Security Risks Exist in Chinese Mobile Apps

By Xiaoxu Sean Lin
Xiaoxu Sean Lin
Xiaoxu Sean Lin
February 27, 2019 Updated: May 19, 2019


Many recent studies related to cybersecurity have addressed the vulnerability and threats in mobile devices, such as the current hot topic of banning Huawei and ZTE equipment.

Yet, not many reports have focused on the security risks associated with Chinese mobile apps. Most people think that mobile apps’ security issues are often related to the underlying security practices, such as choosing a secure password and updating the privacy setting. However, Americans should also be on high alert about the risks associated with popular Chinese mobile apps and national-security risks related to Beijing’s mobile expansion worldwide.

On the topic of Chinese infiltration in the United States, there’s been one large omission for policymakers: Tencent’s WeChat app, the most popular app in China, which claimed to have 1 billion users in 2018. This Chinese social-media platform/messaging app/payments channel/retailer is the dominant digital player on the mainland, and such reliance on WeChat is accentuated because WhatsApp and Facebook Messenger are blocked in China.

Epoch Times Photo
A man walks past an advertisement for the WeChat social media platform owned by China’s Tencent company at Hong Kong’s international airport on Aug. 21, 2017.  (Richard A. Brooks/AFP/Getty Images)

However, WeChat has deep and well-documented security flaws. In an October 2016 report, Amnesty International looked at the effectiveness of the encryption systems used by 11 global technology players and ranked WeChat last. While Facebook Messenger, WhatsApp, and FaceTime scored more than 60 points out of 100, WeChat scored an astonishing zero.

The most prominent flaw is that WeChat didn’t provide essential end-to-end encryption—the gold standard for privacy. This vulnerability means that its messaging system could be easily accessed via a “back door.” Also, WeChat didn’t publish transparency reports on government requests for information.

Moreover, WeChat could be used for surveillance and peddling influence not only within China, but also outside its borders.

“China has effectively extended its oversight of the internet outside its borders,” said Fergus Ryan, a cybersecurity analyst at the Australian Strategic Policy Institute (ASPI) in Canberra. “Tencent will always comply with every request for information from Chinese authorities.”

That means people should understand clearly that nothing they say on WeChat is private and safe, whether they are inside or outside of China. This brings about a common China dilemma: Is the price of engaging with China worth what may have to be given up? The dilemma is made more difficult as foreign businesses (including media, academic, and government delegations) are often asked to download the WeChat app when they first arrive in China, in the name of better communication.

While Tencent always denies that its operation violated users’ privacy, one recent case would suggest otherwise. In September 2018, a man in Beijing was sentenced to nine months in prison because of a joke he made about the terrorist group ISIS in a WeChat group. Although in other countries, people are also imprisoned for joking about terrorism online, the key issue in this case is that Zhang’s comment was not made in a public forum but in a private group. His messages in this private chat were later tendered in court and used to convict him.

“There are enough cases like this and other evidence to suggest Chinese authorities are able to dip into WeChat data and sneak around,” said Ryan.

Another serious concern about WeChat is that users’ metadata might be shared with Chinese authorities. Metadata reveals far more about users’ jobs, lives, and habits than any messages. Once installed, WeChat’s app could be used as a back door to access a user’s phone. The Minghui website of the largest Chinese dissident group, Falun Gong, recently instructed all members to uninstall WeChat and reformat or return to the original factory status for all mobile phones that once had WeChat installed.

China’s Cybersecurity Law, introduced in June 2017, requires network operators to store select data on servers within the country, monitor and record network operations, and maintain related logs for not fewer than six months. As messaging platform operators, Tencent’s WeChat and Sina Corp.’s Weibo are also required to warn users against breaking relevant laws, restrict the publication of posts, and suspend or close accounts while preserving related records for the authorities, according to a policy statement posted on the website of the regulator Ministry of Industry and Information Technology.

The lack of privacy and the potential for Chinese apps to contain spyware or malware also led to the important decision made by the Indian Intelligence Bureau in December 2018 to prohibit military personnel from using WeChat and other similar services on their phones: “Use of these apps by our force personnel can be detrimental to data security having implications on the force and national security.”

According to this decision, all Indian military personnel were instructed to delete WeChat and more than 40 other apps with ties to China.

So, how can the U.S. government (USG) improve the protection of data privacy, metadata, and intellectual property when facing threat from Chinese mobile apps and its desire for America’s big data? Here are some policy recommendations:

• USG should identify WeChat or any other dangerous mobile apps developed by Chinese companies and make a public announcement to ban the usage of these apps on any government phones, not just of military personnel.
• USG should require employees to store their personal mobile phones outside their working areas during working hours if these phones were installed with Chinese apps, such as WeChat.
• Collect, evaluate, and publish a list of social apps, search engines and websites that have insecure back doors or deliberate insecurity, to educate the public on mobile security to protect privacy data.
• A reciprocal approach: If Chinese mobile payment systems are allowed to operate in the United States, China should open its market to allow U.S. mobile payment systems to work in China as well.

Dr. Xiaoxu Sean Lin is a former U.S. Army officer with expertise on infectious diseases, surveillance and global public health. He was the co-founder and former executive vice president of Sound of Hope Radio Network, and hosted talk shows on China’s current affairs on New Tang Dynasty TV. Currently, he is the founder and general manager of WQER-LP radio station. He is also a frequent news analyst and commentator for Sound of Hope Radio Network, with a focus on global public health, national security and foreign relations related to Asian affairs.

Views expressed in this article are the opinions of the author and do not necessarily reflect the views of The Epoch Times.

Xiaoxu Sean Lin
Xiaoxu Sean Lin