Showing posts with the label Meitu. Show all posts

Friday, March 17, 2017

Chinese Paranoia

China adds Pinterest to list of banned sites
by Sherisse Pham

China's Great Firewall is cracking down on Pinterest, the social media platform popular for letting users share, or pin, items of interest to a virtual board.
For years, Pinterest has been freely accessible in China, most likely because its users typically don't share content that would rattle Chinese censors. 
People mostly use the site to pin images and tips on home decor, hair styles, cooking, wedding planning and fashion.
The Pinterest block started earlier this month, according to watchdog group Greatfire.org, which monitors censorship and accessibility of websites in China.
The timing coincided with China's annual National People's Congress, a sensitive time in Beijing when China's top leadership and thousands of delegates gather to set the country's political and economic course for the year.
Pinterest did not respond to a request for comment outside of business hours. 
China's Cyberspace Administration did not respond to a request for comment.
Pinterest's ban fits a pattern of China blocking sites that compete with emerging local rivals.
China's censorship has effectively "become a tool of industrial policy to discriminate against foreign competitors," wrote Cho-Wen Chu, a professor at Taiwan's Chinese Culture University, in a paper published in January.
A crackdown on Google, YouTube, Twitter and Facebook helped domestic companies such as Baidu, Youku, Weibo and Renren flourish.
The Western sites were widely used to share content China would deem highly sensitive, like the 1989 crackdown on Tiananmen Square protests, Tibet, or the Dalai Lama.
But Pinterest, Facebook's Instagram, or even Snapchat, are not known for their political content.
"China's 'national security' concerns may be only a convenient excuse to favor domestic dotcoms by impeding fair competition," according to Chu.
Banning Western rivals gives Chinese tech companies, including Alibaba's Pinterest rival Faxian, and Instagram imitator Meitu a huge advantage.
China has 731 million internet users, and 95% of them access the web on mobile devices, according to data from the China Internet Network Information Centre.
With that many mobile users tapping into apps and shopping on their smartphones, China is a lucrative market for any social media platform, a fact not lost on Pinterest President Tim Kendell.
Pinterest's position as a "catalogue of ideas" rather than a social network gives the company a big push in areas of the world like China, Kendell said in an interview with Fox News last year.
Pinterest users "are not there to share things with their friends and family, they are not there to find out what their friends and family are doing. So it's not this community planning tool," he said.

Tuesday, February 21, 2017

China's Espionage Tools

Foreign users are staying away from Chinese apps
By Viola Zhou

Chinese technology companies with global ambitions still share one common hurdle: they cannot protect users’ private data, thanks to Beijing’s pathological internet controls.
From cellphone makers to social media platforms to photo-editing apps, Chinese internet products stir up privacy controversies when they tap overseas markets.
The latest to come under the spotlight is an app that applies virtual makeup on selfies.
Meitu has been popular in China for years with its parent company launching a US$630 million initial public offering in Hong Kong last year.
Its recent rise to fame in the west, however, was followed by media reports denouncing the beauty app for selling people’s personal and phone information.
The company has refuted the claims, but knowing their data was being sent to China was enough to scare off consumers abroad.
“They have prejudices against China,” Meitu’s chairman Cai Wensheng said at a media briefing earlier this month. 
“Our company is in China. Of course our servers are based there.”
Meitu’s experience highlights a deep distrust of Chinese IT products among foreign consumers, especially as the Chinese government continues to tighten its grip on cyberspace.
To get past this global perception of the country’s censorship paranoia, analysts say mainland tech companies must try to commit themselves to more transparency, to win over the hearts and minds of overseas users.
Security concerns are not new to China’s tech sector, of course.
Telecom gear made by Huawei and ZTE was labelled a national security threat by the US government in 2012, while phonemaker Xiaomi faced data privacy investigations in Taiwan and Singapore.
New internet regulations issued by Beijing only added to the worries that mainland products pose privacy threats.
A controversial cyber security law passed in November requires internet operators to store internet logs for at least six months and provide “technical support” to any investigations involving potential crime or national security.
During the Meitu controversy, technology bloggers and security commenters based their accusations on a Chinese regulation issued in June last year requiring China’s app developers to verify users’ identities and save their activity logs for 60 days.
Both rules state they apply to those that provide internet services within China, without specifying how data from foreign users of Chinese companies is handled.
Foreign businesses said that such laws will be used to force tech firms to hand over data.
Joel Snyder, senior partner at US IT consulting firm Opus One, said western consumers remain worried that Chinese companies do not follow the moral code in protecting users’ privacy.
Spying for China

“US and European consumers know that the Chinese government has its hands in every software and hardware company and that there are numerous ways in which private information might be compromised in favour of the Communist Party,” Snyder said in an email to the South China Morning Post.
Heavy online censorship by Beijing has also hurt the image of Chinese tech companies.
The country’s most popular instant-messaging app WeChat was blocking keywords that Beijing deemed "harmful", according to a November study by the University of Toronto’s Citizen Lab.
Its parent company Tencent has insisted it "complies with" the local laws and regulations in which it operates.
Although the study also shows censors do not act on accounts registered with overseas phone numbers, people outside of China are concerned that what they say to their friends on WeChat is filtered out and monitored.
Queenie Wong, 22, who works for an accounting firm in Hong Kong, said she uses Whatsapp and Facebook’s Messenger instead of WeChat to avoid censorship.
“Overall I’m not confident about mainland apps,” Wong said. 
“The Chinese government controls the internet. I don’t want my private information to be sent there.”
Wong’s concerns are shared by her family and friends.
In Hong Kong, Tencent used to give out freebies and have local celebrities star in advertisements to boost the popularity of WeChat.
But it has so far failed to beat Whatsapp, which promises that messages cannot be read by third-parties with its end-to-end encryption.
Some have taken action to address such concerns. 
Xiaomi in 2014 shifted some of its data on non-Chinese customers from servers in Beijing to those in the US and Singapore.
Its vice president Hugo Barra at the time said on his blog that the data migration “better equips us to maintain high privacy standards and comply with local data protection regulations”.
“This is a very high priority for Xiaomi as we expand into new markets over the next few years.”
Following the most recent accusations against Meitu, it issued a statement explaining how it uses customer phone data to track app performances and customise in-app advertisements.
Its chairman said the company is also considering setting up servers in Hong Kong and the US.
“We pay great attention to privacy,” Cai said. 
“If a company fails in this area, it will not be able to develop, especially when targeting overseas users.”
Internet experts say mainland tech companies can change the negative perception with stronger and more transparent security practices.
Lam Kwok-yan, cyber security researcher at the Nanyang Technological University in Singapore, says Chinese apps or mobile phones put their users at risk because they contain malware or fail to ensure secure data transmission.
Lam said that to convince overseas users their products are safe, Chinese firms should adopt international security standards in developing the apps, testing them and handling users’ information.
Snyder also said mainland internet companies should exercise transparent security measures to gain the trust of western consumers.
“The key factor here is reputation,” he said.
“Chinese companies have made no great effort in building their reputation as developers and as trusted sources in US and European markets.”

Sunday, January 22, 2017

Nation of Spies

Popular Selfie App Meitu Sending User Data to China, Researchers Say
By Jenna McLaughlin

MEITU, A CHINESE selfie editing app, has amassed billions in downloads since launching in 2008; it’s been trendy in Asia for several years, and just recently began gaining popularity in the United States. 
The anime-style photo-editing tool, which is available through the Apple and Android app stores, features airbrushed, fairylike depictions of people.
But there’s a serious privacy and security issue with the app, according to mobile security researchers who performed tests running the application, primarily on Android phones.
The code instructs users’ phones to send a large amount of data back to China, and possibly around the world.
That information could potentially be used to spy on users and their communications.
Some of the application’s permissions, presented before users download the app, include access to the calendar, camera, geolocation data, contacts, screen resolution, photos, the contents of the phone’s USB storage, and other data.
The application also appears to be collecting the unique ID, the IMEI number, of users’ phones, according to Greg Linares, a security researcher who examined the application. 
The IMEI is a 15-digit long serial number that can pinpoint the phone’s country of origin and individual model.
Linares says the information being collected would allow someone “to pair a phone with an individual and then, with the right equipment, you can clone the phone and intercept calls, SMS.”
Cloning phones, which is illegal in most countries, is a relatively easy and inexpensive way to enable spying, according to Linares.
“The information is nice to have, good to sell to other individuals or organizations who would readily have the tools, means, and interest of cloning devices,” he wrote. 
“I doubt the company behind the app is doing it themselves…[but] there is the potential for individuals intercepting stolen information in transit as well.”
Meitu published a statement on Friday in response to concerns about the application’s privacy and security, saying that the company takes “personal data very seriously” and only collects information to improve performance of the app.
Meitu “does not sell user data in any form,” the statement says.
However, if hackers got ahold of this data, it would provide them a lot of detailed information on millions of people who have downloaded the app, according to Linares. 
“Imagine pairing this data with other compromised data,” he said, noting the massive theft of security clearance information from the Office of Personnel and Management announced in 2015—a breach tied to China.
China’s Cyberspace Administration also recently issued new rules requiring apps to collect data to authenticate users by tying them to verified phone numbers or other information.
Nick, an independent security researcher who goes by “FourOctets” on Twitter, performed a forensic analysis on an Android phone in his lab to confirm the findings. 
His tests captured the traffic as it left the device on its way to China.
The Intercept ran an additional report that revealed “information leakage” from the network: the app sent strings of numbers, including what appeared to be an IMEI number, to many different IP addresses in China.
Jay Bennett, another independent security researcher interviewed by The Intercept, decompiled the application’s source code entirely and shared it, confirming that Meitu gets the IMEI number and information like your time zone, MAC address, screen resolution, and information about your SIM Card for “business analytics.”
While the code might seem like a purposeful security flaw designed to covertly gather personal information without users being aware, Bennett and other researchers caution against calling it a backdoor, because Meitu does ask for permission to access at least some of the data. 
Users might not understand or read what they are approving, however.
“Meitu’s permissions are seriously long, and if unsuspecting users are allowing these permissions, Meitu can get this information,” Bennett wrote in a message to The Intercept.
The application now has a privacy policy published on its website that mentions IMEI data—information not previously included on the app store, according to @FourOctets. 
It’s unclear when the page was updated or published. 
But other applications created by the same company, like MakeupPlus, collect the same type of information as Meitu—but those privacy policies have not been updated, according to @FourOctets. 
Some of the company’s applications don’t have terms of service at all.
Android apps are notorious for having long laundry lists of permissions, which people rarely read let alone understand. 
Apple’s operating system has tighter restrictions and doesn’t allow apps to request such a large amount of information without a clear purpose for its use.
However, the iPhone app behaves strangely, too. 
Zdziarski, the iOS forensics researcher, ran a forensics test on an iPhone and tracked Meitu’s code. 
According to his work, which he documented in a series of tweets, the code “checks” whether or not the phone is jailbroken, and allows the developer to “use undocumented APIs”—insecurities that allow it to gather information about the phone it wouldn’t be allowed to otherwise. 
It retrieves information about your cellphone provider, and appears “to build a unique device ID profile,” he says.
The worst thing Zdziarski says he found is code that could track your location from your photo’s geolocation tags, if certain permissions are granted. 
“This app has a lot of ways to track you,” he said.
However, he said he believed the application was more of a poorly coded “cute” app with a ton of ad trackers built in, designed to generate revenue—something he sees a lot.
Matt Green, a cryptographer at Johns Hopkins University, agreed that the data being gathered by Meitu was concerning.
“Regardless,” he said, “the lesson here is: if you want to have secrets, don’t download Chinese Android apps.”

Friday, January 20, 2017

Chinese Espionage

The cost of hot selfie app Meitu? A healthy dose of your personal info
By Kate Conger

You’ve probably seen a Meitu selfie in your Instagram or Facebook feed in the past 24 hours. 
The app smoothes skin, slims down faces, and even applies a layer of virtual blush and lipgloss, adding a beautifying effect to your photos. 
And although the app has been popular in China for years — Meitu went public in Hong Kong last month — it only recently caught on with American users.
But security experts quickly pointed out that Meitu, which is free to download in Google Play and the App Store, requires way more data from users’ phones than is necessary for a simple photo app and contains some sketchy code. 
To be fair, Meitu isn’t the only app that allows users to download it for free in exchange for their data. But privacy-conscious users might want to think twice about the data they let apps collect.
It’s normal for a photo app to require permission to access a phone’s camera and camera roll, so that it can take pictures or edit ones already on the device. 
But, as information security researcher Greg Linares notes, the Android version of Meitu wants a lot more than that: the app can access information about what other apps users are running, their precise locations, their unique device identifier numbers (IMSIs), call information, carrier information and wifi connections.

The iOS version is similarly data-hungry, according to forensic expert Jonathan Zdziarski. 
Although Apple takes steps to block apps from capturing users’ IMSIs, Zdziarski points out that Meitu is grabbing information about your cell carrier and whether or not your iPhone is jailbroken. 
Zdziarski notes that some of Meitu’s code violates App Store policies on data collection.
Apple did not respond to a request for comment about Meitu.
Will Strafach, the president of Sudo Security Group, also analyzed Meitu’s iPhone app. 
“The iOS version is extremely tame with regards to analytics collection. It does obtain information which is ‘partially sensitive’ such as mobile carrier, but this is not uncommon within analytics packages. Many do this,” he says. 
Strafach runs Verify.ly, a service that lets users check the privacy protections of their favorite apps.
“People are not really aware how common this sort of thing is, I believe. Additionally, many are saying that the Android version is more invasive than the iOS version. I think it’s very good that a discussion has been started though, and I hope it will encourage infosec folks to crack open more apps and see what they do,” Strafach says.
The problem of abusing app permissions isn’t unique to Meitu — lots of free apps require users to hand over more data than necessary for the app’s core functions. 
The information could be sold to marketers, or otherwise repurposed to turn a profit.
“It’s becoming the new normal,” Linares says of invasive free apps. 
“It’s because we’re at this point in society, people want to generate their likes and retweets. People download this app and put security in the backseat to make sure they have their social media presence.”
Although Meitu says it will only use customers’ data for identity protection, service upgrades, criminal investigations and customer feedback, Linares cautions that the data could be put to use for other purposes as well. 
The IMSI number that is sent to Meitu in the Android version of the app could be used to track users across the web, as they use other apps and browsers.
“We have noticed the reports and it’s such a nice problem to have with our App being noticed by the media, celebrities, and consumers,” a Meitu spokesperson told TechCrunch in an email. 
Meitu did not respond to questions about why it requires certain types of user data, and what it does with the information. 
“The real question is, would you willingly give that data to a company you don’t know? The answer is no, I wouldn’t have. If I had the choice to not give that data, I would have said no,” Linares says.