Can You Trust A Chinese-Made Android Phone?

Can You Trust A Chinese-Made Android Phone?

We know that Chinese apps like WeChat are notorious for extensively carrying out censorship and surveillance on users.¹ We’ve also heard increasing reports that Tibetans in Tibet are made to install surveillance apps on their phones². But what about the risks posed by Chinese-made mobile devices that Tibetans in Tibet – and increasingly more people globally – are using. What risks do they pose to users? Popular Chinese-made Android devices include Vivo, Redmi, Oppo, and others.

First off, TibCERT advises against using Chinese-made android devices whenever possible. There is a lot we still don’t know about these phones and the more unknown variables that exist with technology, the less confident we can be about its security. There is a distinct lack of research on Chinese-made Android phones even though they make up over 60% of the market share in India³ and almost 50% of the global⁴ mobile market.

For Tibetans in Tibet, Chinese-made Android devices are a reality. Many Tibetans use Chinese-made android phones. Elsewhere, these phones are dominating the market because they are relatively inexpensive as compared, for example, to an iPhone or Android Google Pixel device. As a community on the frontlines of mobile attacks, it is critical that Tibetans understand the potential risks and vulnerabilities of using these devices. This knowledge will help us better mitigate mobile risks.

To carry out our research, the TibCERT team conducted tests on Vivo, Redmi and Oppo devices. Additionally, we did initial tests into the popular Chinese app stores frequently used to download apps on these phones. Our key findings are outlined below. We have also compiled five tips based on these findings to help mitigate potential risks. In fact, these tips are useful for all android mobile phone users!

What We Learned

Chinese-made Android phones come with built-in browsers that don’t support full functionality of Progressive Web Apps (PWA).

What’s a PWA? PWAs are web-based applications designed to replicate the functionality of regular apps within a web browser. A common example is using https://app.starbucks.com/ to order your coffee instead of downloading the Starbucks Android or iOS app on your phone. This is an example of a simple PWA. A fully functional PWA, however, is more advanced and can implement more advanced features like end-to-end encryption, for example, to enable secure access and communication via the browser.

All of the phones we tested or [Vivo, Oppo, and Redmi] do not support full functional PWA. Users of these phones should download a browser that supports fully functional PWAs – like Google Chrome, Apple’ Safari, Firefox and Brave – in order to take advantage of privacy and security enhancing PWAs.

Chinese-made Android phones include built in browsers that leak sensitive data, have poor encryption, and give risky permissions to third parties.

We collaborated with researchers at Arizona State University to reverse engineer several browsers built into the phones including UC Browser, Baidu Searchbox, OPPO Browser, Redmi Browser, and VIVO Browser. This research revealed sensitive data leaks, insufficient encryption, and risky permissions granted to third-party software development kits (SDKs) from these browsers. If you use these browsers, even in incognito mode, you are potentially sharing your browsing history, personally identifiable information, and geolocation data – essentially it’s a big privacy risk, Bottom line – users should make informed choices about what browser they chose to use on Chinese-made Android phones and should not trust the default browser.

Oppo and Redmi Android phones have bundled apps with suspicious permissions

Bundled apps are apps that come pre-installed on a phone. We tested these apps and found that both Oppo and Redmi phones had bundled apps that were flagged as suspicious,

To better understand bundled app behavior, we looked carefully at what kinds of permissions these bundled apps had for accessing other data on the device. The results varied – the calculator app on the Vivo phone for example, did not have suspicious permission to view data. However on the Redmi phone, the same app requested permission to location data and on the OPPO phone, the calculator app requested several permissions to SMS, lock screen cover, sending MMS messages, create home screen, and shortcuts. While this does not necessarily mean the app is malicious, it raises concerns around misuse of permissions. This finding also highlights how permissions vary across Chinese-made android phones.

Chinese Android App Stores have limited selection of secure communication apps

We tested 18 common Chinese Android App Stores, for the availability of a trusted list of secure apps identified by our organization as essential apps to enhance users security and secure communication. This trusted list includes apps which provide users with improved digital safety and privacy tools. We found that only one secure app was available in two of the app stores we tested. The app on one store was legitimate, however, in the second app store, we discovered it to be a fake app that, once downloaded, installed two other apps on the phone instead. This highlights the risks associated with malicious activity, where a secure app is re-packaged in unofficial distribution channels, exploiting the lack of transparency and clear disclosure policies.

Based on our findings we have the following tips for users of Chinese-made Android phones:

5 Important TIPS:

1. Avoid Default Browsers: UC Browser, Baidu Searchbox, OPPO Browser, Redmi Browser, and VIVO Browser contain vulnerabilities which could severely compromise users’ privacy. At the same time, these browsers can enable user tracking by network operators due to their weak transport-layer security. Use browsers such as Google Chrome, Safari, Firefox, and Brave.

2. Use Browsers that are security enhancing: Google Chrome, Safari, Firefox, Brave support full functionality of progressive web applications (PWAs) which enable users to access secure apps on a browser (no downloading needed from an app store!) This feature allows users to access these apps without needing to download them from the Chinese version of the App Store or Android App Stores that are blocked in China.

3. Check your phones’ built-in Apps: If possible, disable or uninstall apps that come pre-installed with Chinese-made Android phones but are not critical for use of the phone (e.g. the built-in calculator app. These ‘bundled’ apps carry security risks and some request permissions that could reveal your data to unwanted sources (e.g. the phone manufacturer.)

4. Use Netguard for protection: Certain bundled apps can not be uninstalled (tip 4), but you can use the Netguard app⁵ to restrict the network access you are granting to these apps. This stops an app from sharing the data it collects on the phone to unwanted sources.

5. Avoid creating accounts on build-in app stores. Download Android apps from the official Google Play store (if possible). If Google Play is not accessible (as is the case in Tibet), we recommend against creating accounts in the phone’s built-in app store (e.g. on Oppo it’s the App Market). We recommend using the “Sideload Apps” functionality to install apps via APK which can be obtained through trusted contacts. For more information on sideloading apps and getting secure APKs, contact TibCERT to learn more about sideloading and verifying that APKs are genuine.

6. Avoid using Chinese Android in-built default browsers: As part of the browser vulnerability research, we collaborated with Arizona State University(ASU), where we worked on reverse engineering on various browsers including UC Browser, Baidu Searchbox, OPPO Browser, Redmi Browser, and VIVO Browser. Our finding revealed sensitive data leaks, insufficient encryption, and risky permissions granted to third-party software development kits (SDKs). Even when in incognito mode, these browsers expose browsing history, personally identifiable information (PII), and geolocation data. Such practices present significant privacy risks, underscoring the importance of making informed browser choices to protect personal information. Moreover, weak transport-layer security could enable user tracking by network operators, potentially compromising privacy and censorship-resistant features, particularly in regions with app store restrictions such as China.

7. Use browsers compatible with Progressive Web Apps(PWAs): PWAs are web-based applications designed to replicate the functionality of native apps within a browser environment. By using browser capabilities, PWAs offer a seamless app-like interface and functionality. During our research on the Chinese made Android phones revealed that many of these default browsers lack full PWA support. Given the Chinese government’s restriction on secure communication and VPN apps, users experience limitations in accessing secure apps via traditional app stores. When users utilize PWAs on their browsers, they effectively circumvent censorship enforced by the app store, gaining access to features such as secure communication. This quality proves especially advantageous for Tibetans living under Chinese authority, enabling them to communicate securely and privately without the risk of detection by Chinese authorities. Although the default browsers on the Chinese-made android phones do not support these features, numerous browsers, including Google Chrome, Apple’s Safari, and Firefox, do support PWAs.

8. SIDELOAD APPS: We recommend users do not create an account with the phone manufacturer to install apps as you give away lots of personal information during the account set up. This information can then be shared with other entities – such as Chinese authorities – without the user’s consent. Instead, we recommend installing and running apps on phones from a source other than the official manufacturer’s app store or Chinese marketplace. This typically involves downloading app installation files from a website, email or other external source and manually installing them onto the device. This process is also known as sideloading apps. To do so, Tibetan mobile users can obtain the desired app’s APK (it is like a package containing all the files needed to install and run the app on the phone) from a reliable source to mitigate the risk of downloading harmful software or malware. Additionally, using alternative app stores like F-Droid, which provide free and open-source software(FOSS) applications, can provide an alternative option for accessing apps.
   Important note to consider: Above tip is particularly valuable for individuals lacking access to secure communication tools via their app store, as well as Tibetan users living inside Tibet. Global users are advised to download apps from reputable sources such as Google PlayStore, Apple’s App Store to mitigate the risk of downloading malicious applications.

9. Use Netguard to restrict network access for selected Apps: During our research, we discovered that pre-installed apps on the phones we studied actively exchanged information with their servers over HTTPS. We were unable to determine the exact nature of the exchanged information, but did note that these apps were communicating with their servers on a regular basis. Additionally, Chinese authorities in Tibet sometimes forcibly install surveillance apps on the phones of Tibetan in Tibet. These apps are then used by Chinese authorities to collect personal information while monitoring online activities and even physical movements. Removing such surveillance apps carries risks, as it may raise suspicion and alert the authorities. Many preinstalled apps on Chinese-made phones can not be uninstalled. This is where NetGuard can help! NetGuard is like a traffic cop for your phone’s internet connection. It lets you choose which apps are allowed to use the internet and which ones are not. So if you don’t want a certain app to access the internet, you can use NetGuard to block it.

HOW TO DO IT

• Open NetGuard: Once installed, open the NetGuard app on your device. You may need to grant it certain permissions to function properly.
  • Grant VPN Permission: NetGuard works by creating a virtual private network (VPN) connection on your device. Follow the on-screen instructions to grant NetGuard permission to set up a VPN connection.
  • View App List: In the NetGuard app, you’ll see a list of all installed apps on your device. Apps with a Wi-Fi or mobile data icon next to them are currently allowed to access the internet.
  • Block App Access: To block internet access for a specific app, simply tap on the app’s name in the NetGuard app list. This will bring up a menu with various options.
  • Toggle Off Wi-Fi and Mobile Data: In the menu, you’ll see options to toggle Wi-Fi and mobile data access for the selected app. Tap on both options to disable internet access for the app.
  • Confirm Changes: After toggling off Wi-Fi and mobile data access, you may see a confirmation dialog. Confirm the changes to block internet access for the selected app.

10. Disable or uninstall apps that are not in use. Every app installed on your phone represents potential security risks. Unused apps that are not regularly updated can contain vulnerabilities that could be exploited against your privacy and security. Therefore removing them reduces the attack surface and minimizes the risk of security attacks or unauthorized access.
    • HOW TO DO IT
      • Disable Apps
        • Go to your device’s Settings.
        • Scroll down and select “Apps” or “Applications.”
        • Locate the app you want to disable from the list and tap on it.
        • Tap on the “Disable” or “Turn off” button. You may need to confirm your action.
        • The app will be disabled and removed from the app drawer, but its data and cache may still remain on the device.
      • Uninstall Apps:
        • Go to your device’s Settings.
        • Scroll down and select “Apps” or “Applications.”
        • Locate the app you want to uninstall from the list and tap on it.
        • Tap on the “Uninstall” button. You may need to confirm your action.
        • The app will be completely removed from your device, including its data and cache.
      • Uninstall Apps from Home Screen:

        • Long-press on the app icon on your home screen or app drawer.

        • Drag the app icon to the “Uninstall” or “Remove” option at the top or bottom of the screen.

        • Release the app icon when the “Uninstall” or “Remove” option is highlighted.

        • Confirm the uninstallation when prompted.

Footnotes

1. https://citizenlab.ca/2020/05/wechat-surveillance-explained/ ↩

2. https://turquoiseroof.org/weaponising-big-data-decoding-chinas-digital-surveillance-in-tibet/ ↩

3. https://gs.statcounter.com/vendor-market-share/mobile/india ↩

4. https://gs.statcounter.com/vendor-market-share/mobile/worldwide ↩

5. https://netguard.me/ ↩