Reinforcing and building on what Chinese users discovered when the app was launched last year, in its report OTF says JingWang scans for specific files stored on the device, including HTML, text, and images, by comparing the phone’s contents to a list of MD5 hashes. A hash is essentially a digital fingerprint of a piece of data.
According to a translation of the JingWang announcement message published by Mashable at the time, it said JingWang would “automatically detect terrorist and illegal religious videos, images, e-books and electronic documents.” Users would be told to delete any offending content with the threat of detention for up to 10 days, Mashable added.
It’s not immediately known which specific files JingWang is scanning for. OTF’s public blog post includes a list of the hashes, or the fingerprints of the files—OTF shared a list of some 47,000 hashes from the app with Motherboard. The app also has a screenshot function to capture images of the list of discovered files, OTF adds.
OTF’s report says JingWang also sends a device’s phone number, device model, MAC address, unique IMEI number, and metadata of any files found in external storage that it deems dangerous to a remote server. Motherboard found this server, unsurprisingly, is based in China, according to online records.
As for handling that data, researchers supported by OTF found JingWang exfiltrated data without any sort of encryption, instead transferring it all in plaintext. The app updates are not digitally signed either, meaning they could be swapped for something else without a device noticing.
“The app’s technical insecurity only opens its users up to further attacks by actors aside from the Chinese government. It seems there is zero interest in protecting citizens’ information, only in using it against them,” Lynn said.
Of course, it may not be all that surprising that an app designed for wide surveillance of a population doesn’t take security all that seriously, and the much broader issue is authorities forcing residents to install a piece of monitoring software in the first place. But the app still highlights China’s pervasive surveillance efforts developed over decades.
“It may also be helpful to keep in mind that this app is not first of its kind. Crime reporting/scanning apps have been introduced in smaller counties in China before they were used in Xinjiang,” Lotus Ruan, a researcher focused on China at The Citizen Lab from the Munk School of Global Affairs and the University of Toronto, and who reviewed the OTF research for Motherboard, wrote in an email.
Human Rights Watch’s Richardson said, “This is really just the Orwellian, highly technical version of that same impulse; to gather massive amounts of information.”
Correction: This piece has been updated to clarify that the researchers who investigated JingWang were not from OTF itself, but that OTF supported the work of the external researchers.