Hacker News new | past | comments | ask | show | jobs | submit login
Line app allowed Chinese firm to access personal user data (therecord.media)
100 points by walterbell on March 17, 2021 | hide | past | favorite | 32 comments



I purchased an Alcatel smartphone several years back and about a week after the device received a firmware update I started getting weird pop-ups with fake virus warnings that led to some bogus cleaner app on the Play Store.

I started examining the apps on my phone and saw that all the preinstalled system apps had been modified to siphon off social media data to Chinese servers.

I collected as much information as I could to report the manufacturer to the Facebook.

Several months later the New York Times reported that Facebook had been allowing cellphone manufacturers (including Alcatel) to access users social media data regardless of what privacy settings the user had set because FB considered them “Trusted partners”

Alcatel has been found to have placed backdoors with root access and hard coded credentials in TCL branded televisions and their smartphones have been reported for DNS rebinding attacks to TCL clouds and also having packet sniffers in their low-end smartphones.


This is where the Android security model really falls apart: The assumption that the ROM publisher/device manufacturer is trustworthy (or even just not pathologically hostile) is often false and the immutable OS means even technical users struggle to remove malware.

IMO: this sort of stuff means the pinephone actually has a better UX than the cheaper android phones despite calls and SMS often not working because the basic "computer with cellular data" works exactly the way you would expect.


This doesn't apply to the Pixel phones. If one wants not too expensive, Pixel 4a seems good.


There's a reason why iPhones are so popular.

Hint: it's not marketing.


iPhones are popular because of a monolithic product that doesnt try and depart from the core brand and feel of the OS with manufacturer quirks (ie. Why Samsung and Huawei feel so different). Their marketing is very much the reason:

iPhones are pitched and priced to appeal to the highest social status possible, the rest bleeds down from there.

The percentage of people who buy iPhones specifically because of debated security benefits is substantially smaller. People who may have heard this but dont know/understand it will find it simply reinforces their existing preference for an iPhone on the earlier grounds.


no it's marketing


> Most of Line’s 86 million userbase is made up of Japanese users

The app is also ubiquitous in Taiwan and Thailand from my personal experience. It's very bad news for Taiwan if the PRoC has been snooping on its citizens.


It's very bad news for LINE if the Taiwanese people view it as a tool for the PRC...


Sigh. This is all not surprising at all, and I'm certain that the government officials and the company high-ups are helpless. There's a great division between the geeks and suits in Japan (this division certainly exists in the US but it's much bigger here). Experts are proud of not stepping into other fields (that'd be insolent), and managements tend to boast not knowing the technical details (too mundane to them). There were a few notable high-stake failures in the past weeks (including nationwide ATM glitch and COVID tracking app bugs), and I'd bet there will be a few more to be revealed. Sadly Japan is such a backward nation now.


We use LINE here in Thailand for business and personal - more than any other chat app. If you don't have LINE, you really can't communicate very well in Thailand.

But their technology sucks.

They don't have typing indicators. Vietnam, Japan, Thailand are separate fiefdoms, there are certain things you can't do across countries.

To open a business account you have to pay a secondary firm in Thailand who barely has anything to do with LINE.

The whole UI is super-clunky and has many bugs.

We get the feeling that they do not really care about the product itself. They keep adding lots of features for business that don't really work.

But everyone here uses it, so you really have to get on board.


I recall LINE having indicators similar to WhatsApp for conversations stating that they were end-to-end encrypted - was that all a complete lie? Or are there side-channels enough that it's technically true but practically meaningless?

Also, for anyone who doesn't know, LINE is ubiquitous in East Asia and parts of South East Asia. In Japan and Korea, everyone and their grandmother are there. Not being on LINE here is "worse" than not being on FB in the west.


According to the other story on the front page earlier today about this, the messages are encrypted but the firm had access to user information - name, email phone number. That kind of stuff.

https://news.ycombinator.com/item?id=26488445

On a different note: Has KakaoTalk gone out of fashion in korea? I thought line was mostly Japan and Taiwan and korea was KakaoTalk, China WeChat and everywhere else WhatsApp.

But I have noticed line appearing in some never kdramas.


LINE has never had any significant market share in Korea, it's 100% Kakaotalk. LINE does have a large amount of development going on in Korea, however.


That's interesting. I recently noticed LINE showing up in a number of Korean shows on Netflix and I wondered how popular it was over there.


I wonder if it's actually an indication of how unknown it is. Korean media is usually very precise with showing brands - if you can see a logo it's almost definitely product placement. Using a relatively unknown app allows them to avoid showing something recognizable.

This is just an idea though, I have no real basis for the claim. I have noticed the same thing, though.


They prominently displayed the line characters, Brown and Cony in a message chat between the two main characters in 2015s "Hyde Jekyll Me" on Netflix.

I doubt you'd do that as a mean to show a generic chat. I think that is more of an attempt to make inroads in Korea (or perhaps pandering to viewers outside Korea)


It's a couple of years since I spent extended time there, but if there's anything I know it's that Koreans move fast, so I wouldn't be surprised if I'm slightly off there.

It's absolutely the case in Japan, though.

LINE is bigger than WhatsApp in Taiwan and I think Thailand, though.


I’ve never met anyone in Thailand or Taiwan who don’t use LINE.

It’s also my primary messaging app. What’s App is only used for business stuff in Singapore.


I recall LINE having indicators similar to WhatsApp for conversations stating that they were end-to-end encrypted - was that all a complete lie? Or are there side-channels enough that it's technically true but practically meaningless?

The metadata - who talks to who and when - in many cases is more valuable to an adversary than the actual content of the messages. All the crypto in the world doesn't help once the identity of one person you associate with becomes "of interest" you are of interest too and old-fashioned methods can be used.


Messages are E2E encrypted by default. When a user reported abuse, messages are sent to LINE corp without E2E encryption so their employee or contracted company can read only reported message


End-to-end encryption doesn't matter, if the app itself is backdoored.


icons!


IMO it’s increasingly obvious that regardless of how a company is structured, tech companies situated in a nation are inescapably related to geopolitical security matters.

They are all easy targets for intel and manipulation, and any nation that cannot manage its own tech faces uncomfortable strategic vulnerability.


There are zero (0) secure chat apps that are centralized. Use jabber with OMEMO or delta chat if you really need an IM style UI.


Isn't Signal both secure and centralized?


They can easily force updates that exfiltrate keys. You have no choice but to use a recent version of the only client and you have no good way of verifying that the it was built from what's on github.


If you want to trust that go ahead. There's been quite a few changes within the past year and a half that lead people to believe otherwise. All their servers are also US based. Remember Lavabit?


How is this possible? Aren't app stores supposed to protect us from this?


I have been using Line app for the last few weeks and I am not surprised. Line itself sends me a ton of spam per day and you aren’t allowed to delete message once sent. The general feel I get is that they aren’t too focused on security or code quality. I am pretty sure none of the text messages are encrypted and any employee can browse at anytime.


[flagged]


I just assume every thing from a big tech company is spyware, data is way to valuable.


Grab a random Chinese app, do a tiny bit of static analysis, and you will see that is quite justified...


they definitely need team, azure, github, windows server and office 365/decade




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: