This photo illustratration taken on February 20, 2019 shows a phone app called “Xuexi Qiangguo” with an image of China’s President Xi Jinping in Beijing.
Greg Baker | AFP | Getty Images
An app promoting Chinese leader Xi Jinping’s ideology has flaws that could potentially allow Beijing to control hundreds of millions of users’ smartphones, a new report claims.
“Study the Great Nation” or “Xuexi Qiangguo” in Chinese is billed by China’s Communist Party as an educational tool and it contains videos and articles about Xi’s ideology, as well as the ability for users to earn points by doing quizzes or commenting on pieces. It is developed by the Chinese government.
But a teardown of the Android version of the app by German cybersecurity firm Cure53, which was commissioned by the U.S. government-backed Open Technology Fund, highlighted security holes that could let Beijing snoop on users.
Cure53 found code in the app “resembling a backdoor which is able to run arbitrary commands with superuser privileges.”
If that code was deployed, it would grant a person system-wide administrative access, meaning they could download software, modify data or even install a keylogger to see what people were typing.
“And while the investigative method utilized does not allow us to observe the ways in which that backdoor is being exploited (if at all), the audits could find no legitimate reason why an app of this nature would seek to run commands on users’ phones with high privileges levels,” Cure53 noted.
The Xi ideology app also scans for other apps installed on a person’s device which the researchers note is “no way relevant to the purported purpose of the app, which leads us to speculate as to why this mass data collection is needed by the CCP (Communist Party of China).”
The State Council Information Office, responding on behalf of the Chinese government’s propaganda department, told the Washington Post that the app did not have the functions the report suggests.
“We learned from those who run the Study the Great Nation app that there is no such thing as you have mentioned,” the office said.
A spokesperson for the State Council Information Office wasn’t immediately available for comment when contacted by CNBC.
The Open Technology Fund and Cure53’s analysis alleges that Alibaba is complicit in allowing weak security on the app. The Chinese e-commerce giant acknowledged earlier this year that the app was built using DingTalk’s software. DingTalk is Alibaba’s instant messaging service.
Cure53 said the code it alleges amounts to a backdoor could be linked back to Alibaba or Alibaba Cloud.
A DingTalk spokesperson denied that this is the case.
“DingTalk is an open technology platform, and its suite of technology tools can be used for independent development of other applications and does not have any ‘backdoor code’ or scanning issues,” the spokesperson said.
Mass user base
“Study the Great Nation” has been pushed aggressively by Beijing. Communist Party members are encouraged to download it.
And journalists working for state media will use the app to sit a test to prove their loyalty to President Xi, the South China Morning Post reported last month.
The app has had a huge number of downloads. Huawei’s app store shows it has been downloaded 300 million times while on Wandoujia, another app store, the download number is 199,000. Google’s app store, known as the Play Store, is blocked in China.
“What’s clear is that while the CCP advertises Study the Great Nation as a way for citizens to prove their loyalty and study their country, the app’s maintainers are studying them right back,” the OTF report concluded.