Hacker News new | past | comments | ask | show | jobs | submit login
Cure53 Audit of Chinese ‘Police App’ (cure53.de)
115 points by ericdanielski 72 days ago | hide | past | web | favorite | 53 comments

This is the same app as discussed in https://news.ycombinator.com/item?id=20335816

That Motherboard article also links to a repository with the APK: https://github.com/motherboardgithub/bxaq

If that's the case, it's worth noting (since it's often lost here, on reddit and in the news) that is app is only required at border checkpoints in Xinjiang. Putting Xinjiang on your itinerary would likely result in your visa being refused anyway. If you are traveling to China for business or pleasure, you won't need to worry about this.

Source: Was in Shenzhen within the past month. Normal customs/border control practices. Nobody asked for personal devices. Only surveillance that was obvious was biometric checkpoint at customs, and some sort of face scan (?) at the subway queue.

A friend was in China on business recently and the local corporate It department told him they were installing government required monitoring software so that he could vpn back to the US office. This might have been a misunderstanding as that guy isn't very technical, have you heard of this?

I'm not sure and I don't want to misspeak. I know that my company does not do such a thing, and my phone when roaming (Project Fi) bypasses the GFW. However, I do know there are specific different IT infra requirements when connecting from China but none that are gov-monitoring related. It may be a misunderstanding, or it may be a procedure that your friends' IT was following that we aren't.

That being said, foreigners accessing the normal WWW is really not a major concern if you think about it.

>Putting Xinjiang on your itinerary would likely result in your visa being refused anyway

1. get a multiple entry visa

2. say you're going to shanghai or whatever on the application

3. go to Xinjiang on your second visit

Right. There's no enforcement of visa itineraries so long as your first one has valid flights & hotel. After that, you get 10 years of multiple entry with no required itineraries. I just brought it up as a point, that Xinjiang is not a place you would normally be going. People seem to assume that Xinjiang is just a normal crossing into China that has heightened security. That's not the case at all. You would never accidentally end up there on a trip to China.

Xinjiang province is 1.6 million km^2. It's larger than France and Germany put together. There are plenty of reasons to want to go there.

Most of that area is covered by mountains or desert, and there are only about 22 million people living there. The economy also isn't terribly developed (although IIRC it's the fastest-growing among all Chinese provinces) and it's not exactly popular as a tourist destination.

That doesn't mean there's no reason to ever visit, just that there aren't very many more reasons than for e.g. visiting the neighboring Kazakhstan. Most people crossing the border and getting subjected to the surveillance are probably ethnic Kazakhs living on either side, visiting relatives on the other.

In this specific case a single entry visa was used. The visa paper in the passports doesn’t show the itinerary stated in the visa application. Also all itinerarys and the flight tickets were made with either booking.com and immediately cancelled or with a fake flight ticket generator. Worked like a charm..

Direct link to the report (PDF): https://cure53.de/analysis-report_bxaq.pdf

cltsang 72 days ago [flagged]

Uncovered CCP internal document said they oppose "universal values" as a concept established by western civilizations [0][1].

So human rights violations is not a thing in China. Under the current Chinese government's rule, the people do not have rights, unless, of course, when the "rights" are beneficial to the longevity of the CCP.

[0]: https://en.wikipedia.org/wiki/Document_Number_Nine

[1]: https://cn.nytimes.com/china/20130820/c20document/dual/

This is kind of an interesting cultural difference between Europe/America and China. While we talk about universal rights, they talk about universal duties, and this only sometimes converges on the same values.

For example:

Both the West and China believe that old people deserve care in their old age. The West would justify this by saying that the elderly have fundamental human rights, which would be neglected without care. Chinese would justify this by saying that the young have a duty of care to the old.

Both the West and China (at least superficially) believe that rulers should treat their subjects with respect. In the West, this is because each subject has human rights. In China, this is because the ruler has a duty to treat their subjects respectfully.

So I would not make the mistake of thinking that the Chinese are somehow amoral because they do not subscribe to the doctrine of human rights. It must honestly seem to them like a Western concept that clashes with their view of morality (or at least it would if I were in their shoes). But the Chinese government must have a set of duties to their people. I would love to read a document where they outline those, I'm sure it must exist somewhere.

There is haggling to be done on the specific words though; I'm going to dispute that care of the elderly is tied to the Western conception of rights. The Western concept, particularly in places like France and the Anglosphere, is tied freedom of action and from interference that came about when the monarchies were de-toothed. A good classic benchmark of what rights look like, the US Bill of Rights, only guaranteed a level of protection from government and law enforcement as opposed to saying that people deserved some standard of comfort or whatever.

Care of the elderly is a recognition of the fundamental importance of individual dignity and the value of character. This is an inherent quality of individuality, as opposed to a right which is somewhat granted by an external entity [^]. Claiming people have a 'right' to someone else taking a positive action on their behalf isn't a universal Western value, or if it is it is reasonably modern. The idea is old, but historically it probably had a different name (likely tied in with religious community, for example).

[^] You can be denied your rights, but you can't be denied the fact that you are in individual with dignity and importance.

> ...the US Bill of Rights, only guaranteed a level of protection from government and law enforcement as opposed to saying that people deserved some standard of comfort or whatever.

See https://en.wikipedia.org/wiki/Negative_and_positive_rights for more on this.

A right implies a duty on others. A duty implies a right of the person you have to the duty to.

The duty formulation is good because it makes clear the cost of the right - it's like avoiding the passive voice in writing (compare 'everyone has the right to food' with 'those with food have a duty to feed those without' - the first is meaningless without the second). The rights formulation emphasizes that the reason for the duty resides in the person to whom the duty is owed, not the person who must perform the duty, and even if the performer changes, the duty will remain.

Elsewhere in the thread, the point is made that the prevalence of right formulations in western society mainly came about as western society went through successive limitings of the power of monarch and government, and the rights of the people against all governments present and into the future were enumerated. I don't know if this is true, but it seems plausible. It also provides a possible explanation for why authoritarian regimes might prefer a duty based view, and would certainly try to avoid accepting a philosophy that limited their power over their people.

Having said all that, big chunks of chapter 2 of the Chinese constitution read just like a Bill of Rights. http://en.people.cn/constitution/constitution.html

https://en.wikipedia.org/wiki/Mandate_of_Heaven. The idea hasn't changed much in two thousand years: the ruler that rules well is the ruler that deserves to govern. If the ruler rules badly enough, they'll be overthrown.

The "Duty" vs "Right" thing is ancient. You can see the earliest form of this "duties" concept underpinning the all the abrahamic religions, even in all salvation-oriented religions. You have a duty ultimately to the "godhead", from which all other duties derive.

The concept of universal rights was the refinement of this and only fully emerged during the enlightenment era in Europe. But it was there in a less explicit, more rudimentary form in classical Greece, too.

It's a choice, really. What kind of world do you want to live in? A world where we recognize basic human rights as x-y-z (from which we can determine what duties we have toward each other, for sure) Or a world that we left behind for very good reasons.

These are not the only two choices.

For example a Buddhist might argue that the fundamental concept is realizing that there is no difference between the concept of you, and myself, that we are all one thing, and from this determine that one should not inflict suffering on other sentient beings.

Uh, covered in salvation-oriented religions. Buddhism is just another one of those.

True. I do like aspects of the "duties > rights" mindset, though - it becomes clear that the person with a duty is responsible for the whole job, and not just the parts that line up with specific rights.

For example, in the U.S. there's a culture that if a government is not infringing on the rights of its citizens, it has done enough. For example, the secretary of state that runs my DMV does a good job of respecting the human rights of the disabled, and a good job of respecting the human rights of their employees, but I don't get the feeling they feel compelled to provide good service.

If they had a duty to be the best administrator of a DMV around, they would need to be focused on accessibility, their employees, and the level of service provided to their customers. An administrator who did not focus on providing great service could be chastised for that in a way I don't see happening (in my state, at least).


Duties precede rights. In the African savannah of 50,000 years ago, our obligations to each other saved us from extinction. As hunter gatherers in tiny bands of ten people, we had to do everything as one. There was only “we”, no “I”, unless you were the leader. You either went with the group or died.

A deeper article: http://bostonreview.net/books-ideas/samuel-moyn-rights-dutie...

China is hardly alone in not subscribing to these universal values, in fact plenty of Western countries that nominally do subscribe to these in fact when reviewing their actions do not. The CCP being that up-front about it is the strange thing.

I stopped subscribing to universal human rights, at least as defined by the UN, when the lobbyists got a hold of them and began adding things like IP protections as "human rights."

We now need DRM and can't have fair use because it violates the new human rights....

Even Western countries will disagree with what is a human right.

For example, universal healthcare.

I'm going to be downvoted but... Android has access to all my files and is installed on my phone even before I reach the USA. Since the US government seems to have close ties (1) with Google, this makes me a bit nervous as well.

So I'm not sure the chinese are more evil than our occidental countries...

Moreover, it seems that chinese authorities force people to install their software on the phones. But, last time I checked, I was forced to accept the EULA on my phone as soon as I turned it on (Nokia One for the record). I'm sure that I'm just as "forced" to install Android on my phone as I'm forced to install the chinese software : basically I can refuse, but it means that I have to throw the phone away...

Obviously I make a kind of caricature here, but my point is : whatever the way it is installed, the software on your phone is controlled by a powerful entity, controlled maybe by a powerful government which has, like most of them, some blood on its hands. There's nothing wrong with that, that's history; but we don't need to look to far away to see problems with privacy...

[1] https://wikileaks.org/google-is-not-what-it-seems/


In my book, both the USA/corporate style of surveillance and the Chinese way are bad and need to be defeated. Don't buy the rhetoric that you have to choose a side in a fight between these two bullies.

We can argue on the one that uses its surveillance for the worst, we can argue on the rights that users have to disassemble and protect their devices on either side. The point is that we need tool to protect our freedoms, because they are attacked by powerful actors, like China.

And indeed, being China's competitor does not automatically makes USA a champion of privacy and user rights.

>> And ?

There's no "and". According to what you wrote, we're thinking the same thing :-)

Except, Google is accountable to shareholders and US legal code. The US government has accountability through elections and the judicial system. What accountability does the Chinese government have?

A lot of good that accountability did Kim Dotcom, or the brown-skinned people being blown up by drones, or the hundred thousand civilians killed in Iraq after America brought about regime change. Over the past century America has interfered far more in other countries' affairs than China ever has. A cynical way of putting it: China's government oppresses its own people, America's government oppresses everybody but its own people. As someone neither American nor Chinese I feel China's far less likely to come along and bother me when I'm minding my own business than America is.

>As someone neither American nor Chinese I feel China's far less likely to come along and bother me when I'm minding my own business than America is.

I'd rather be "bothered" by the US than "bothered" by China because in the former you can at least make the case that they shouldn't be bothering you and expect it to be considered. Government as the sum of all the bits that make it up behaves like a power hungry sociopath. Given the choice I'll take the sociopath that at least nominally respects human rights.

People in Vietnam and other SE Asian countries might disagree with this wholeheartedly. They have certainly felt the oppression from China.

>As someone neither American nor Chinese I feel China's far less likely to come along and bother me when I'm minding my own business than America is.

Well no shit, only one of these two countries has had the capability to project power globally for six decades. To say China hasn't intervened in e.g. Ireland's affairs is to say pretty much nothing about its (un)desirability as a global leader.

Within each country's sphere of influence though, I don't agree with the above statement in any sense though. China is far more active/aggressive (and amoral) in the affairs of its people domestically and in its regional sphere of influence than the US generally is.

>China is far more active/aggressive (and amoral) in the affairs of its people domestically and in its regional sphere of influence than the US generally is.

That's the point; it's aggressive in the affairs of _its people_. That being said, I'd disagree that the US generally leaves countries in its sphere of influence alone: the war on drugs for instance resulted in a massive amount of violence and suffering in Mexico, America's southern neighbour. America installed Pinochet in Chile, and also created various other banana republics in South America (https://en.wikipedia.org/wiki/Banana_republic). America is one of the only countries in the world to tax its citizens regardless of whether they live, and imposes so much bureaucracy on dealing with them that there are even European banks that refuse to serve US customers: https://www.spiegel.de/international/business/reaction-to-us.... US intelligence agencies somehow convinced the New Zealand spy agency to illegally wiretap Kim Dotcom (NZ is a close US ally): https://www.telegraph.co.uk/technology/internet/9569986/Kim-.... The US embargoed Cuba for decades; China trades peacefully with Taiwan.

There's the question of culture. I'd be really happy to have an opinion about my country from a China inhabitant...

I should travel there once, just to see it for myself...

Very importantly an independent and strong judicial system.

Hard to say from an outside perspective. https://en.wikipedia.org/wiki/Elections_in_China

Certainly worth a read and would be very interesting to compare what we class as democracy and accountability country by country from a neutral perspective. Though I'm not aware of any such articles of comparison.

> What accountability does the Chinese government have?

Presumably, they need to answer to their president.

And their president answers to whom? Doesn’t Xi have a lifetime appointment?

> I'm going to be downvoted but...

From the Hacker News Guidelines:

> Please don't comment about the voting on comments. It never does any good, and it makes boring reading.

Please try to avoid sensationalist or dishonest language when commenting.

It's sometimes helpful, actually. Virtually any comment critical of Google gets downvote aggressively. I suspect that's a lot of Googlers reading Hacker News (who drank the coolaid) rather than an intentional astroturf campaign, but in either case, I've noticed a comment like that tends to help. It prevents the kneejerk "You criticised my employer/community/ego, so I'll downvote you" reaction, and sometimes leads to a bit more critical thought.

The phone situation is very unfortunate since there is basically no widespread phone operating system that isn't developed by a big corporation with possible ties to the US government.

I for one use an Android fork (LinageOS) and I trust the maintainers to remove any malicious features from stock Android but I can also never say for sure.

I don't quite see much difference between Chinese government surveillance and US corporate surveillance at this stage. The power structures are different, but the result is the same.

Google knows everywhere I am and reads all my email.

The difference is that Google can't throw you into a camp without trial for what they discover.

I'm guessing you're a Googler (or similar) who missed the point. Privacy has value even without the threat of being thrown into a camp, and mass surveillance is a human rights violation even without that. But just to get facts straight:

The US government can and does get data from Google through both instruments like national security letters and subpoenas. If it decides you're in need of prison:

* There may be a trial before one gets thrown into a prison camp. That's true. The Justice System is relatively fair to anyone who can afford to spend $300,000 on lawyers without worrying about the cost. That's the top-1-percenter population. If you're a Googler, you're probably at the lower-end of this.

* For most middle-class families, a criminal prosecution is guaranteed bankruptcy. Whether or not you defend yourself successfully depends on how quickly you run out of money.

* For most lower-class families, the outcome is usually a plea bargain, where you do get thrown into a prison without trial.

Before making comments like yours, you might want to read a book like "The New Jim Crow," and look up statistics on what your own power structures are doing (and specifically, both statistics on the number of people in prison and anecdotes for how they got there).

Google does not operate re-education camps which kill people now and then. Correct me if I am wrong. If I am, let's go liberate the people it's holding with the help of the US military.

You mean the one which (still) runs Gitmo?

Or perhaps we should get our law enforcement to help out. But then who would we have to do the very important work of putting kids in cages on the border?

I think you're making the mistake of viewing Google and the US military as autonomous entities. We have 7 billion people in the world. Organizational structures, whether governmental, corporate, or otherwise are abstractions generally designed to keep people happy, healthy, organized, and productive. Systems define how those abstractions interact.

Most bad systemic behaviors come from those interactions.

It makes sense to understand good and bad behavior on an individual level (e.g. an person who spends 3 years at Google and then moves on to Facebook for 6 months, finds it doesn't work out, and gets a job at Apple). It makes sense to understand how organizational structures interact to cause healthy behavior or oppressive behavior at an overall level. It usually makes very little sense to look at individual organizations without looking at the overall systems they operate in.

At this point, Google seems to do a lot of bad in the world. That's not a criticism of Google the organization. It legally can't do otherwise. The CEO of Google has a fiduciary duty to maximize shareholder value, while the regulatory regime makes the behavior it's engaging in do exactly that. The trick is to fix the ecosystem around Google so it can do good. That's actually a place where Googlers and similar could do a lot of good, if they can get past the ego issues which lead to defensiveness like from the post like yours.

Well didn’t I read somewhere that if I cross the US border I could be forced to allow a search of my electronics? Actually think I only need to be within 100miles of the border and they are allowed to do that in the name of security. My point is who cares that the Chinese are doing this when I can look to my neighbors to the south doing the exact same thing. Well I care but I am not about to look down on the Chinese because they do it too. So much “do as I say not as I do” with the US it’s rediculous.

>All extracted information is bundled as a ZIP file, without applying any protection like a password. The ZIP file is then sent via an HTTP POST request to This shows that not only no transport security (e.g. https://) is in place, but also that an internal IP address is used.

Unless they're expecting a MITM from the police network (or wherever they use this app) why is no https a problem?

>BXAQ uses the default icon for Android apps, which means there is no attempt at being covert or discreet about it.

...or maybe they didn't put an icon because it's optional and unnecessary for what essentially is an internal app.

I mean really they are not trying to be unbiased or anything about the analysis.

MITM? You don't need to MITM something that isn't even encrypted... anyone with a modicum of technical ability can use WireShark to grab these files if they're transmitted over public Wi-Fi. And probably cellular connections, too.

Exactly, sit outside the police station/wherever just nearby spin up wireshark in monitor mode and you have a stream of personal info on the owners of those scanned phones

But they aren't transmitted over public wifi. They are transmitted inside of some kind of private network, given that they are transmitted to a server in the 192.168/24 range

You can have servers with an IP in that range available on public WiFi, no problem at all. If the network is not public, whoever installs the app still needs to connect to it, so you can intercept any credentials they enter, or even run Wireshark on the device.

Someone could theoretically use a modified version of Android to capture the police wifi login even after they forget the network, and then use that to connect and log all captures in the future.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact