The Washington Post is reporting that a Chinese state propaganda app appears to contain root exploit code, with some lengths taken to obscure that code. Root, for the newbies, allows an app to do anything and access any other app’s data.
We’ll get to my own reading of the report in a minute. It is not in line with the Post’s, and it was written after the section immediately below.
According to the Washington Post’s reading of the report from Cure53, the security firm that dissected the app, some lengths have been taken to obfuscate the code and the app appears to be able to execute arbitrary code. That’s on top of the app demanding almost every permission as it stands upon install.
Use of the app is not exactly voluntary. To be licensed as a reporter, according to the Post, you’ll be required to make a passing grade in the app, and state employees are required to use it and pass its tests of knowledge or potentially receive pay cuts. A modern version of the Little Red Book.
The interesting part: the piece they discovered that could run arbitrary code was not obfuscated well enough to actually hide it. Other portions of the app, which do things we don’t know about, are hidden well enough that the researchers were unable to decompile them.
Seems a bit sloppy, but then again maybe the whole Huawei debacle requires some diversionary tactics to get people to stop thinking about carrier backdoors and to attack Google for a week for having an exploit that’s been around long enough for this app to pick it up.
Perhaps the story is that they put this out simply to attract attention, or maybe the Chinese government is simply working with Matt and Trey on the next episode of South Park, since season 23 seems to be entirely based on getting SP banned in China on a weekly basis.
Whatever the case, it appears at this point that if the app is government mandated, it’s time for state employees to get a second phone, which will have the hardware backdoors.
One man’s admittedly tired read of the report
After reading the Cure53 report, although admittedly on one cup of coffee and not enough sleep, it appears that “heavy” obfuscation, bad cryptography, extensive logging, and a check for root (in the form of looking for “su”) were the primary findings.
Checking for the existence of root, it should be mentioned, is not the same as using a root exploit or accessing a backdoor. Many games check for root and never use it. In most cases you have to explicitly tell a Superuser Manager app to grant root to an app.
The main issue appeared to be extensive logging, with the logs transmitted under relatively insecure DES encryption. There’s a section about how this encryption can be broken in about a week, but what’s weird is that this data is getting sent to the Chinese government anyway, so what’s the issue here? That they’re getting the data in a slightly less secure format?
They mention that the connection carrying the data is insecure, meaning that if it got uploaded at a coffee shop, a third party could intercept it and, in a week or two, decrypt what the government is harvesting, putting users at risk of having their photos, emails and data stolen by multiple entities.
Page 9 of the report details that arbitrary commands could be run; however, none were run during testing.
Page 11 has a section on proven obfuscation for hiding functionality, and the comment that it prevented most decompilers from decoding many of the files. Not really a smoking gun here; a lot of commercial entities use the same thing to prevent knockoffs.
Pages 13-15 detail some of the apps the state app is looking for.
So, unless I’m reading the report wrong, the Washington Post’s lead of “The Chinese Communist Party appears to have ‘superuser’ access to the entire data on more than 100 million Android-based cellphones through a back door in a propaganda app that the government has been promoting aggressively this year” should be more along the lines of “The Chinese Communist Party’s app might do something worse than we already know; reports don’t really say.”
Post: “the Cure53 auditors found code that amounts to a back door into the phone that is able to run arbitrary commands with ‘superuser’ privileges.” Report (as understood by Paul): researchers found a check for superuser, a line to run code with or without su access, and bad practices in transmitting collected information.
It also appears that the function to run arbitrary code is this:
In this case, the smoking gun is a subroutine that executes something. The only way to determine whether it’s a backdoor or arbitrary is to look at what calls it.
There’s nothing in the report that indicates they found it executing anything, requesting superuser, etc. You might wonder, then, why the capability is there to run code, or to run it with superuser… so do I, but it’s not really a backdoor. Just a line of code that for some reason was not obfuscated to the point of being unreadable. [Washington Post]
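As an added illustration of the “look at what calls it” point (this is not code from the report, the Post, or the app), here is a small static-triage script that separates a method that merely checks for an su binary from one that actually spawns a shell, and lists what calls each. The decompiled Java it scans is a constructed sample with invented class and method names; real input would be a decompiler’s output directory.

```python
import re

# Constructed sample of decompiled Java (invented class/method names) standing in
# for what a decompiler such as jadx emits. It is NOT the propaganda app's code.
SOURCES = {
    "RootCheck.java": """public class RootCheck {
    public static boolean isRooted() {
        String[] paths = {"/system/bin/su", "/system/xbin/su", "/sbin/su"};
        for (String p : paths) { if (new java.io.File(p).exists()) return true; }
        return false; } }""",
    "ShellUtil.java": """public class ShellUtil {
    public static String runCommand(String cmd, boolean asRoot) {
        Process p = Runtime.getRuntime().exec(asRoot ? "su" : "sh");
        return readAll(p, cmd); } }""",
    "MainActivity.java": """public class MainActivity {
    public void onCreate() {
        if (RootCheck.isRooted()) { Log.w("app", "rooted device"); } } }""",
}

METHOD_RE = re.compile(r'(?:public|private|protected)\s+(?:static\s+)?[\w<>\[\]]+\s+(\w+)\s*\([^)]*\)\s*\{')
EXEC_RE = re.compile(r'Runtime\.getRuntime\(\)\.exec\(|new\s+ProcessBuilder\(')
SU_PATH_RE = re.compile(r'"[^"]*/su"')  # string literal naming an su binary path

def split_methods(src):
    """Map method name -> approximate body (text up to the next declaration)."""
    decls = list(METHOD_RE.finditer(src))
    ends = [d.start() for d in decls[1:]] + [len(src)]
    return {d.group(1): src[d.end():end] for d, end in zip(decls, ends)}

def triage(sources):
    """Classify methods that look for su or spawn a shell, and list who calls them.
    A shell-spawning method with no callers is capability that is present but unused
    in the analysed code; a path check alone detects root, it does not use it.
    Method names are assumed unique across the sample."""
    methods = {n: (f, b) for f, s in sources.items() for n, b in split_methods(s).items()}
    report = {}
    for name, (fname, body) in methods.items():
        if EXEC_RE.search(body):
            kind = "exec"
        elif SU_PATH_RE.search(body):
            kind = "su_check"
        else:
            continue
        call_re = re.compile(r'(?<![\w.])(?:\w+\.)?' + re.escape(name) + r'\s*\(')
        callers = sorted(c for c, (_, cb) in methods.items() if c != name and call_re.search(cb))
        report[name] = {"file": fname, "kind": kind, "callers": callers}
    return report

if __name__ == "__main__":
    for name, info in triage(SOURCES).items():
        print(f"{info['file']}: {name} [{info['kind']}] callers={info['callers'] or 'none'}")
```

On the sample, the su path check is reached from onCreate while the shell-spawning method has no callers at all, which is exactly the situation where a report can say “could run arbitrary commands” without having observed any.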