Seriously Risky Business Newsletter
May 15, 2025
Chinese Mobile App Encryption is Suspiciously Awful
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Corelight.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

A new paper, from researchers at Princeton and The Citizen Lab, has found that apps from Xiaomi's Mi Store, which services mainland China, are an encryption horror show. Compared to apps found in Google's Play Store, Mi Store apps send significantly more unencrypted traffic. And the encrypted traffic they do send is typically vulnerable to decryption by eavesdroppers.
The researchers examined the top 1,699 apps from the Google Play Store and the Mi Store (more than 800 from each store) and ran them through a measurement pipeline they called WireWatch. The researchers developed WireWatch to automatically identify non-standard encryption.
It found that nearly half of the top Mi Store apps used proprietary encryption. Only 3.51% of the top Google Play Store apps do the same. The authors then reverse-engineered the nine most popular cryptosystems identified by WireWatch. They found that eight of them sent network traffic that was vulnerable to decryption by adversaries.
These eight systems suffered from a variety of faults including using hard-coded symmetric keys whereby anyone with the key can decrypt any communication; flaws in key generation that allow them to be brute-forced; and the use of vulnerable implementations of standard encryption algorithms. Almost half the apps did not properly validate TLS certificates, making them vulnerable to man-in-the-middle attacks.
The data that could potentially be exposed varied per cryptosystem and included device and network metadata and browsing data. All good stuff if you are looking to surveil a population.
Interestingly, the more popular an app is in the Mi Store, the more likely it is to use one of these vulnerable proprietary cryptosystems. Curious!
One thing the paper doesn’t address is how an entire ecosystem with poor encryption practices arises in the first place. Is it occurring just because the Mi Store does not actively enforce stricter standards compliance? Do Chinese companies just have a predilection for developing their own cryptosystems? Does the Chinese government not trust overseas encryption standards? Or is there a government directive we are not aware of that encourages insecure practices as a surveillance enabler?
We've seen examinations of individual Chinese apps before, but this big picture analysis of hundreds of apps at once raises some interesting questions.
Whether it's insecurity by design or not, the average Chinese netizen is worse off because of it. But perhaps that's just the way the Chinese government likes it.
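A defender's triage step in the spirit of WireWatch, added here as an example and not taken from the paper or its tooling: sort captured app flows by their first bytes into plaintext, standard TLS, and opaque non-TLS traffic, the last being the bucket that deserves reverse-engineering for a proprietary cryptosystem. The payloads are constructed, and the thresholds are assumptions chosen for this example rather than values from the paper.

```python
import math

# Constructed sample payloads standing in for the first bytes of three app
# flows. None of this is real Mi Store or Play Store traffic.
SAMPLES = {
    "plaintext_http": b"GET /api/v1/device?imei=123456789012345 HTTP/1.1\r\n"
                      b"Host: example.invalid\r\n\r\n",
    # A TLS record header (type 0x16 = handshake, version 3.1) followed by
    # filler bytes standing in for the ClientHello body.
    "tls_client_hello": bytes([0x16, 0x03, 0x01, 0x00, 0x40]) + bytes(range(64)),
    # An opaque blob containing every byte value once: maximal entropy, no TLS framing.
    "proprietary_blob": bytes((i * 167 + 43) % 256 for i in range(256)),
}

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) of the given payload."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_flow(payload: bytes) -> str:
    """Return 'tls', 'plaintext', 'opaque-non-tls' or 'unknown'.

    The 0.9 printable share and 7.0 bits/byte cut-offs are assumptions made
    for this example; high entropy without TLS framing can also be compression,
    so the verdict is a lead for analysis, not proof of custom encryption.
    """
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"                # standard TLS record framing
    if sum(b in PRINTABLE for b in payload) / max(len(payload), 1) > 0.9:
        return "plaintext"          # unencrypted application data
    if shannon_entropy(payload) > 7.0:
        return "opaque-non-tls"     # encrypted or compressed outside TLS: review it
    return "unknown"


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18s} entropy={shannon_entropy(payload):.2f} -> {classify_flow(payload)}")
```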
Congress Should Bring Back the CSRB
The Trump administration does not yet have any plans to recreate the Cyber Safety Review Board (CSRB). It's a shame, because although the board's structure wasn't perfect, its work was important and necessary. It should be reformed, not dumped.
The CSRB was set up under the Biden administration to review significant cyber incidents. Its work addressed significant security problems and drove real improvements. The Trump administration disbanded the CSRB in January.
Speaking at the RSA conference earlier this month, Alexei Bulazel, the National Security Council's Senior Director for Cyber, said the CSRB was "an interesting initiative" but passed the buck on deciding the board's future to the next CISA Director. Sean Plankey's nomination for the position is currently held up in the Senate.
Bulazel raised two specific issues with the board's functioning: that incidents are usually deliberate attacks, and that conflicts of interest are difficult to manage.
On the deliberate nature of cyber incidents, he noted that while the CSRB was modelled on the National Transportation Safety Board (the NTSB, which investigates civil aviation accidents), cyber incidents have "a very different dynamic" to plane crashes.
With aviation accidents, he said the root cause was often mechanical in nature. For example: "The screw was loose on the wing and the screw came off and the wing started wiggling".
"And then it's the laws of physics… and we can take lessons for future aeronautical engineering, for future safety protocols…"
By contrast, he says, cyber incidents are often the result of malicious action from "an adversary country or a hacker or criminal gang".
Nonetheless, Heather Adkins, Vice President of Security Engineering at Google and the former deputy chair of the CSRB maintains that CSRB-style reviews are still worthwhile.
Writing on X, she said "while on CSRB I pushed hard for us to look at the things that would eliminate classes of problems". She cited infostealers and backdoors in open source software as examples where "a CSRB should approach the software and hardware engineering problem with the diligence NTSB has tackled window shapes and material science". Infostealers are a type of malware that steal information like passwords to facilitate illegitimate access to accounts.
Adkins told Seriously Risky Business there were a range of approaches that would help mitigate that particular problem. She cited security keys and passkeys, binding session cookies to clients so they can't be stolen and used elsewhere, and also more robust isolation in operating systems to stop non-browser processes from stealing authentication cookies.
To us, this doesn't sound all that different to recommending design improvements to the bolts that caused the wiggly wings.
Because implementing these solutions isn't necessarily straightforward or easy, Adkins thinks official reviews are important because they "carry a lot of weight". A formal government report saying "do this thing" can encourage organisations to actually do that thing.
See, for example, Microsoft's Secure Future Initiative, which was given a firm boost after the CSRB lashed the company for a "cascade of security failures".
One former CSRB member, and friend of Risky Business, Dmitri Alperovitch also shared his views on the defunct board in a keynote at RSA. He described it as an "interesting experiment… [and] we've learned a lot". But its members were squeezing their CSRB work around their full-time jobs, making it unsustainable.
The fact that those full-time roles were a mix of government cyber leads including from CISA, FBI, NSA as well as private sector luminaries from Google and Microsoft leads us to Bulazel's second concern: conflict of interest. But Alperovitch and Adkins believe the expertise required means these conflicts are inevitable.
The government members were necessary, Adkins said, because they understood government processes and "the various ways to turn the levers of law enforcement, public policy, legislation, and the voice of the government". Alperovitch told Seriously Risky Business that government members also ensured the CSRB received "unbelievable cooperation" from intelligence agencies during its reviews into Log4J and Lapsus$.
The private sector members are also necessary. They bring technical expertise, make sure that the right questions are asked and know what is practical for industry to achieve.
Conflicts of interest were not limited to either private or public sector board members. Each group had roughly equal numbers of recusals over the lifetime of the CSRB.
Alperovitch told us the Biden-era CSRB "succeeded in spite of how we were formed". The board was essentially an NTSB-lite because it was created by executive order. He'd like to see a future iteration of the CSRB that more closely resembles the NTSB. This would mean making it an independent organisation separate from CISA and Homeland Security, with the power to compel testimony and a Senate-confirmed Commissioner as its head.
Alperovitch said the CSRB's investigation into the Salt Typhoon Chinese espionage campaign that has compromised US telecommunications companies was hampered because the board was part of CISA and did not have subpoena power. Some victim telcos told CISA they were unwilling to share information about the compromises and their remediation steps with it because of the CSRB investigation.
A fully independent, more empowered CSRB would require legislation, so the ball's in Congress's court. They should grab it and run with it.
In this special edition of the Seriously Risky Business podcast Patrick Gray speaks with former NSA Cybersecurity Director Rob Joyce and former director of the CIA's Center for Cyber Intelligence Andy Boyd.
They talk about what offensive cyber could look like under Trump 2.0, and the shake-up the intelligence community is going through under various White House initiatives.
Three Reasons to Be Cheerful This Week:
- Ransomware actors are suffering: Ransomware incident response firm Coveware's latest quarterly report says the ecosystem is "fractured and uncertain". It says that there are several factors contributing to this. These include an increasing risk of financial sanctions, law enforcement agencies effectively unmasking previously anonymous criminals, and the disruption of services that ransomware actors need, such as bulletproof hosting and money laundering. Bad news for ransomware is good news in our books.
- EU launches the European Vulnerability Database: ENISA, the European Union's cyber security agency, has launched its own vulnerability database. In isolation, we are not convinced yet another vulnerability database is a good thing, but for Europe, given recent funding issues at the US's CVE program, having sovereign capability is. Risky Bulletin and Dark Reading have further complementary coverage.
- Advanced Protection for Android: Google has officially announced that its Advanced Protection Program is coming to Android 16. One of the features is 'Intrusion Logging', which the company says "backs up device logs in a privacy-preserving and tamper-resistant way, accessible only to the user. These logs enable a forensic analysis if a device compromise is ever suspected."
Sponsor Section
In this Risky Bulletin sponsor interview, James Pope, Director of Technical Enablement, talks to Tom Uren about his experience running networks and security centers at Black Hat conferences around the world. Pope talks about the challenges of running a SOC at a hacker conference, how conference networks around the world have a different character and talks about all the weird and wonderful security snafus he has found.
Volt Typhoon, a Chinese APT targeting critical infrastructure, is exploiting unmanaged appliances and evading EDR. Learn how the best defense against this and other advanced attacks is your network. Learn more.
https://corelight.com/cp/volt-typhoon
Shorts
ZOMG MSTIC!
Bloomberg has an interesting, albeit a little bit breathless, profile of MSTIC, the Microsoft Threat Intelligence Center.
It credits the outfit with the initial detection of Chinese state-backed hackers Volt Typhoon (which it found near telecommunications infrastructure and US naval bases in Guam) and the first detection of Salt Typhoon within US telecommunications infrastructure.
Microsoft has visibility that, for good reasons, the US government doesn't have, so it makes sense that it occasionally collaborates with them. Per Bloomberg:
Over the past decade, Microsoft has built MSTIC into a cornerstone of America’s cyber defenses, working closely with the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and other departments to help ferret out state-backed hackers bent on espionage or disrupting government and corporate networks.
Despite it being a "cornerstone", Bloomberg also says it is a "somewhat ad hoc structure, assembled by people with sometimes diverging interests, [and] relies heavily on personal relationships that require constant maintenance".
The author wonders whether this cooperation will continue under the Trump administration after layoffs and the downsizing of CISA. Our bet is yes. Microsoft's visibility fills a gap that US cyber security agencies will always have.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq examine whether the US should steal intellectual property from Chinese companies.
Or watch it on YouTube!
From Risky Bulletin:
Kaleidoscope ad fraud network infects 2.5mil new devices each month: Security researchers have discovered a new ad fraud operation named Kaleidoscope that uses the "evil twin app" technique to disguise the origin of its ad impressions.
The botnet consists of clean apps uploaded to the official Play Store and doppelgangers distributed through third-party stores.
These clones are the heart of the botnet and use a malicious advertising SDK to bombard users with unwanted and unskippable ads.
Both the legitimate apps and their rogue clones use the same advertising IDs as a way to disguise the origin of the ad impressions and generate revenue through behavior that isn't tolerated by the ad industry.
Researchers at Integral Ad Science (IAS) have linked the Kaleidoscope botnet to 130 app IDs, which are bringing in around 2.5 million installs every new month.
[more on Risky Bulletin]
France says Russian influence operations are getting better, achieving results: VIGINUM, the French government's agency that hunts down and exposes foreign disinformation networks, says that Russian influence operations have now reached a mature level and are often achieving notable results.
The agency published a report this week on Storm-1516, what appears to be one of the Russian government's most sprawling and active disinformation clusters.
Unlike many previous disinformation reports that tend to play down the effectiveness of such operations, VIGINUM doesn't mince words and describes Storm-1516's efforts as successful and "a significant threat to French and European public debate."
[more on Risky Bulletin]
Nissan LEAF hacking: Security researchers from Hungarian security firm PCAutomotive have discovered eight vulnerabilities in Nissan LEAF car models. The bugs allow control over the car's telematic unit, the infotainment systems, and even its most sensitive component, the CAN bus. An attacker could track and geolocate vehicles and record conversations inside the car. They could also control core vehicle features, such as opening doors, starting wipers, and even turning the wheel while the car is in motion. [Additional coverage in Electrek]