

...or maybe they didn't put an icon because it's optional and unnecessary for
what essentially is an internal app.

I mean really they are not trying to be unbiased or anything about the
analysis.

~~~
cal5k
MITM? You don't need to MITM something that isn't even encrypted... anyone
with a modicum of technical ability can use WireShark to grab these files if
they're transmitted over public Wi-Fi. And probably cellular connections, too.

~~~
dfcmt
But they aren't transmitted over public wifi. They are transmitted inside of
some kind of private network, given that they are transmitted to a server in
the 192.168/24 range

~~~
yorwba
You can have servers with an IP in that range available on public WiFi, no
problem at all. If the network is _not_ public, whoever installs the app still
needs to connect to it, so you can intercept any credentials they enter, or
even run Wireshark on the device.

