
Chinese authorities install app on phones of people entering Xinjiang - el_duderino
https://www.vice.com/en_us/article/7xgame/at-chinese-border-tourists-forced-to-install-a-text-stealing-piece-of-malware
======
rwmj
Before I went to China I bought a burner phone, mainly to install WeChat
(which is also a kind of malware and also "required" in China). Basic Android
phones are not too expensive these days - I wonder if it will become
commonplace to own several and physically separate your life across them?

FWIW I got a Huawei phone (Honor 10 Lite) for under 200 EUR, but much cheaper
phones than that are available.

 _Edit:_ To be clear this is not to avoid Chinese surveillance. That's
unavoidable whatever you do because China is a police state. It's to separate
out that surveillance from my contacts and my regular life at home. (I also
think it's at least arguable that the Chinese government has a duty to look
closely at what foreigners are up to. It's not an argument that I agree with
myself very much because it infringes freedom while also making the wrong
trade-offs, but given we live in a world of nation states it follows logically
from that.)

~~~
mfatica
Kind of ironic you bought a burner phone to avoid Chinese surveillance then
turn around and buy a Huawei phone

~~~
ericye16
I read that as the Huawei phone being the burner phone, which is the point.

~~~
jandrese
Maybe he can save a little time at the border by buying the phone that already
reports back to the Communist Party, avoiding the hassle of having the border
agents install the spyware while you wait.

------
mLuby
> "China is using technology for the perfection of dictatorship." -Pete
> Buttigieg, 2020 US presidential candidate

PRC may be blazing the trail, but as the tech becomes proved and available, I
won't be surprised to see creeping adoption in more "free" countries
(especially following crises).

~~~
Ididntdothis
Exactly. People are already used to much more surveillance than they used to be, and
this trend just keeps going. Sometimes it's China taking the lead, sometimes
the US, sometimes other countries. But they all look at each other and slowly
adopt what the other country is doing.

I am pretty sure the next generation will never see anything other than
complete surveillance by countries or corporations. And for them it will seem
normal.

~~~
SubiculumCode
If your whole argument is based on fatalism, you might as well say
so....because right now you assume the conclusion.

~~~
mLuby
It doesn't look like fatalism to me; the argument is based on the bandwagon
effect and how dramatic outcomes can be arrived at through incremental
changes.

~~~
Ididntdothis
It's the slow erosion of values. I remember a time when people would "never do
online banking", now pretty much everybody does it. Some years ago nobody
would have thought it possible that the border agent may ask for social media
accounts or decrypt your phone. Now they do it. It's a very slow progression
that may take decades but it's happening everywhere.

------
mdorazio
This bit is important: "Foreigners crossing certain Chinese borders into the
Xinjiang region"...

I'm not aware of Chinese authorities getting quite that draconian (yet) at the
normal border entry points in Beijing, Shanghai, etc. However, I think it's
still worth following the general advice that if you have sensitive data on
your devices, leave them at home and use a burner phone/laptop + restore from
the cloud later.

~~~
BurningFrog
OK, Xinjiang is basically a low level war zone/prison camp.

Quite different from the rest of China.

~~~
dirtyid
Rest of China is captured by WeChat anyways. This is only really useful for
foreign reporters travelling in Xinjiang. China could technically just ban
foreigners from travelling there but somehow thinks the optics of this is
better.

~~~
seanmcdirmid
It is weird because there are no travel restrictions for foreigners going to
Xinjiang (mostly, some places are off limits), you just buy a plane or train
ticket. Going to Tibet is a lot harder for foreigners.

~~~
dirtyid
I think Tibet still very much has Western imagination captured whereas Uyghur
Muslims... do not. Even more cynical analysis, Xinjiang is fundamentally an
exercise in reducing the real problem of Islamic radicalization and the non
response from many countries (including Muslim ones) is that they are quietly
observing to see if the experiment pays off. The danger of Xinjiang is that
surveillance state + "vocational" reintegration camps might actually be a
productive model that can be exported elsewhere.

~~~
seanmcdirmid
Xinjiang is also much larger population (21 million+) wise than Tibet (3
million+), along with the former having a much larger Han population, making
restrictions much harder (and less appealing) to implement logistically.

~~~
QuercusMax
I hope you mean population, not ovulation.

~~~
seanmcdirmid
Yikes! Fixed.

------
ce4
Here's the original article from Süddeutsche Zeitung (in German):

[https://www.sueddeutsche.de/politik/china-app-ueberwachung-touristen-1.4508470](https://www.sueddeutsche.de/politik/china-app-ueberwachung-touristen-1.4508470)

------
phy6
"What you’ve found goes beyond that: it suggests that even foreigners are
subjected to such mass, and unlawful surveillance." Pretty bold for them to
call it unlawful in two places when it was not shown to be against that
country's laws. Distasteful, yes. Unlawful? Hard to tell from just this
article. Personally, I'm more worried about exported Android devices.

~~~
johnzim
Indeed. For something to be unlawful you must have a society beholden to the
rule of law, which the PRC is most definitely not.

------
erdo
Given China's expansive attitude to industrial espionage (all foreign
companies are fair game), if I were in charge of security for a large
multinational, what's my security policy going to be for my employees who
travel to China for meetings? Does this change anything? or is behaviour like
this from China or indeed anyone else, already priced in?

~~~
braythwayt
Others can chime in, but I believe that most serious companies doing business
with China have a burner-device policy for employees travelling to China.

Your devices will all be hacked with industrial espionage malware, and just in
case you don't have anything on those devices, you will be given devices as
"gifts"—like flash drives and WiFi-equipped smart home devices--that will
exploit any devices you didn't bring with you.

INAE, but I believe the usual policy is to accept the gifts but discard them
at the first opportunity.

~~~
schoen
I'm always confused when I hear this about why malware researchers don't
obtain a huge trove of malware samples (and/or zero-day exploits) by obtaining
some of these "gifts" and then connecting them to honeypot devices. If all you
have to do to receive one is travel to China as an employee of a major U.S.
company, they must be quite easy to get ahold of.

~~~
yazan94
I imagine the average Joe working at MSFT/AAPL/GOOG/etc. doesn't get such
gifts unless they are worth hacking - in which case I imagine the gift-givers
would have done their due diligence. Also corporate policies can be pretty
specific and strict regarding gifts to eliminate potential conflicts of
interests.

~~~
schoen
Due diligence about whether the gift recipient is likely to use it
personally rather than passing it along to a malware researcher?

------
bovermyer
The title is a little misleading, as it's a region of China and not the
entirety.

However, the implications are still ominous.

I'm curious, how did China develop into such a police state? Anyone able to
point me to some reading on the subject?

~~~
jandrese
Basically China is too big and doesn't have good natural internal borders so
throughout history it has only held together when the central government was
especially ruthless. It's just too easy to steamroll off of some early
military victories, so all insurrection needs to be quashed before it ever
really gets started. This means you need a brutal police state.

In modern times the traditions of the past remain even after the natural
barriers of communication time and mobilization speed have been eradicated by
modern technology. The rules of the past become a part of the culture,
language, and customs of the people, even after they are theoretically
obsolete. Finally, there is a natural fear of retribution you see when a
minority oppresses the majority for a long time. The minority doesn't want to
be treated as they treated the majority for so long, and are terrified that if
they give an inch they'll find themselves hanging from a pole just like so
many of their victims.

~~~
xenospn
China is also working very hard to get rid of its minorities by simply
distributing Han Chinese everywhere.

~~~
malandrew
It's basically ethnic cleansing by dilution. In Xinjiang and Tibet it appears
to go beyond just dilution, but that is the primary mechanism. When I was
living there, there were tons of incentives to encourage Han Chinese to
migrate to both Xinjiang and Tibet to completely dilute the local minorities
to the point of irrelevancy.

~~~
jandrese
In the US we called this "the melting pot". It doesn't matter what your
ethnicity was before you moved here, your traditions and beliefs get
integrated into American society so you are just an American.

This sort of thing has had a lot of pushback lately from well meaning but IMHO
misguided folks who complain about "cultural appropriation".

You aren't asked to forget your cultural traditions, you're asked to bring
your neighbors into them. To share the culture. But also to admit that the
edges are probably going to be sanded off and you're going to see people from
outside of your group participating.

------
motohagiography
Does Signal prevent this or not?

If the malware roots the device, probably not, but if it takes read.sms
permissions, it should only get ciphertext. If it replaces the main SMS
messenger, then it breaks, but you'd know.

I just did a rough threat model on this exact scenario and worked with the
assumption that Signal's MasterSecret covered it in the sms DB - but haven't
done a thorough code review yet.

------
mortivore
Yet another reason not to visit China.

~~~
archy_
Or just bring a burner phone that you can throw out before leaving.

~~~
quickthrower2
Or no phone

------
dangus
The headline is really alarmist, implying China in general is applying this
practice, while the reality is that this is a practice limited to sensitive
regions. It's pretty much in line with the status quo in Western China. China
has been very protective of the Xinjiang region for a long time, and very
restrictive on travel in and out, especially for foreigners.

But here we go, we've started an alarmist comment thread where we've extended
this out way beyond the current implementation, extending it into some kind of
dystopian future where this kind of thing is universal. Time to get a burner
phone and lock ourselves at home with our tin foil hats tightly in place!

All countries have always been paranoid when it comes to more contested and
less stable regions. It's nothing new nor a surprise. Is this situation a good
thing? No. It's been a human rights problem for decades.

Still, we should stop freaking out, that would be great.

This is not the customs and border process in China as a whole. It's not a
reason to cancel a trip to Shanghai or Beijing or Xi'an.

~~~
prepend
What is a sensitive region? Are there any similar regions in Western Europe?

~~~
Mediterraneo10
"Sensitive region" in this context means a region historically populated by a
different ethnicity than which dominates the central government, and which
would like to be free of that central government. In China these are
specifically the Uighurs in Xinjiang versus the overwhelmingly Han Chinese
central government.

States of emergency have been called in the past for various regions in
Western Europe where violent separatist movements were active, but those
moments have mainly abated, and besides, Western European governments these
days are not so fond of mass surveillance as China.

Just across the strait of Gibraltar, however, one does encounter a similar
situation in Morocco, namely in the region of Western Sahara which Morocco
occupied back in the 1970s. Western Sahara is historically populated by a
different ethnicity (the Saharawis) who chafed at Moroccan control of the
region. Foreigners traveling on the roads through the region will encounter a
long series of police roadblocks, and police do occasionally demand social-
media accounts and passwords from travelers. The situation is vaguely like
Xinjiang, although the Moroccan police are much more laidback, so a person can
refuse to give them information and just bullshit about not having Facebook or
Whatsapp. Compared to the very organized and rigorous Chinese police state,
the Moroccan forces are pretty amateur.

------
baybal2
Urumqi is a quite big transit hub, but I opt to never buy flights through it
for the chance of winning a free cavity search. That's another reason to keep
away from that place.

~~~
seanmcdirmid
I don’t think you would have many problems in Urumqi these days, the problems
only start when you leave the big city.

Is Urumqi really an international hub? I can’t imagine anyone flying through
that city for any trip that didn’t originate or terminate in China. Chengdu is
much more of the hub these days.

~~~
baybal2
Well, it is. The airport is past gigantic for the city of its size, and
landing fees are said to be quite low. I think nearly all companies flying
narrowbodies from Europe to China do stopover here, except for Central Asian
airlines who have a natural option of doing stopover in home countries.

I flew through it once, and now I will never do it ever again...

I do feel that bigger name European airlines opting to reroute flights to
China through Chengdu had all of above in mind

~~~
seanmcdirmid
Who is flying narrow bodies between Europe and China? Moscow (via Aeroflot or
whatever) works better for trips to Europe given earth curvature. The only
nonstops I can find are Moscow, St Petersburg, Novosibirsk, Baku, Astana,
Tbilisi, which all makes sense, most of those are Central Asia or almost so,
and then Russia. What am I missing?

~~~
baybal2
Russia is one of few countries not giving a "freedom of air." Overflight
rights are only given to flag carriers at extortionate rates, most EU-China
flights have to take rather weird routes.

There used to be flights through Urumqi on EU-China routes just 2 years ago
with stops just in it or in Almaty by quite a number of airlines.

The accursed flight I was on was done by China Southern

~~~
seanmcdirmid
Unless someone else is paying, I always fly Aeroflot via Moscow when going
between Beijing and Europe. Not only are the fares very reasonable, but Moscow
airport is a fairly nice lay over (they serve beer at Burger King).

I’ve flown out of Urumqi once on a domestic. Even that domestic flight
required a one night layover in Xian. Annoying.

------
apeace
> The Süddeutsche Zeitung reporter said they saw machines that appeared to be
> for searching iPhones at the border.

Is this known to be possible? I would've thought it isn't (at least without
the user entering their passcode and "trusting" the device).

~~~
lucb1e
> without the user entering their passcode and "trusting" the device

Right, do you want to enter the country or not? Click that button, sir.

------
xmly
Why not do it at carrier level? much simpler.

NSA could monitor all of us without installing any spyware.

China should improve its surveillance techniques!

~~~
acomjean
Probably encryption makes that harder

------
la_barba
This is bad PR for the Chinese government, but only in the West. They will
probably stop doing this when they can get some NSA type organization to do
this. It's much easier to vacuum up the data behind the scenes.

------
chvid
The journalists also asked researchers at ... Open Technology Fund, an
initiative funded by the United States government under Radio Free Asia ... so
the CIA basically?

------
mg794613
If it's just text stealing I guess it's better than having to give your login
details?

------
x2f10
I fear backlash from this comment, but is this a case against side-loading
apps?

~~~
Crinus
No, because if it is mandated by law then it will need to be available region
locked in app stores for China.

So with this stance (ie. against "side-loading" - what a crappy term) not
only you make things worse for everyone (not being able to use their own
devices as they see fit) even though they wouldn't be visiting China, you also
validate region locking (another shitty practice that has no place in a global
internet and only serves whoever wants to divide people) including any tech
necessary for it (and thus monetary incentives for whoever implements it)
_and_ not solve the issue at hand (people being forced to install malware)
since it can be done just as easily through normal routes.

No, if you do not want such stuff then speak against it and do not put
yourself in a position to be affected by it (do not visit China, use burner
phones, whatever).

~~~
saagarjha
Note that the software does not currently appear on online marketplaces; it
seems to be installable exclusively via sideloading. I don't think anyone has
really tested what would happen when a government legally mandates for app
stores to carry state-sponsored malware.

~~~
scohesc
We'll definitely see it once Huawei releases their own app-store and ecosystem
for China.

------
JumpCrisscross
> _This is yet another example of why the surveillance regime in Xinjiang is
> one of the most unlawful_

This is hyperbolic. It's potentially reprehensible and almost certainly
oppressive. But it's not unlawful in a state without the rule of law.

------
implying
Is there any way to get a copy of the application? I'm sure there are some of
us that would love to take it apart and look for URLs / file hashes it is
looking for.

~~~
vulkd
From the VICE article:
[https://github.com/motherboardgithub/bxaq](https://github.com/motherboardgithub/bxaq)

------
redwards510
What I don't understand is why they leave the app installed on the person's
phone after the scan if it does not do any further scanning in the background.

~~~
plussed_reader
I wouldn't be surprised if the app is a visa requirement while visiting.

------
Tepix
Looks like there are ways to block sideloading of apps:

[https://www.brianmadden.com/opinion/How-do-you-block-sideloaded-app-installation-on-iOS-or-Android](https://www.brianmadden.com/opinion/How-do-you-block-sideloaded-app-installation-on-iOS-or-Android)

Basically you create an enterprise profile for your phone and block
sideloading of apps as a policy ("Disallow_Install_Unknown_Sources"). Same with
iOS.
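
One way the Android side of the policy named above can be applied, as an added example that is not from the linked article or from any commenter: an app that is already provisioned as device owner or profile owner sets the `DISALLOW_INSTALL_UNKNOWN_SOURCES` user restriction through `DevicePolicyManager` and reads it back. The names `SideloadPolicy` and `AdminReceiver` are hypothetical, and a minimum SDK of 24 is assumed.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.os.UserManager;

/** Hypothetical helper; assumes this app is already device owner or profile owner. */
public final class SideloadPolicy {

    /** Hypothetical admin component, declared in the manifest as a device admin receiver. */
    public static class AdminReceiver extends DeviceAdminReceiver {}

    private SideloadPolicy() {}

    /**
     * Blocks installs from unknown sources for the managed user.
     * Returns true only if the restriction is confirmed active afterwards.
     */
    public static boolean blockSideloading(Context ctx) {
        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        String pkg = ctx.getPackageName();

        // User restrictions can only be set by a device owner or profile owner;
        // a plain device-admin app would get a SecurityException here.
        if (dpm == null || !(dpm.isDeviceOwnerApp(pkg) || dpm.isProfileOwnerApp(pkg))) {
            return false;
        }

        ComponentName admin = new ComponentName(ctx, AdminReceiver.class);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);

        // API 29+: extend the restriction to every user on the device,
        // not only the user or profile this admin manages.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            dpm.addUserRestriction(admin,
                    UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY);
        }

        // Read the policy back instead of assuming the call took effect (API 24+).
        Bundle active = dpm.getUserRestrictions(admin);
        return active.getBoolean(UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES, false);
    }
}
```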

------
csyszf
I'll never open HN again. I talked with some American/EU/Australian folks, in
Twitter and my company, and they're very nice. I just couldn't understand, why
so many people in HN are so arrogant and self-righteous.

I just can't stand those comments, they remind me of Trump- “No one knows
China better than me” Although they basically know nothing, just as Trump.

------
z2
Android needs an incognito mode or some way to set up a secondary user that
looks as if it's the only user on the device. Maybe this mode/user can be
triggered with a different passcode or finger.

------
saagarjha
> The Süddeutsche Zeitung reporter said they saw machines that appeared to be
> for searching iPhones at the border.

I'm curious if anyone managed to grab a look at these as well.

------
tedsuo
The article only mentions Android. Does anyone know what the process is for
iPhones at the border?

~~~
xenospn
My guess is they force you to hand over your pin code/unlock your phone and
extract it manually.

------
olliej
So it’s android only?

~~~
xenospn
iOS is probably looked at as well, but has to be done manually since there's
no way to just do it with a simple app.

~~~
z33k
I'd wager that they have an enterprise certificate to sign the iOS app with.
Then it's a matter of sending the spy victims to a URL, installing the app and
granting access to photos/ location/ whatever.

~~~
tomovo
Nope.. the user would also have to open Settings and explicitly mark the
vendor certificate as trusted.

~~~
LocalH
It says the devices were unlocked then the device was connected. I would
assume the device is in the custody of the Chinese authority at this point.
Thus, they can just go into Settings and trust the cert.

~~~
olliej
Changing trust settings on device requires the password.

Better question is: what are they able to pull off the device while it's
unlocked?

------
murbard2
The US is forcing its tourists to give away a list of all their social media
accounts and all their email accounts. If you're a foreign journalist writing
pseudonymously for your safety, you must now share that information with the
US government to enter the country. This isn't quite on the level of forcing
people to install malware on their phone yet, but give it a couple years.

~~~
panarky
> _The US ..._

This style of argument is deflection, and it gets us nowhere.

It's very effective in redirecting the focus away from one bad actor and onto
another bad actor, though.

~~~
bduerst
Call it what it is:
[https://en.wikipedia.org/wiki/Whataboutism](https://en.wikipedia.org/wiki/Whataboutism)

~~~
theslurmmustflo
Can you explain what's wrong with whataboutism?

~~~
TheGRS
Other than being a logical fallacy it's also a race to the bottom in terms of
what we (as a society) deem appropriate. "Oh what I did was wrong? Well what
about that guy over there? Why aren't you judging him first?" The argument is
usually in bad faith as if one problem can't be solved until we've dealt with
everything else that's worse.

------
dang
Comments moved to
[https://news.ycombinator.com/item?id=20336920](https://news.ycombinator.com/item?id=20336920),
since the guidelines call for original sources.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

Edit: a user emailed to point out that this article is itself one of the
original sources, because vice.com aka Motherboard was one of the
investigating parties. That was my mistake! Sorry.

------
neves
How long till USA start doing the same?

Oops, maybe it comes pre-installed :-)

~~~
vokep
Yes there are two variants for US citizens, iOS and Android.

------
redwards510
If the US started doing this (scanning phones for Islamic terrorism files) to
foreigners at the border, would you care? If it was just a scan and no data
was harvested?

I believe strongly in the right to privacy, but I have to admit, I do not want
anyone coming into my country who has beheading videos on their phone. Unless
they are a journalist or something, obviously.

~~~
bongobongo
You may not know this, but the Constitution guarantees the same rights to
foreigners on US soil as it does to US citizens. (This is a pretty basic part
of civic education, but civic education in the US these days is terrible.)

So, no, I would not be OK with the government violating the Constitution.

~~~
thebooktocome
This isn't actually true. The majority of constitutional rights apply to
foreigners, but some don't.

[https://www.learnliberty.org/blog/t-he-constitutional-rights-of-noncitizens/](https://www.learnliberty.org/blog/t-he-constitutional-rights-of-noncitizens/)

