Cybersecurity Company Cure53 Issues Report on Surveillance Capacities of Chinese “Study the Great Nation” App

On October 11, Cure 53, a German-based cybersecurity firm, issued a report on a mobile application, called “Xuexi Qiangguo” (“Study the Great Nation”), that Chinese technology firm Alibaba reportedly developed for the Chinese government’s propaganda department.  Since its release in February 2019, The Times reported, the app “has been downloaded more than 100 million times and has been pushed aggressively by the Chinese government.”  As Cure 53 noted, various sources indicate that the app “is getting heavily promoted by various powerful stakeholders, such as Chinese state media, universities, schools and similar parties.”

On its face, the app appears to be an educational app that “pushes out official news and images and encourages people to earn points by reading articles, commenting on them and playing quizzes about China and its leader, Xi Jinping.”  Use of the app, however, “is mandatory among party officials and civil servants and it is tied to wages in some workplaces.” In addition, as of October 2019, Chinese journalists “must pass a test on the life of President Xi, delivered via the app, in order to obtain a press card which enables them to do their jobs.”

The 18-page report, which Cure53 prepared at the behest of the Open Technology Fund, focused on whether the app “contained unadvertised features which could be seen as aiding the maintainers of the app in data collection,” and by extension, whether the app is collecting data “in a manner that violates human rights,” such as the European Convention on Human Rights (ECHR).  In brief, the report included the following findings:

• “The app stores multiple files insecurely in the SD card, from which other apps can read them.”
• “The app contains code resembling a backdoor which is able to run arbitrary commands with superuser privileges,” although “further investigation is required to unequivocally determine whether this code is used to perform malicious activities such as running arbitrary commands on the phones of citizens.” In addition, “[w]ithout context, it seems difficult to justify why an educational app requires code that looks like a backdoor,” especially if that backdoor “could potentially run arbitrary commands on citizen phones with superuser privileges.”
• The app tries to find specific running applications for 960 other popular apps that include games, navigation, travel and trips, credit cards, and payments.
• The app “avails of significant, privacy-sensitive permissions and functionality, such as location, face recognition, microphone and camera access, call log and contact processing,” and in fact requires sharing many of these features. Yet “the broader context of the evaluated coding practices remains unknown due to extensive obfuscation measures in the affected [coding] classes,” which the report attributes to Alibaba as the official maintainer of the app.

The report concluded that it is

evident and undeniable that the examined application is capable of collecting and managing vast amounts of very specific data. It is certain that the gathered material can become a basis for further actions concerning a specific group (or groups) of citizens. Although some of the collection of meta-data and device information could be legitimized as being aggregated for statistical reasons or software improvement, it is questionable if this is necessary for an app that claims to be educational in nature.

It also concluded that “[i]n a broader sense, the application’s functionality leads Cure53 to believe that violations of human rights are indeed taking place.”  At the same time, it cautioned that Cure53 “operated as a purely technically-driven team and an unbiased investigating entity,”  and therefore “is not a party in any way involved in making final judgements as to whether human rights violations take place from legal, social or political standpoints.”

N.B.:  Cybersecurity and compliance teams at companies doing business in China should read this report closely, with a view to identifying potential cyber-vulnerabilities if their companies allow employees in China to use their personal mobile devices for business under a “Bring Your Own Device” (BYOD) policy.  As the Cure 53 report indicates, the capacity of the app to access and collect such vast amounts of information raises substantial questions about the interest of Chinese police and security authorities in also accessing business and proprietary data.  Cybersecurity and compliance officers may therefore need to pursue appropriate revisions in their BYOD policies.