Can You Trust A Chinese-Made Android Phone?
We know that Chinese apps like WeChat are notorious for extensively carrying out censorship and surveillance on users.1 We’ve also heard increasing reports that Tibetans in Tibet are made to install surveillance apps on their phones2. But what about the Chinese-made mobile devices that Tibetans in Tibet, and increasingly people around the world, are using? What risks do they pose to users? Popular Chinese-made Android devices include Vivo, Redmi, Oppo and others.
First off, TibCERT advises against using Chinese-made Android devices whenever possible. There is a lot we still don’t know about these phones, and the more unknown variables there are in a piece of technology, the less confident we can be about its security. There is a distinct lack of research on Chinese-made Android phones even though they make up over 60% of the market share in India3 and almost 50% of the global4 mobile market.
For Tibetans in Tibet, Chinese-made Android devices are a reality: many Tibetans use them. Elsewhere, these phones are dominating the market because they are relatively inexpensive compared, for example, to an iPhone or a Google Pixel. As a community on the frontlines of mobile attacks, it is critical that Tibetans understand the potential risks and vulnerabilities of using these devices. This knowledge will help us better mitigate mobile risks.
To carry out our research, the TibCERT team conducted tests on Vivo, Redmi and Oppo devices. Additionally, we ran initial tests on the popular Chinese app stores frequently used to download apps on these phones. Our key findings are outlined below. We have also compiled five tips based on these findings to help mitigate the potential risks. In fact, these tips are useful for all Android phone users!
What We Learned
Chinese-made Android phones come with built-in browsers that don’t support the full functionality of Progressive Web Apps (PWAs).
What’s a PWA? PWAs are web-based applications designed to replicate the functionality of regular apps inside a web browser. A common example is using https://app.starbucks.com/ to order your coffee instead of downloading the Starbucks Android or iOS app on your phone. This is a simple PWA. A fully functional PWA goes further: it depends on browser features such as service workers and the Web Crypto API, which let it work offline and implement features like end-to-end encryption, so that secure access and communication are possible from the browser alone.
None of the phones we tested (Vivo, Oppo and Redmi) support fully functional PWAs in their built-in browsers. Users of these phones should install a browser that does, such as Google Chrome, Firefox or Brave (Safari supports PWAs as well, but it is only available on Apple devices), in order to take advantage of privacy- and security-enhancing PWAs.
Chinese-made Android phones include built-in browsers that leak sensitive data, have poor encryption, and give risky permissions to third parties.
We collaborated with researchers at Arizona State University to reverse engineer several browsers that ship on these phones, including UC Browser, Baidu Searchbox, OPPO Browser, Redmi Browser and VIVO Browser. This research revealed sensitive data leaks, insufficient encryption, and risky permissions granted to third-party software development kits (SDKs) embedded in the browsers. If you use these browsers, even in incognito mode, you are potentially sharing your browsing history, personally identifiable information and geolocation data (incognito mode only stops the browser from keeping local history; it does nothing about what the browser itself transmits). In short, they are a significant privacy risk. Bottom line: users should make an informed choice about which browser they use on a Chinese-made Android phone, and should not trust the default browser.
Oppo and Redmi Android phones have bundled apps with suspicious permissions
Bundled apps are apps that come pre-installed on a phone. We tested these apps and found that both Oppo and Redmi phones had bundled apps that were flagged as suspicious.
To better understand bundled app behavior, we looked carefully at what permissions these apps hold for accessing other data on the device. The results varied. The calculator app on the Vivo phone, for example, did not request any suspicious permissions. On the Redmi phone, however, the same kind of app requested access to location data, and on the OPPO phone the calculator app requested several permissions related to SMS, the lock screen, sending MMS messages, and creating home screen shortcuts. While this does not necessarily mean the app is malicious, it raises concerns about misuse of permissions. This finding also highlights how permissions vary across Chinese-made Android phones.
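The check above can be repeated on your own phone from a computer with adb. The script below is an added example written for this article, not TibCERT’s own tooling: it parses the output of `adb shell dumpsys package`, lists the dangerous permissions each package requests and which of them are already granted, and flags any that you have not accepted as plausible for that app. The package names, the sample dumpsys text and the `EXPECTED` table are constructed for illustration, and `DANGEROUS` is a hand-picked subset of Android’s dangerous-protection-level permissions rather than an exhaustive list.

```python
"""Audit bundled apps' permissions from `adb shell dumpsys package` output.

Added example, not TibCERT's tooling. Package names, the sample dumpsys text
and EXPECTED are constructed for illustration; DANGEROUS is a hand-picked
subset of Android's dangerous-protection-level permissions.
"""
import re
from typing import Dict, List, Set

DANGEROUS: Set[str] = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# "  Package [com.example.app] (hash):" opens each package's block in dumpsys.
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
# Permission lines look like "android.permission.X" (requested) or
# "android.permission.X: granted=true, flags=[ ... ]" (install/runtime).
PERM_RE = re.compile(r"^\s*([A-Za-z][\w.]*)(?::\s*granted=(true|false))?")
SECTION_HEADERS = ("requested permissions:", "install permissions:", "runtime permissions:")


def parse_dumpsys_package(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map package name -> {"requested": [...], "granted": [...]}.

    Sections end by indentation: a line indented no deeper than the section
    header (e.g. "User 0: ...") closes the current permission section.
    """
    pkgs: Dict[str, Dict[str, List[str]]] = {}
    current = None
    section = None  # "requested" or "granted"
    section_indent = -1
    for line in text.splitlines():
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        pkg_match = PKG_RE.match(line)
        if pkg_match:
            current = pkg_match.group(1)
            pkgs[current] = {"requested": [], "granted": []}
            section = None
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped in SECTION_HEADERS:
            section = "requested" if stripped.startswith("requested") else "granted"
            section_indent = indent
            continue
        if section and indent > section_indent:
            perm_match = PERM_RE.match(line)
            if perm_match:
                perm, granted = perm_match.groups()
                if section == "requested":
                    pkgs[current]["requested"].append(perm)
                elif granted == "true":
                    pkgs[current]["granted"].append(perm)
            continue
        section = None
    return pkgs


def flag_suspicious(pkgs: Dict[str, Dict[str, List[str]]],
                    expected: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Dangerous permissions a package requests beyond what you accept for it."""
    findings: Dict[str, List[str]] = {}
    for pkg, info in pkgs.items():
        allowed = expected.get(pkg, set())
        unexpected = sorted(p for p in info["requested"] if p in DANGEROUS and p not in allowed)
        if unexpected:
            findings[pkg] = unexpected
    return findings


def disable_commands(findings: Dict[str, List[str]], user: int = 0) -> List[str]:
    """adb commands that disable flagged packages for one user; no root needed."""
    return [f"adb shell pm disable-user --user {user} {pkg}" for pkg in sorted(findings)]


# Constructed sample: a calculator that wants location and SMS, and a camera app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.calculator] (7f3a1b):
    userId=10045
    codePath=/system/app/Calculator
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_SMS
      android.permission.SEND_SMS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=false, flags=[ ]
  Package [com.example.camera] (9c0d2e):
    userId=10046
    codePath=/system/app/Camera
    requested permissions:
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
    User 0: ceDataInode=1235 installed=true hidden=false suspended=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

# Hypothetical acceptance table: a camera may geotag photos; a calculator needs nothing.
EXPECTED: Dict[str, Set[str]] = {
    "com.example.calculator": set(),
    "com.example.camera": {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
                           "android.permission.ACCESS_FINE_LOCATION"},
}

if __name__ == "__main__":
    import sys
    # Real use: adb shell dumpsys package | python3 audit_bundled_apps.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMPSYS
    report = flag_suspicious(parse_dumpsys_package(text), EXPECTED)
    for pkg, perms in report.items():
        print(f"{pkg}: {', '.join(perms)}")
    for cmd in disable_commands(report):
        print(cmd)
```

On a real phone, `adb shell pm list packages -s` lists the system (bundled) packages, and `adb shell dumpsys package` without arguments dumps all of them in the format parsed above. Treat the output as a list of candidates to review, not an automatic verdict: a permission is suspicious relative to what the app is for, which is why the acceptance table is per package. `pm disable-user --user 0` hides the app for the main user without root and can be undone with `pm enable`.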
Chinese Android App Stores have a limited selection of secure communication apps
We tested 18 common Chinese Android app stores for the availability of a trusted list of secure apps, identified by our organization as essential for enhancing users’ security and enabling secure communication. This trusted list includes apps that give users improved digital safety and privacy tools. We found that only one app from the list was available at all, and only in two of the 18 stores. In one store the app was legitimate; in the second store it turned out to be a fake that, once downloaded, installed two other apps on the phone instead. This highlights the risk of malicious activity in which a secure app is re-packaged and distributed through unofficial channels, exploiting the lack of transparency and clear disclosure policies in these stores.
Based on our findings we have the following tips for users of Chinese-made Android phones:
5 Important TIPS:
- Avoid the default browsers: UC Browser, Baidu Searchbox, OPPO Browser, Redmi Browser and VIVO Browser contain vulnerabilities which could severely compromise your privacy. Their weak transport-layer security also lets network operators track your activity. Use Google Chrome, Firefox or Brave instead (Safari is an option only on Apple devices).
- Use browsers that are security enhancing: Google Chrome, Firefox and Brave (and Safari on Apple devices) support the full functionality of progressive web applications (PWAs), which let you use secure apps directly in the browser with no download from an app store needed. This means you can use these apps even where Google Play is blocked (as it is in China) and the Chinese app stores do not carry them.
- Check your phone’s built-in apps: if possible, disable or uninstall apps that come pre-installed on Chinese-made Android phones but are not critical for using the phone (e.g. the built-in calculator app). These ‘bundled’ apps carry security risks, and some request permissions that could reveal your data to unwanted parties (e.g. the phone manufacturer).
- Use NetGuard for protection: certain bundled apps cannot be uninstalled (see the previous tip), but you can use the NetGuard app5 to restrict the network access you grant to them. This stops an app from sending the data it collects on the phone to unwanted parties. Note that NetGuard works as a local VPN, so it cannot run at the same time as another VPN app.
- Avoid creating accounts on built-in app stores: download Android apps from the official Google Play store if possible. If Google Play is not accessible (as is the case in Tibet), we recommend against creating accounts in the phone’s built-in app store (e.g. on Oppo it is called App Market). Instead, use the ‘Sideload Apps’ functionality to install apps from APK files obtained through trusted contacts. For more information on sideloading apps and verifying that APKs are genuine, contact TibCERT.