Chinese Mobile App Encryption Is Suspiciously Awful

Published by The Lawfare Institute
in Cooperation With
A new paper, from researchers at Princeton and the Citizen Lab, has found that apps from Xiaomi's Mi Store, which serves mainland China, are an encryption horror show. Compared to apps in Google's Play Store, Mi Store apps send significantly more unencrypted traffic, and the encrypted traffic they do send is typically vulnerable to decryption by eavesdroppers.
The researchers examined the top apps from the Google Play Store and the Mi Store, 1,699 in total (more than 800 from each store), and ran them through a measurement pipeline they call WireWatch, which they built to automatically flag nonstandard encryption in app traffic.
WireWatch found that nearly half of the top Mi Store apps used proprietary encryption, against only 3.51 percent of the top Google Play Store apps. The authors then reverse-engineered the nine most popular cryptosystems WireWatch identified and found that eight of them sent network traffic an adversary could decrypt.
These eight systems suffered from a variety of faults: hard-coded symmetric keys, so anyone who extracts the key from the app can decrypt every user's traffic; flaws in key generation that let keys be brute-forced; and vulnerable implementations of standard encryption algorithms. Almost half of the apps also did not properly validate TLS certificates, leaving them open to man-in-the-middle attacks.
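Two of the findings above are easy to make concrete: how a measurement pipeline can flag traffic that is neither plaintext nor TLS, and why a hard-coded symmetric key gives a passive eavesdropper everything. The following is an added example written for this article; it is not the paper's WireWatch code, and its triage heuristic is an illustration rather than the pipeline's actual method. The toy "proprietary" cipher, its key, its two-byte header and the telemetry records are all constructed here.

```python
"""Added example (not the paper's WireWatch code): triage captured app payloads
for nonstandard encryption, then show what a hard-coded symmetric key hands an
eavesdropper. The cipher, key, header and telemetry records are all
constructed for this demonstration."""
import hashlib
import json
import math
from collections import Counter

# --- Toy "proprietary" cipher with a hard-coded key (constructed) -------------
# Models the anti-pattern from the paper: one symmetric key ships inside every
# copy of the app, so anyone who lifts it from the APK can decrypt every user.
HARDCODED_KEY = b"MiAppSharedKey-2024"   # made-up value
MAGIC = b"\x7a\x01"                      # made-up 2-byte header the app prepends
NONCE_LEN = 8


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, standing in for whatever custom stream an app rolls."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def app_encrypt(plaintext: bytes, nonce: bytes) -> bytes:
    """What the app sends: MAGIC || nonce || plaintext XOR keystream(HARDCODED_KEY)."""
    assert len(nonce) == NONCE_LEN
    ks = _keystream(HARDCODED_KEY, nonce, len(plaintext))
    return MAGIC + nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def eavesdropper_decrypt(payload: bytes, extracted_key: bytes) -> bytes:
    """A passive observer who pulled the key from the APK recovers the plaintext."""
    nonce = payload[len(MAGIC):len(MAGIC) + NONCE_LEN]
    body = payload[len(MAGIC) + NONCE_LEN:]
    ks = _keystream(extracted_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


# --- Heuristic triage of one TCP payload ------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext or compressed data, well below for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: type 0x14-0x17, version 0x03 0x01-0x04, sane 2-byte length."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return ctype in (0x14, 0x15, 0x16, 0x17) and major == 0x03 and 1 <= minor <= 4 and 0 < length <= 18432


def looks_like_plaintext(payload: bytes) -> bool:
    """Mostly printable ASCII (plus tab/CR/LF): HTTP, JSON and the like."""
    if not payload:
        return False
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(payload) > 0.9


def classify(payload: bytes) -> str:
    """Plaintext, TLS, or high-entropy non-TLS (a candidate for reverse engineering)."""
    if looks_like_tls(payload):
        return "tls"
    if looks_like_plaintext(payload):
        return "plaintext"
    if len(payload) >= 256 and shannon_entropy(payload) > 7.0:  # short payloads give unreliable entropy
        return "nonstandard-encrypted"
    return "binary-unknown"


# --- Constructed sample traffic ----------------------------------------------
def sample_records() -> bytes:
    """Made-up telemetry batch of the kind the paper reports leaking: device and network metadata plus browsing data."""
    records = [{"imei": f"49015420323751{i}", "ssid": "home-wifi", "url": f"https://example.com/page/{i}"}
               for i in range(8)]
    return json.dumps(records).encode()


HTTP_PLAINTEXT = b"GET /report?imei=490154203237518 HTTP/1.1\r\nHost: telemetry.example\r\n\r\n"
TLS_RECORD_PREFIX = b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03" + bytes(32)  # start of a ClientHello
PROPRIETARY = app_encrypt(sample_records(), nonce=bytes(range(NONCE_LEN)))


def demo() -> dict:
    return {
        "http": classify(HTTP_PLAINTEXT),
        "tls": classify(TLS_RECORD_PREFIX),
        "proprietary": classify(PROPRIETARY),
        "recovered_with_extracted_key": eavesdropper_decrypt(PROPRIETARY, HARDCODED_KEY) == sample_records(),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The entropy test only separates "not text" from "text"; it cannot tell a sound custom cipher from a broken one, which is why the paper's authors had to reverse-engineer the top nine systems by hand. The last line of the demo is the hard-coded-key problem in one check: a key extracted once from the APK decrypts every installation's traffic, with no per-user secret anywhere.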
The data that could potentially be exposed varied per cryptosystem and included device and network metadata and browsing data. All good stuff if you are looking to surveil a population.
Interestingly, the more popular an app is in the Mi Store, the more likely it is to use one of these vulnerable proprietary cryptosystems. Curious!
One thing the paper doesn’t address is how an entire ecosystem with poor encryption practices arises in the first place. Is it occurring just because the Mi Store does not actively enforce stricter standards compliance? Do Chinese companies just have a predilection for developing their own cryptosystems? Does the Chinese government not trust overseas encryption standards? Or is there a government directive we are not aware of that encourages insecure practices as a surveillance enabler?
We've seen examinations of individual Chinese apps before, but this big-picture analysis of hundreds of apps at once raises some interesting questions.
Whether it's insecurity by design or not, the average Chinese netizen is worse off because of it. But perhaps that's just the way the Chinese government likes it.
Congress Should Bring Back the CSRB
The Trump administration does not yet have any plans to recreate the Cyber Safety Review Board (CSRB). It's a shame, because although the board's structure wasn't perfect, its work was important and necessary. It should be reformed, not dumped.
The CSRB was set up under the Biden administration to review significant cyber incidents. Its work addressed significant security problems and drove real improvements. The Trump administration disbanded the CSRB in January.
Speaking at the RSA conference earlier this month, Alexei Bulazel, the National Security Council's senior director for cyber, said the CSRB was "an interesting initiative" but passed the buck on deciding the board's future to the next director of the Cybersecurity and Infrastructure Security Agency (CISA). Sean Plankey's nomination for the position is currently held up in the Senate.
Bulazel raised two specific issues with the board's functioning: that cyber incidents are usually deliberate attacks, and that conflicts of interest are difficult to manage.
On the deliberate nature of cyber incidents, he noted that while the CSRB was modeled on the National Transportation Safety Board (the NTSB, which investigates civil aviation accidents), cyber incidents have "a very different dynamic" from plane crashes.
He said that with aviation accidents, the root cause was often mechanical in nature. For example: "The screw was loose on the wing and the screw came off and the wing started wiggling."
"And then it's the laws of physics … and we can take lessons for future aeronautical engineering, for future safety protocols[.]"
By contrast, he says, cyber incidents are often the result of malicious action from "an adversary country or a hacker or criminal gang."
Nonetheless, Heather Adkins, vice president of security engineering at Google and the former deputy chair of the CSRB, maintains that CSRB-style reviews are still worthwhile.
Writing on X, she said, "[W]hile on CSRB I pushed hard for us to look at the things that would eliminate classes of problems." She cited infostealers and backdoors in open-source software as examples where "a CSRB should approach the software and hardware engineering problem with the diligence NTSB has tackled window shapes and material science." Infostealers are a type of malware that steals information such as passwords to facilitate illegitimate access to accounts.
Adkins told Seriously Risky Business there was a range of approaches that would help mitigate that particular problem. She cited security keys and passkeys, binding session cookies to clients so that they can't be stolen and used elsewhere, and also more robust isolation in operating systems to stop nonbrowser processes from stealing authentication cookies.
To us, this doesn't sound all that different from recommending design improvements to the bolts that caused the wiggly wings.
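The cookie-binding mitigation Adkins mentions is worth seeing in code, because it changes what an infostealer actually gets. The following is an added example written for this article, not Google's, any browser's or Adkins's own implementation. It assumes a server that issues a per-request nonce and a client that holds a binding key outside its cookie store; for brevity the key is a symmetric secret registered at login, whereas real deployments keep an asymmetric key in platform hardware and register only the public half. Class names, cookie values and nonces are constructed.

```python
"""Added example (not Google's, any browser's or the CSRB's code): a session
cookie bound to a key held outside the cookie store, so a cookie an
infostealer copies from the browser profile is useless on its own. For
brevity the device key is a symmetric secret registered at login; real
deployments keep an asymmetric key in platform hardware and register only the
public half. Names, cookie values and nonces are constructed."""
import hashlib
import hmac
import secrets


class Server:
    def __init__(self, require_binding: bool = True):
        self.require_binding = require_binding  # False reproduces plain bearer-cookie behaviour
        self.sessions = {}                      # cookie -> device binding key
        self.pending_nonces = set()             # challenges issued and not yet consumed

    def login(self, device_key: bytes) -> str:
        """Issue a session cookie and remember which device key it is bound to."""
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = device_key
        return cookie

    def challenge(self) -> str:
        """Fresh per-request nonce, so a captured proof cannot be replayed."""
        nonce = secrets.token_hex(16)
        self.pending_nonces.add(nonce)
        return nonce

    @staticmethod
    def proof_for(key: bytes, cookie: str, nonce: str) -> str:
        return hmac.new(key, f"{cookie}|{nonce}".encode(), hashlib.sha256).hexdigest()

    def handle(self, cookie: str, nonce: str = "", proof: str = "") -> str:
        key = self.sessions.get(cookie)
        if key is None:
            return "401 no such session"
        if not self.require_binding:
            return "200 ok (bearer cookie accepted)"  # the weak setting
        if nonce not in self.pending_nonces:
            return "401 unknown or replayed nonce"
        self.pending_nonces.discard(nonce)             # single use, even if the proof fails
        if not hmac.compare_digest(self.proof_for(key, cookie, nonce), proof):
            return "401 cookie not bound to this client"
        return "200 ok"


class Browser:
    """Legitimate client. The binding key never enters the cookie jar."""
    def __init__(self, server: Server):
        self.server = server
        self.binding_key = secrets.token_bytes(32)  # in a real client: TPM/keychain-held
        self.cookie_jar = {}

    def login(self) -> None:
        self.cookie_jar["session"] = self.server.login(self.binding_key)

    def request(self) -> tuple:
        """Returns (status, nonce, proof) so the demo can show a replay attempt."""
        cookie = self.cookie_jar["session"]
        nonce = self.server.challenge()
        proof = Server.proof_for(self.binding_key, cookie, nonce)
        return self.server.handle(cookie, nonce, proof), nonce, proof


def infostealer(server: Server, stolen_jar: dict, captured: tuple = None) -> str:
    """Attacker holding the copied cookie file (and optionally one sniffed nonce/proof pair), but not the key."""
    cookie = stolen_jar["session"]
    if captured is None:
        return server.handle(cookie, server.challenge(), proof="")  # cannot compute a proof
    nonce, proof = captured
    return server.handle(cookie, nonce, proof)                      # replay of an old proof


def demo() -> dict:
    bound = Server(require_binding=True)
    victim = Browser(bound)
    victim.login()
    status, nonce, proof = victim.request()
    stolen = dict(victim.cookie_jar)          # what the malware exfiltrates
    unbound = Server(require_binding=False)
    legacy_victim = Browser(unbound)
    legacy_victim.login()
    return {
        "legit": status,
        "stolen_cookie_bound": infostealer(bound, stolen),
        "stolen_cookie_replay": infostealer(bound, stolen, (nonce, proof)),
        "stolen_cookie_unbound": infostealer(unbound, dict(legacy_victim.cookie_jar)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The unbound server is today's default: whoever holds the cookie is the user. With binding on, the stolen cookie fails without the key, and a sniffed proof fails a second time because the nonce was consumed. That leaves the attacker needing the key itself, which is exactly what the OS-isolation work Adkins also mentions is meant to keep out of reach of nonbrowser processes.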
Because implementing these solutions isn't necessarily straightforward or easy, Adkins thinks official reviews are important because they "carry a lot of weight." A formal government report saying "do this thing" can encourage organizations to actually do that thing.
See, for example, Microsoft's Secure Future Initiative, which was given a firm boost after the CSRB lashed the company for a "cascade of security failures."
One former CSRB member, and friend of Risky Business, Dmitri Alperovitch, also shared his views on the defunct board in a keynote at RSA. He described it as an "interesting experiment … [and] we've learned a lot." But its members were squeezing their CSRB work around their full-time jobs, making it unsustainable.
The fact that those full-time roles were a mix of government cyber leads, including those from CISA, the FBI and the National Security Agency (NSA), as well as private-sector luminaries from Google and Microsoft, leads us to Bulazel's second concern: conflicts of interest. But Alperovitch and Adkins believe the expertise required means these conflicts are inevitable.
The government members were necessary, Adkins said, because they understood government processes and "the various ways to turn the levers of law enforcement, public policy, legislation, and the voice of the government." Alperovitch told Seriously Risky Business that government members also ensured the CSRB received "unbelievable cooperation" from intelligence agencies during its reviews into Log4J and Lapsus$.
The private-sector members are also necessary. They bring technical expertise, make sure that the right questions are asked, and know what is practical for industry to achieve.
Conflicts of interest were not limited to either private- or public-sector board members. Each group had roughly equal numbers of recusals over the lifetime of the CSRB.
Alperovitch told us the Biden-era CSRB "succeeded in spite of how we were formed." The board was essentially an NTSB-lite because it was created by executive order. He'd like to see a future iteration of the CSRB that more closely resembles the NTSB. This would mean making it an independent organization separate from CISA and Homeland Security, with the power to compel testimony and a Senate-confirmed commissioner as its head.
Alperovitch said the CSRB's investigation into the Salt Typhoon Chinese espionage campaign that has compromised U.S. telecommunications companies was hampered because the board was part of CISA and did not have subpoena power. Some victim telcos told CISA they were unwilling to share information about the compromises and their remediation steps with it because of the CSRB investigation.
A fully independent, more empowered CSRB would require legislation, so the ball's in Congress's court. They should grab it and run with it.
Three Reasons to Be Cheerful This Week:
- Ransomware actors are suffering: Ransomware incident response firm Coveware's latest quarterly report says the ecosystem is "fractured and uncertain." It says that there are several factors contributing to this. These include an increasing risk of financial sanctions, law enforcement agencies effectively unmasking previously anonymous criminals, and the disruption of services that ransomware actors need, such as bulletproof hosting and money laundering. Bad news for ransomware is good news in our books.
- EU launches the European Vulnerability Database: ENISA, the European Union's cybersecurity agency, has launched its own vulnerability database. We are not convinced that, in isolation, yet another vulnerability database is a good thing, but for Europe, given recent funding issues at the United States' Common Vulnerabilities and Exposures (CVE) program, having sovereign capability is. Risky Bulletin and Dark Reading have further complementary coverage.
- Advanced Protection for Android: Google has officially announced that its Advanced Protection Program is coming to Android 16. One of the features is Intrusion Logging, which the company says "backs up device logs in a privacy-preserving and tamper-resistant way, accessible only to the user. These logs enable a forensic analysis if a device compromise is ever suspected."
Shorts
ZOMG MSTIC!
Bloomberg has an interesting, albeit a little bit breathless, profile of MSTIC, the Microsoft Threat Intelligence Center.
It credits the outfit with the initial detection of Chinese state-backed hackers Volt Typhoon (which it found near telecommunications infrastructure and U.S. naval bases in Guam) and the first detection of Salt Typhoon within U.S. telecommunications infrastructure.
Microsoft has visibility that, for good reasons, the U.S. government doesn't have, so it makes sense that the company occasionally collaborates with it. Per Bloomberg:
Over the past decade, Microsoft has built MSTIC into a cornerstone of America’s cyber defenses, working closely with the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency and other departments to help ferret out state-backed hackers bent on espionage or disrupting government and corporate networks.
Despite MSTIC being a "cornerstone," Bloomberg also says it is a "somewhat ad hoc structure, assembled by people with sometimes diverging interests, [and] relies heavily on personal relationships that require constant maintenance."
The author wonders whether this cooperation will continue under the Trump administration after layoffs and the downsizing of CISA. Our bet is yes. Microsoft's visibility fills a gap that U.S. cybersecurity agencies will always have.
Risky Biz Talks
In a special edition of the Seriously Risky Business podcast, Patrick Gray speaks with former NSA Cybersecurity Director Rob Joyce and former director of the CIA's Center for Cyber Intelligence Andy Boyd. They talk about what offensive cyber could look like under Trump 2.0, and the shake-up the intelligence community is going through under various White House initiatives.
In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq examine whether the U.S. should steal intellectual property from Chinese companies.
From Risky Bulletin:
Kaleidoscope ad fraud network infects 2.5 million new devices each month: Security researchers have discovered a new ad fraud operation named Kaleidoscope that uses the "evil twin app" technique to disguise the origin of its ad impressions.
The botnet consists of clean apps uploaded to the official Play Store and doppelgangers distributed through third-party stores.
These clones are the heart of the botnet and use a malicious advertising SDK to bombard users with unwanted and unskippable ads.
Both the legitimate apps and their rogue clones use the same advertising IDs as a way to disguise the origin of the ad impressions and generate revenue through behavior that isn't tolerated by the ad industry.
Researchers at Integral Ad Science (IAS) have linked the Kaleidoscope botnet to 130 app IDs, which are bringing in around 2.5 million installs every month.
[more on Risky Bulletin]
France says Russian influence operations are getting better, achieving results: VIGINUM, the French government's agency that hunts down and exposes foreign disinformation networks, says that Russian influence operations have now reached a mature level and are often achieving notable results.
The agency published a report this week on Storm-1516—what appears to be one of the Russian government's most sprawling and active disinformation clusters.
Unlike many previous disinformation reports that tend to play down the effectiveness of such operations, VIGINUM doesn't mince words and describes Storm-1516's efforts as successful and "a significant threat to French and European public debate."
[more on Risky Bulletin]
Nissan LEAF hacking: Security researchers from Hungarian security firm PCAutomotive have discovered eight vulnerabilities in Nissan LEAF car models. The bugs allow control over the car's telematics unit, the infotainment system, and even its most sensitive component, the CAN bus. An attacker could track and geolocate vehicles and record conversations inside the car. They could also control core vehicle features, such as opening doors, starting wipers, and even turning the wheel while the car is in motion. [Additional coverage in Electrek]