IYP

⚠️ The Chinese government forces the installation of a surveillance app

Last year, authorities told residents of a Muslim-populated part of China to install JingWang (净网), an app that scans for certain files. Now, researchers have found it transfers the collected data with no encryption.


The app is one more step in China's surveillance and repression of the Uyghurs.


The app was downloaded under government compulsion: last year the authorities sent Uyghurs a QR code via WeChat and required them to scan it to download JingWang. JingWang scans the device for specific stored files, including HTML, text and images, by comparing the phone's contents against a list of MD5 hashes.


According to the JingWang announcement reported by Mashable at the time, the app would "automatically detect terrorist and illegal religious videos, images, e-books and electronic documents" ... Users would be told to delete any offending content, under threat of up to 10 days' detention.


Exactly which files JingWang scans for is still unknown. OTF's public blog post shows a list of 47,000 hashes, or file fingerprints. The app also has a screenshot function that captures an image of the list of files it found.


According to OTF's report, JingWang also sends the device's phone number, device model, MAC address, unique IMEI number, and the metadata of any file on external storage that it deems "dangerous" to a remote server.


Researchers supported by OTF found that JingWang sends this data out without any encryption, in plaintext. Updates to the app are also not digitally signed, meaning anyone on the network path could substitute a different update without the device noticing.


"The app's technical insecurity not only leaves users open to being watched by the Chinese government, it also leaves them vulnerable to further attack by third parties. It shows that the official claim of protecting citizens' information is nonsense; the information is only used against them."


That an app built for broad surveillance of a population exists is not surprising; the larger problem is that the authorities forced residents to install surveillance software in the first place. Still, the app underscores the pervasive surveillance China has carried out for decades.


As we have always stressed: those in power are using technology against ordinary people, and only technology can counter technology. If ordinary people keep refusing to master technology, they are certain to lose.


The app extracts a phone's IMEI, MAC address, manufacturer, model, phone number, subscriber ID, and filenames with hashes for all files stored on the person's device.

These identifiers serve to easily identify and track any mobile device and its contents.


The app scans the device’s external storage for files looking for those it deems as “dangerous” by recording the name, path, size, MD5 hash of the file and comparing it to a list of file hashes received from the server. If a file is identified as “dangerous” it prompts the user to delete the file.

An MD5 hash is a fingerprint of a file's contents: every copy of the same file produces the same hash, so a match identifies that content wherever it is stored on the device.


The app specifies the file types it looks for, primarily audio, video, photos and HTML. It then sends all the filenames with hashes back to the server: not just what may have been identified as dangerous, but hashes for every single file of those types on a person's device.

Any user with this app installed will have the name and hash of every file stored on their device sent to an unknown entity for monitoring.
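The scan loop the passages above describe (walk external storage, record name, path, size and MD5 of each file of a scanned type, compare against a server-supplied hash list, and report every file's hash whether it matched or not) is simple to reconstruct. The Python below is an added example written for this page, not JingWang's code or OTF's: the file-type set, the sample files and the blocklist are constructed, and a temporary directory stands in for the phone's external storage.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass

# File types the scanner looks at, mirroring the categories the text names
# (audio, video, photos, HTML) plus text. The exact set is an assumption.
SCANNED_EXTENSIONS = {".mp3", ".mp4", ".jpg", ".png", ".html", ".htm", ".txt"}


@dataclass
class FileRecord:
    name: str
    path: str
    size: int
    md5: str
    dangerous: bool


def md5_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Hex MD5 of a file's contents, read in chunks so large media files fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_storage(root: str, blocklist: set) -> list:
    """Walk `root` (standing in for the phone's external storage), hash every file
    of a scanned type and flag those whose MD5 is on the server-supplied list.
    Every scanned file is recorded, matched or not, as the text describes."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in SCANNED_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            digest = md5_of_file(path)
            records.append(FileRecord(name, path, os.path.getsize(path),
                                      digest, digest in blocklist))
    return records


def build_report(records: list) -> list:
    """The payload that leaves the device: name, size and hash of every scanned
    file, not only the flagged ones."""
    return [{"name": r.name, "size": r.size, "md5": r.md5} for r in records]


def scan_demo():
    """Constructed sample storage: four files, one on the blocklist, one of a
    type the scanner ignores. Returns (flagged names, reported names)."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0 not really a jpeg",
        "keys.db": b"ignored: not a scanned type",
        "lecture.mp4": b"\x00\x00\x00\x18ftypmp42 sample",
        "notes.txt": b"grocery list",
    }
    # Blocklist constructed for the example: only lecture.mp4's hash is on it.
    blocklist = {hashlib.md5(samples["lecture.mp4"]).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        records = scan_storage(root, blocklist)
    flagged = [r.name for r in records if r.dangerous]
    reported = [entry["name"] for entry in build_report(records)]
    return flagged, reported


if __name__ == "__main__":
    print(scan_demo())
```

Only the `dangerous` flag depends on the blocklist; `build_report` shows that the name and hash of every scanned file leave the device regardless. Matching is exact, so a file that differs from a listed one by a single byte has a different MD5 and is not flagged, while an unmodified copy is flagged wherever it sits on the storage.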


Lastly, nothing is transmitted from the individual's device to the receiving server over HTTPS; everything goes in plaintext over HTTP, and updates are unsigned.

This means all the data the app collects reaches the unknown entity on the receiving end in a way that lets anyone on the network path with a trivial amount of technical knowledge intercept it and potentially manipulate it, and an unsigned update can likewise be replaced in transit.
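To make that last point concrete: with plain HTTP an on-path observer reads the identifiers straight out of the request body, and because the hash list is not authenticated either, the same party can rewrite it so that a benign file is flagged as "dangerous". The Python below is an added example, not code from JingWang or OTF. The request shape, endpoint, field names, IMEI and hashes are all constructed, and HMAC-SHA256 with a constructed key stands in for the asymmetric signature (checked against a public key pinned in the app) that a real list or update should carry, because that is the only integrity primitive in the standard library.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed capture of a report in the shape the text describes (device
# identifiers plus a hash for every file), sent over plain HTTP. The endpoint,
# field names, IMEI and hashes are all made up for this example.
CAPTURED_REQUEST = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: report.example.invalid\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    + json.dumps({
        "imei": "490154203237518",
        "mac": "02:00:00:00:00:01",
        "phone": "+86-131-0000-0000",
        "files": [
            {"name": "holiday.jpg", "md5": "6cd3556deb0da54bca060b4c39479839"},
            {"name": "lecture.mp4", "md5": "9e107d9d372bb6826bd81d3542a419d6"},
        ],
    }).encode()
)


def read_plaintext_request(raw: bytes) -> dict:
    """What any on-path observer gets from an HTTP (not HTTPS) request: the body as-is."""
    _, _, body = raw.partition(b"\r\n\r\n")
    return json.loads(body)


def client_flags(report: dict, blocklist: list) -> list:
    """Client-side matching: names of files whose hash is on the server's list."""
    return [f["name"] for f in report["files"] if f["md5"] in blocklist]


def on_path_tamper(server_response: bytes, extra_hash: str) -> bytes:
    """An attacker between phone and server appends a hash to the unauthenticated list."""
    hashes = json.loads(server_response)
    hashes.append(extra_hash)
    return json.dumps(hashes).encode()


# Stand-in integrity check. A real deployment would sign lists and updates with
# a private key and pin the matching public key in the app; HMAC-SHA256 with a
# constructed key is used here only because it is in the standard library.
SIGNING_KEY = b"example-key-not-a-real-secret"


def sign(payload: bytes) -> str:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def accept_if_signed(payload: bytes, tag: str) -> Optional[list]:
    """Return the list only if the tag verifies (constant-time compare), else None."""
    if not hmac.compare_digest(sign(payload), tag):
        return None
    return json.loads(payload)


def intercept_demo():
    """Returns (leaked identifiers, names flagged with an unauthenticated list,
    whether the tampered list was rejected when signed, names flagged with the
    genuine signed list)."""
    report = read_plaintext_request(CAPTURED_REQUEST)
    leaked = (report["imei"], report["phone"])

    server_list = json.dumps(["9e107d9d372bb6826bd81d3542a419d6"]).encode()
    tag = sign(server_list)

    # Unauthenticated path: the tampered list makes holiday.jpg "dangerous".
    tampered = on_path_tamper(server_list, report["files"][0]["md5"])
    flagged_unauth = client_flags(report, json.loads(tampered))

    # Authenticated path: the tampered list fails verification; the genuine one passes.
    rejected = accept_if_signed(tampered, tag) is None
    flagged_auth = client_flags(report, accept_if_signed(server_list, tag))
    return leaked, flagged_unauth, rejected, flagged_auth


if __name__ == "__main__":
    print(intercept_demo())
```

The unauthenticated path is the one the report describes: the phone accepts whatever list arrives, so a tampered list turns a holiday photo into a file the user is ordered to delete. Transport encryption (HTTPS with certificate validation) would stop the passive read; only a signature the app verifies against a pinned key stops the substitution of lists and updates.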
