
Chinese police are forcing whole cities to install an Android spyware app, Jingwang Weishi. They are stopping people in the street and detaining those who refuse to install it.

Knowing that I may be forced to install it sooner or later, what are my options to prepare against it?

Ideally:

  • Make it appear like the app is installed and working as intended,
  • without having it actually spy on me.

The app is downloadable and documented. It basically sends the IMEI and other phone metadata, as well as file hashes, to a server. It also monitors messages sent via otherwise secure apps. I don't know whether it includes sophisticated anti-tampering features or not.

I can't afford two phones nor two contracts, so using a second phone is not a viable option for me.

Citizen (question edited by schroeder)
  • How do police check whether or not the application is installed? – forest Sep 24 '18 at 13:49
  • @forest: They just take the phone, find the app, open it, and check some status screen, I presume. – Citizen Sep 24 '18 at 13:52
  • Then it is very possible that you could use a dummy program which mimics the interface/behavior of this spyware. Perhaps you could even use the spyware itself, but "crippled" (i.e. use a firewall to prevent it from accessing the internet, assuming its status screen won't give away the fact that it is unable to contact the server). – forest Sep 24 '18 at 14:04
  • The status screen will almost certainly give away any attempts to firewall the app, drawing more attention to you when they see that your internet connection is working. – flerb Sep 24 '18 at 15:43
  • @trogdor of course the problem is the risk of doing things wrong (or not fully understanding the ecosystem and getting caught as a result). I imagine the consequences for getting caught trying to fool the police/app are not going to be small... – Conor Mancone Sep 24 '18 at 16:14
  • Isn't the cliche in the security world that, if an attacker has physical access to your device, it isn't your device anymore? It's not hard to imagine that some clever attempts to evade the spyware might work in the short term (at the risk of provoking law enforcement), but if they're really going around forcing everyone to convert, they'll likely just get more adept and aggressive about it in the near future. – Nat Sep 24 '18 at 17:37
  • The primary experience with security of most people here will be in a corporate setting. The attitudes, adversaries, and resulting threat models are pretty fundamentally different from those of a citizen in a totalitarian setting. Professional infosec thinking can usually rely on law enforcement as an ally or at least as non-hostile; the rules are very different when they are your adversary. None of the existing answers address how to deal with an adversary who can make you disappear if they discover attempts to resist them. That's simply not a threat faced by most security professionals. – user371366 Sep 24 '18 at 18:45
  • None of the answers mention this. It's a pretty bad idea to present a solution as universal when it could be devastatingly insufficient to some people. This is meant to be a reference site, that presents canonical answers to questions. None of these answers limit their scope appropriately. Also, the camps are only one risk. The Chinese government takes very poorly to activism of any sort, and if someone's interested in preventing government spyware from being installed on their phone then chances are they don't view their government with very high regard. – user371366 Sep 24 '18 at 18:59
  • @dn3s no one is presenting a "universal answer". They are all ideas. And while the site strives to be canonical, no one can assume that all accepted answers are. – schroeder Sep 24 '18 at 19:16
  • When contemplating circumvention measures always keep in mind the resources and possible responses of those imposing whatever you're trying to get around. No matter how clever and tech savvy you are you're unlikely to be better than the combined capabilities of a state funded security team looking for people circumventing monitoring measures. Don't make the mistake of assuming that your opposition is stupid or incompetent and that they will remain that way. – fencepost Sep 24 '18 at 21:19
  • If you have a potential answer, please post as answers. If you wish to discuss details in other comments, please take to chat. If you want to discuss philosophy, [there's a Stack Exchange for that](https://philosophy.stackexchange.com/). – schroeder Sep 25 '18 at 12:48
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/83627/discussion-on-question-by-citizen-police-forcing-me-to-install-jingwang-spyware). – schroeder Sep 25 '18 at 15:34
  • What if you don't have an Android phone? What if you had a feature phone instead? Or an iPhone / Windows Phone / FireFox / Blackberry? (this may be a stupid question, but I don't know anything about phone providers in China) – Dark Hippo Sep 27 '18 at 13:52
  • I can't leave an answer due to the protection element (been lurking, don't have enough non-bonus points). You need to work out how they validate or prove it's been installed. If you can create a 'dummy' copy of the spyware, install that, so when it's physically checked it appears to be working, then you can say 'it's already been installed officer', but that takes a great risk (if they verify it technologically, it'd need to be a working version). You also need to ask yourself what you need the phone for (I presume it isn't just for calls) - is there something else that could do its job? – SE Does Not Like Dissent Sep 27 '18 at 13:59
  • While not an answer, since this might vary from phone to phone, on my Samsung S8 I have a "My Safe" (or however it's called in English) - part of the Samsung Knox security suite, an isolated part of the phone where non-authorized apps don't have access. It can be used to take pictures and data securely (data is encrypted) - this data SHOULD be safe from the prying "eyes" of other installed apps (unless explicitly given access to the safe). That said, if your phone is rooted and / or you don't have this feature, then this solution (obviously) won't work. – Shaamaan Sep 30 '18 at 17:58
  • You, or someone with experience, can: 1. Download the app (.APK) 2. Decode the app and read the code 3. Remove API calls / bad functionality / etc. 4. Build the app and run it on your phone (you can send the file by mail). Now you have the exact same app without the bad things. It looks the same, both icon and functionality, but it doesn't send your info to the "bad" guys. :) – Otziii Oct 02 '18 at 10:51
  • It would be helpful to know why Citizen wants to avoid being spied on, and how much time and effort they are willing to put in to do so. If the goal(s) and how important they are, absolutely and relatively, are clarified, the answers can be more tailored. Citizen, are you still around to answer? – WHO's NoToOldRx4CovidIsMurder Oct 08 '18 at 00:10
  • Is this happening only in Xinjiang (and possibly Tibet)? Or also even in the "Han heartland" cities (Beijing, Shanghai, etc.)? – user20311 Feb 20 '19 at 01:54

18 Answers


This may not be the answer you will be happy with but how about abstaining from having any undesirable data inside your phone in the first place and instead using the right tool for the job?

According to Wikipedia:

The app records information about the device it is installed on, including its [...] IMEI, the phone's model and manufacturer, and the phone number. The app searches the phone for images, videos, audio recordings, and files [...]

So, instead of trying to tamper with this spyware in any way (which can get you into much bigger trouble), simply don't do anything suspicious on this phone and let this app do its job. Prepare against it by not having any photos, videos, audio, files, etc., and instead use the right tool for the job. Use some other secure software/hardware to connect to the internet, use an encrypted email provider and do all of your communication through the computer, where you can communicate safely, and store all of your files somewhere safe (encrypted, on a computer or USB stick, etc.). Pretend to be an obedient citizen and use the right tool for the job to do whatever it is you don't want your government to find out.

Some people may wonder why bother having a phone in the first place (and FYI, I asked the same question under OP's question, for clarification). My answer is:

  1. to make phone calls (and have conversations which are not going to be considered suspicious by the Chinese government, in case they are tracking that too)
  2. to use it as a "red herring" - if the police ask you to give them your phone you won't have to lie to them that you have no phone, or worry that they will find out that you tampered with the app, or get in trouble if you don't have the app, etc. You'll just confidently give them the phone, with no "illegal" information on it, they will check it, and walk away. You may, actually, even have some "red herring" files: pictures of nature, a shopping list (milk, eggs, etc.), etc., just so that they wouldn't suspect that you are deliberately not using your phone for such purposes, and harass you further.

I mean, not long ago mobile phones didn't even have the ability to store pictures, videos, files, etc.

Are you willing to put your life in danger simply because you want to have some files on your phone?

Tough times require tough decisions.

wha7ever
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/83672/discussion-on-answer-by-alex-l-police-forcing-me-to-install-jingwang-spyware-app). – Rory Alsop Sep 26 '18 at 09:51
  • Reminds me of the alleged habit of New York City inhabitants of the 1970s and -80s, when crime was at a high, to [carry two wallets](https://www.nytimes.com/1982/01/31/nyregion/fear-of-crime-is-now-woven-into-the-fabric-of-city-lives.html) -- one with 20 dollars or so for a mugger and the other one with the real valuables. (Any parallels between police and muggers are, of course, entirely coincidental.) – Peter - Reinstate Monica Oct 04 '18 at 12:35

Get a phone which doesn't support Android apps.

Why are so many of the answers complex? And not just complex, fragile and suspicious and downright dangerous to the questioner?

You want to use your phone to send messages and make calls, right? You don't want this app installed, right?

Say hello to your new phone:

[image: an old feature phone]

Good luck getting an Android app running on this.

It's probably not illegal to have an old phone.

Murphy
  • *It's probably not illegal to have a crappy old phone.* The OP would need to make very sure that is indeed the case. – gerrit Sep 26 '18 at 11:53
  • Be wary - my Nokia 6310 supported Java, and stored up to 102 kbytes of JAR files. And even worse, it was Java. – Criggie Sep 26 '18 at 11:56
  • @Criggie While it's possible that they've got a Java version of the app... I'm betting they didn't get into that nightmare and just wave people on if their phone doesn't support the app. – Murphy Sep 26 '18 at 12:00
  • I agree with you. Getting this type of phone is the best solution IFF this won't draw suspicion from police even further. I asked the OP in comments if he can get a simple phone or live without a phone at all, but didn't get a reply and now my comment is deleted. Whatever. Regardless, an additional "benefit" of keeping an Android phone with the running app is for it to be a "red herring". You give up a little bit of privacy in order to not get yourself into even **bigger trouble**. What's better: the government knowing exactly where you are at any time, or sitting in jail? – wha7ever Sep 26 '18 at 13:10
  • Only problem, they can still listen to all your calls, read your texts and track your whereabouts through carrier surveillance. May be worth mentioning. – Daniel Sep 26 '18 at 15:33
  • @Daniel sure, but that's a given with any phone. If you really want to communicate securely and want something low-profile get the version with basic internet and get a Java app that can encrypt chat, then bury the Java app between a dozen Snake clones and make sure it doesn't save any history. – Murphy Sep 26 '18 at 16:34
  • You can get one of these with Bluetooth tethering (my Nokia candybar in 2009 did it) and carry an "unphone" Android device with no SIM card that you run actual apps on. – R.. GitHub STOP HELPING ICE Sep 27 '18 at 01:46
  • @Murphy So you are actually recommending a phone without any available security updates while it's still possible to run arbitrary code on it? Despite that: Where's the difference to a smartphone where most of the 'smart' features are simply not used? – Noir Sep 27 '18 at 12:08
  • @Noir A phone which has rarely seen serious security issues, low feature and incapable of installing the app which the questioner specifically wants to avoid having installed on their phone. Random Chinese cops are not going to start looking through the Java API for the phone to code up a custom Java version of the app in question. Regardless of whether someone could theoretically write it. I'm talking practice rather than theory. – Murphy Sep 27 '18 at 12:15
  • Why not an iPhone? – SafeFastExpressive Sep 28 '18 at 02:43
  • Sadly, from what I've heard - having a non-smart phone *does* cause you problems in that province. – Danimal Sep 28 '18 at 09:25
  • Something like the upcoming Librem 5 that's a smartphone but can't run Android apps and isn't mainstream enough for them to develop a specific application for might also work, but only if their response to not being able to use their tracking app isn't going to be just stapling a transponder tag to your ear... – Perkins Sep 28 '18 at 21:00
  • @Murphy Police will likely start developing on this phone if they notice that most dissidents they track have a Nokia 3310. Or, well, maybe not even: Have a 3310? They assume you have something to hide and start tracking you. – dim Sep 30 '18 at 21:12
  • @Criggie I used Java apps a lot on a more modern phone than this one, and they don't run unless you select them, and you can't do anything else while one is running. – user253751 Oct 01 '18 at 02:25
  • Could also get a Blackberry or an iPhone I suppose as well. – ouflak Oct 02 '18 at 15:26
  • JavaME applications do not support spying at all. – Sauron Oct 03 '18 at 19:21
  • @dim I guess non-smart phones have not disappeared from China. You will look more suspicious with a "Librem 5". – user285259 Oct 03 '18 at 19:56
  • The Gibbs method, I approve! :D – user1067003 Feb 06 '19 at 15:04
  • I do not understand why this answer has so many upvotes. One should not stop using technological devices just because some entity can spy on you. Would you stop using your computer and start using traditional letters to communicate with people, knowing that there is a risk that someone can spy on your computer, or that someone is doing it? Or would you rather try to find a solution to that problem and keep using your computer? – Pedro Gomes May 11 '19 at 11:00
  • @PedroGomes I disagree. If a technical device is too unsafe, then it is only prudent to stop using it and find an alternative. Of course, if you can still safely use them then you should do so, but that's not always possible. Switching to a different technique _is_ a valid solution to certain threats. Consider an obvious example: If you are a prisoner and wish to communicate outside the prison but the prison has GSM jamming equipment set up, do you try to use a cell phone anyway despite it being a nearly insurmountable task, or do you pass paper notes to someone who can deliver them covertly? – forest Jun 08 '19 at 02:21
  • You will definitely raise suspicion with this phone. Human Rights Watch analyzed an app which was used to track the behavior of people living in the Xinjiang region. (This is also where Jingwang is used.) Here's an excerpt of their report: `[..] The app’s source code also reveals that the police platform targets 36 types of people for data collection.Those include people who have stopped using smart phones [..]`. You can find the report here: https://www.hrw.org/video-photos/interactive/2019/05/02/china-how-mass-surveillance-works-xinjiang – Noir Jul 07 '19 at 21:11

This is a tricky one. It goes without saying, but it's also a dangerous one. Attempting to circumvent these restrictions and getting caught doing so will potentially cause a lot of legal trouble. If they throw people in jail for refusing to install the app, I wouldn't want to figure out what they do to people circumventing the app restrictions. It is especially relevant because even experts in tech security have gotten caught by their governments despite extensive safeguards (the founder of Silk Road is a great example and is now serving a life sentence). Granted, evading this app is most likely a much less serious "crime", but the Chinese government isn't exactly known for lenience here. So while I would like to answer your question, please don't take this as me suggesting that you actually do any of this. I consider myself a tech-expert, but I still wouldn't do it.

Still, to answer your question, you have a few options. I won't bother mentioning the "Get a second phone" option because you've already ruled that out.

1. Virtual Machine/Dual Boot

There are some options for "dual booting" android phones. I don't have any examples to immediately link to (software suggestions are off topic here anyway) but there are options. If you can get your phone to dual boot then you can install the tracking software on one ROM and then do all your personal stuff on the other. You may need to put some basic information on the ROM with the tracking app installed just so you don't raise too many flags.

Of course there are still risks here: risks that they might reboot your phone and notice, risks that they might realize you have a completely different system installed next to the tracked one, and the simple risk that you would go out and about and forget to reboot into the "tracked" system, allowing a police officer to find and install the tracking app on your actual system.

2. App modification/interceptors

If this app creates enough bad press it is possible that anti-tracking apps or hacked versions of this app may start floating around that try to automatically protect you from it. I would not expect there to be any general tools already available that would protect you from this, so this is something that would simply take lots of googling or (perhaps) requests to the right people. This has a major downside that unless you are an expert at reverse engineering, there isn't much to do to make this happen. It's also hard to estimate what the risks of detection are. That will obviously vary wildly depending on the skill level of the person who put it together.

3. Server Spoofing

Depending on your level of technological know-how you might be able to put something together yourself (note: this is not for novices). Based on what I know and my experience in this area, I'm going to try to summarize some details about what a server-spoofing measure might look like. Again, I'm not summarizing this because I think you should do it, but because understanding how things like this operate can be generally informative and also help understand the risks therein.

Built-in security

First, we need to understand how this spying app might secure itself. From all information available so far, the answer is "it doesn't". This is a pretty simple conclusion to come to because the app communicates exclusively through HTTP. It is very easy to intercept HTTP requests, either from the device itself (if your phone is rooted) or with network sniffing tools on a computer attached to the same network as the device. Most likely it is also very possible to easily figure out how the app authenticates itself with the end-server and how the end-server authenticates itself with the app. In all likelihood there is no authentication in either direction, which means that spoofing requests in either direction is trivially easy. This might be hard to believe (given that a country like China sets aside lots of resources for invasive technology like this), but the reality is that if the people who developed this app wanted to secure it from outside tampering, using HTTPS for transit would be the very first step to perform. It is cheap, easy, and very effective. The lack of HTTPS means that it is very likely that there is no actual security in this ecosystem, which is a plus for anyone trying to evade it.

Sniff all traffic coming out of this app to determine what requests/responses it makes

This is the first step. By watching the traffic leaving this app (which can be easily intercepted in the network itself since there is no SSL encryption) you can figure out what requests it sends to the destination server and what responses it expects back. Understanding the underlying API is critical, but easy due to the lack of encryption. This will also let you know if there is any authentication happening in either direction. If there is, you can at least see the full request and responses, so you can most likely figure out how to spoof it. It is possible that there is some hard-to-reverse-engineer authentication going back and forth, but again, given the lack of basic encryption, I doubt there is any such thing built in.

Figure out if the app is talking to a domain name or IP address

The destination server the app is talking to is either found via a DNS lookup or has its IP address hard-coded in the app. In the event of the former you can edit the DNS for your android phone to repoint it to a different server, including one running on your phone. In the event of a hard-coded IP address you will similarly have to redirect all traffic to that IP address to your local android phone (presumably you can do this with Android - you can with other operating systems, but you would definitely have to root your phone).

Setup a replacement server

You then setup a local server that responds to all requests just like the server did in your initial spoofing. You would have to get this server to run on your phone itself, that way it is always available. This doesn't necessarily have to be complicated (although that depends on how detailed the actual server interaction is), as you don't actually care about keeping any data on hand. You just need to make sure that you provide valid responses to all requests.

Risks:

  1. The app may auto-update itself (although your mock-server may make this impossible) and point to new domains/IP addresses, suddenly removing your protections
  2. If there is auto-update functionality and you end up unintentionally killing it (which would be good per point #1 above), a police officer may notice that it is not properly updated, flag you for "extra" checking, and discover what you are doing.
  3. They may do server-side tracking and discover what you are doing because they don't find any data on their end for your particular IMEI (because your mock-server acts like a black-hole and sucks up everything). Even if you send spoofed requests there will be easy ways for them to determine that (imagine the police copy a blacklisted image to your phone and discover that the app doesn't block/report it)
  4. They may have root-checking in the app itself, which will cause you problems

Actually, that's it

I was trying for a longer list but that is really what it all boils down to. Short of not carrying around a phone or purchasing a separate one, these are about your only options. For reference, I haven't gone into details about the server spoofing because I think you're necessarily going to go out and do it. If anything, I've gone through it because it gives an opportunity to talk through the risks in more detail, and those should make it clear that there are a lot of risks. Even if you find a solution from someone, they have to deal with all of these same risks (or ones like it). Right now this app sounds like it is poorly executed and easily fooled, but depending on how much the Chinese government decides it cares, that could change very quickly. At that point in time not getting caught basically turns into a cat-and-mouse game with the Chinese government, and that isn't realistically something that someone can continue to win for an extended period of time. There are a lot of risks, so tread lightly.

Conor Mancone
  • There is one more risk to consider too: other channels used less frequently, and not necessarily for security, just for convenience. I can say that I made an application which normally communicates in plain text every half hour, but 4x a day it also uses another channel for other data, and sometimes (from once a week to once every three months) uses yet another channel for a totally different kind of data. (And sometimes it updates itself.) Lack of any of these communications is reported as a big red error at the central server. And it has nothing to do with spying or security, just with the primary function of the app. – gilhad Sep 25 '18 at 03:46
  • There are a few more: sandbox the app + sandbox apps that you want to hide, off the top of my head. – chacham15 Sep 25 '18 at 06:05
  • actually HTTPS is not very effective on either Android devices or iOS devices. The free version of Fiddler Proxy (+ [this plugin](http://fiddler2.com/r/?FiddlerCertMaker.)) has everything needed to generate a fake certificate, install it on the phone, and perform MITM https-decryption, modification, redirection, and blocking. I've used this myself several times to study and cheat in mobile games (and study the Facebook Messenger / friends API). – user1067003 Sep 25 '18 at 08:14
  • @user1067003 Sure, performing a MitM on yourself is very doable. I wasn't trying to imply otherwise. However, it is still harder than simply sniffing network traffic for an unencrypted connection. My point was that SSL is the first and most basic security step for web systems, and also very easy to do. Anyone who is not bothering with HTTPS these days simply isn't trying, and SSL certainly does provide *a* barrier from simple snooping. Add in HSTS and public key pinning and you're starting to get about as secure as possible on someone else's device. – Conor Mancone Sep 25 '18 at 10:33
  • Another risk of a local server is making it as slow as interactions over the air with the real server. – WGroleau Sep 26 '18 at 11:27
  • I'm not exactly an expert on mobile communication, but AFAIK any phone comes with both an IMEI (spoofable, but it's tricky) and an IMSI (not spoofable, as it's the ID of your phone in the network). Considering the capacities of China's surveillance I would be astonished if they couldn't detect a phone with a unique ID having the app active only sporadically. Let alone sniffing on higher levels of the system or examining the entire storage when the app is running. – Paul Sep 26 '18 at 17:52
  • **Any** of these can be **remotely** detected, this is just a matter of state will. – user285259 Oct 03 '18 at 18:30
  • @user285259 yup. That's pretty much the gist of what I was trying to say at the very end of my answer. – Conor Mancone Oct 03 '18 at 18:39
  • The reference to the founder of the Silk Road isn't really relevant as he was neither a tech security expert, nor was he caught despite an abundance of caution. He was essentially caught because he posted questions in forums with traceable accounts that referred back to Silk Road before it was well known. The FBI didn't cut through TOR's encryption. – Dean MacGregor Oct 03 '18 at 21:21
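The following is an added example of the "server spoofing" steps described in the answer above (sniff, classify the target as IP literal vs. domain name, replay canned responses from a local server), and of gilhad's point that a real client may use channels the capture never saw. It is not code from the answer, from the spyware, or from any real server. Assumptions: the client speaks plain HTTP; the paths `/api/v1/checkin`, `/api/v1/policy` and `/api/v1/update` are hypothetical; the "captured" exchanges are constructed sample data. The step of actually redirecting the app's traffic to the loopback address (a hosts-file entry for a domain name, or a packet-level redirect for a hard-coded IP on a rooted device) is device-specific and not shown.

```python
"""Capture-and-replay mock for an HTTP-only client (added example, constructed data)."""
import http.client
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def http_message(start_line, headers, body):
    """Assemble a raw HTTP message with a correct Content-Length (builds the samples)."""
    hdrs = dict(headers)
    hdrs["Content-Length"] = str(len(body))
    head = "\r\n".join([start_line] + [f"{k}: {v}" for k, v in hdrs.items()])
    return head.encode("iso-8859-1") + b"\r\n\r\n" + body


# Constructed sample captures (hypothetical endpoints, not any real app's API):
# (request, response) pairs as a sniffer on the same network would record them.
CAPTURED_EXCHANGES = [
    (http_message("POST /api/v1/checkin HTTP/1.1",
                  {"Host": "203.0.113.7", "Content-Type": "application/json"},
                  b'{"imei":"000000000000000","ver":3}'),
     http_message("HTTP/1.1 200 OK", {"Content-Type": "application/json"},
                  b'{"status":"ok","next":3600}')),
    (http_message("GET /api/v1/policy HTTP/1.1", {"Host": "203.0.113.7"}, b""),
     http_message("HTTP/1.1 200 OK", {"Content-Type": "application/json"},
                  b'{"blocked_hashes":[]}')),
]


def parse_http_message(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify_target(host_header):
    """'ip' when the Host header is an IP literal (hard-coded address: needs a
    packet-level redirect), 'domain' when it is a name (hosts-file entry suffices)."""
    name, _, port = host_header.rpartition(":")
    if not name or not port.isdigit():      # no ":port" suffix present
        name = host_header
    try:
        ipaddress.ip_address(name.strip("[]"))
        return "ip"
    except ValueError:
        return "domain"


def build_replay_table(exchanges):
    """Index captured responses by (method, path) so they can be replayed verbatim."""
    table = {}
    for req_raw, resp_raw in exchanges:
        req_line, _, _ = parse_http_message(req_raw)
        method, path, _ = req_line.split(" ", 2)
        status_line, resp_hdrs, resp_body = parse_http_message(resp_raw)
        table[(method, path)] = (int(status_line.split(" ", 2)[1]), resp_hdrs, resp_body)
    return table


class ReplayHandler(BaseHTTPRequestHandler):
    """Answers every request from the replay table; stores and forwards nothing."""
    table = {}
    misses = []   # (method, path) the capture never covered: each one is a detection risk

    def _serve(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain, then discard
        key = (self.command, self.path)
        if key in self.table:
            status, hdrs, body = self.table[key]
        else:
            self.misses.append(key)        # unknown channel: record it, answer generically
            status, hdrs, body = 200, {"content-type": "application/json"}, b"{}"
        self.send_response(status)
        for name, value in hdrs.items():
            if name != "content-length":
                self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = _serve

    def log_message(self, *_):
        pass


def replay_roundtrip(exchanges, requests):
    """Serve `exchanges` on a loopback port, send `requests` as (method, path, body),
    return ([(status, body), ...], list of uncovered (method, path) keys)."""
    ReplayHandler.table = build_replay_table(exchanges)
    ReplayHandler.misses = []
    server = ThreadingHTTPServer(("127.0.0.1", 0), ReplayHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    results = []
    try:
        port = server.server_address[1]
        for method, path, body in requests:
            conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
            conn.request(method, path, body=body, headers={"Content-Type": "application/json"})
            resp = conn.getresponse()
            results.append((resp.status, resp.read()))
            conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return results, list(ReplayHandler.misses)
```

The `misses` list is the part worth watching: every request the mock answers generically is a request the real server would have seen and the mock cannot fake, which is exactly risk #3 in the answer and the extra channels gilhad describes. If that list is not empty after a few days of normal use, the capture was incomplete.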

They can execute code on your device while they have physical access to it. And you can't refuse it. I'm sorry to say that but you are basically doomed. There's no way to trust this device anymore. That's part of the 10 immutable laws of security. In your case the rules #1, #2, #3, #6 and #10 are applicable.

But when you act like you don't trust the device you could raise their suspicion. Maybe. Because nobody knows what they are actually doing with the collected data. Maybe nothing at all. In the "best" case it's primarily for spreading FUD.

But when they are actually using the data it's easy for them to spot burner phones and all kinds of tampering. As far as I know you only get a SIM card by identifying yourself with your ID. Since the spyware reads identifying information like IMEI and IMSI they can simply compare the collected data from the phones with the purchase records. They can combine this with behavior tracking based on metadata collected on the phone (which apps are used and how often, how long the screen is on, etc.) and the mobile network (data usage, location based on cell tower, etc.). Since they can do that on a large scale, they can spot strange usage patterns from your usage history or from how an "average" user behaves. Of course there's a vast amount of ambiguity and such in this data, but they have the ultimate interpretational sovereignty.

You must also keep in mind that you need to keep your measures working all of the time because it could always happen that you get stopped on the street again.

I'd like to emphasize rule #10. You are basically trying to solve a social problem with technology - just as your government does.

Noir

Use a custom ROM (two, to be correct).

Android phones can have more than one ROM installed, and you choose one or the other. So install two copies.

On the clean ROM you install the spyware, anything not dangerous, games, whatever you feel clean. On the secure ROM you install things you don't want anyone to know about.

Keep the clean ROM running almost all the time, especially when you are out of home. Boot into the secure ROM only when you really need to.

You will need to keep a secure mindset too, to have awareness of what ROM you are using and what content you can create or access. That is the main point of failure. Using a different keyboard on each ROM, or different OS languages can help: Chinese on the clean, English on the secure, for example.

But first you must weigh the risk/reward of doing so. If the risk of getting caught plus the mental effort to keep activities and files containerized is worth the benefits of bypassing the spyware, do it. Don't do otherwise.

ThoriumBR
  • Whether this is possible is extremely dependent on the particular phone, even if Android is a given. – Matthew Read Sep 24 '18 at 22:33
  • What stops them using the logs of the mobile phone network to check that the app is running at all times the phone is connected? – Ian Ringrose Sep 25 '18 at 08:08
  • Apps don't run all the time, and OP should not run the secure ROM all the time. – ThoriumBR Sep 25 '18 at 11:36
  • @ThoriumBR Surveillance apps presumably *do* run all the time. – Ray Sep 25 '18 at 16:32
  • But they don't run all the time. Or the battery will run dry in a couple of hours, more people will know something is wrong, and lots of angry people will have incentives to bypass the surveillance. They are presumably meant to be invisible and unobtrusive. They will log things here and there, and send data from time to time. – ThoriumBR Sep 25 '18 at 16:45
  • @ThoriumBR A mobile phone doesn't go to sleep when not in use like a closed laptop; if nothing else, it will be constantly checking with transmitters to ensure it can receive incoming calls. It seems perfectly plausible to me for a background application to be logging many times a minute whenever the phone is switched on; saving to a local, encrypted database; and periodically uploading reports to a central server. Gaps in that log might be viewed as suspicious, particularly if they can be compared against logs demanded from the network operator. – IMSoP Sep 25 '18 at 17:12
  • Apparently this is a contentious topic - so far this is the only answer with a positive score that doesn't have any downvotes. lol! – Conor Mancone Sep 25 '18 at 17:17
  • @ThoriumBR The assumption that they want the app to be invisible and unobtrusive is also dubious. The Chinese government conducts surveillance by coercion, not subterfuge - they're not installing this app remotely without users' permission, they are (allegedly) demanding that they install it under threat of arrest. They have no motivation to hide what it does; anyone who gets angry and decides to bypass it can simply be publicly punished as "subversive"; that's how totalitarianism works. – IMSoP Sep 25 '18 at 17:18
  • @IMSoP: I used to frequently put my phone in airplane mode to save the battery. But your point is valid, and one that most of the answers miss: that if any method succeeds in stopping the reporting, the government will (or can) notice the gap. – WGroleau Sep 30 '18 at 23:54

I'd recommend you just go with it. The Chinese police don't just stop any random person in the street and ask for their phone. They stop Uyghurs.

This happens for reasons which are somewhere in between "mitigate a real threat" and "Woah, no go, dude", but whatever it is, it's what the government does, so it's legal and "right". No benefit of the doubt, and no presumption of innocence, no Sir. By Western standards, it's kind of unthinkable, but you cannot apply the same standards there.

So the situation is that you are easily identified as Uyghur, both from looking at your face, and from the fact that the police know. They know who you are and where you live. And sure they know whether you've been stopped before. Again, you're not being stopped at random. You're stopped because you are already a well-identified target, on their screen.

It isn't even unreasonable to expect that your Internet traffic is monitored (targeted) and even asking about how to circumvent the measures may move your name onto a different, higher-priority list.

You can bet that the police keep a list of people where the spyware has been installed (with device IDs), too. If no data comes in from your device, well, guess what. You'll be stopped again by the police, and they will look very carefully at why this isn't working.

So it is kind of unwise to try to circumvent (and risk being caught) what the police want. From their point of view, you are a possible criminal, and a possible terrorist. By trying to circumvent the measures you prove that you are a criminal.

The surveillance happens on the basis that if you have nothing to hide, then you need not bother if they're watching you. Again, by Western standards, this stance would in no way be acceptable. But whatever, in China it's perfectly acceptable.

I wouldn't want to risk disappearing in a detention camp if I was you. Rather, let them have their spyware, and simply don't do anything that isn't opportune to the system.

Damon
  • Given how insecure the spyware appears to be, simply installing it will likely open you up to attacks from actors other than the Chinese government. – AndrolGenhald Sep 25 '18 at 16:50
  • @AndrolGenhald: Probably, but if you can't leave the country, what else do you want to do? Not complying is not an option, really. – Damon Sep 25 '18 at 16:52
  • The situation certainly sucks. I just wanted to point out that even if you accept that it's ok for the Chinese government to do this, there are still other risks. – AndrolGenhald Sep 25 '18 at 17:03
  • This doesn't really answer the question. It's about "I know I'm targeted. How do I defend?". Your answer is basically "How to avoid being targeted" and therefore not really answering the exact question. – iBug Sep 27 '18 at 11:02
  • @iBug: That's true, but sometimes "Don't do it" is the right answer. There's too much at stake, and chances that OP gets caught are high (I'd say 99%). The spyware transmits the IMEI, so they know _exactly_ who isn't sending. They _also_ know exactly who had the spyware installed. So... not good. – Damon Sep 27 '18 at 11:06
  • This doesn't answer the question, and what is worse, it's accepting a total loss of privacy... – Mr. E Oct 03 '18 at 00:34
  • @Mr.E: It _does_ answer the question. The in my opinion only correct answer is "Don't do it". Given the circumstances, any other answer is just irresponsibly dangerous. Being targeted individually by a governmental institution (as is the case) means your chances of being smarter than the system and getting away are close to zero. This is a suicide move. Given "no privacy" and "die in detention" as alternatives, I know which one I'd choose. Your opinion may differ, and feel free to downvote. – Damon Oct 03 '18 at 08:28
  • "even asking about how to circumvent the measures may move your name onto a different, more high priority list." .... makes me think that if I wanted to find how to defeat those attempting to defeat my security system, I would pose as someone just like OP here and review all the answers for further closing of loopholes. IOWs, this entire question and answers appear to help the security of the government perhaps even more than individuals. Hmmm – chux - Reinstate Monica Oct 03 '18 at 19:46

First of all, I think you should search for solutions that are already implemented by other people. For instance, what do other people in your case do to prevent the spying activities?

One possible solution would be to have a man-in-the-middle implementation analyzing the information that is being sent, altering it, and sending it to the same server and port the spyware is trying to connect to.

I read a bit about the functionality of the app, and the information it gathers is, and I quote from the Wikipedia source you provided:

sent in plaintext

Hence, after doing some tests with a packet sniffer tool and clearly understanding how the spyware and server exchanges made using the HTTP protocol work, you could, if you have root access to your Android phone, redirect the traffic of the spyware app to a process that is running in the background of your Android OS. This process would change the data that is going to be sent to the server the spyware is trying to connect to. That way, you can send data that matches another cellphone (maybe; literally faking the data is a bad idea, because that can trigger alarms).

You should also take into consideration any kind of validation processes that the spyware has implemented so you do not alter them. More specifically, the data that is in the HTTP packets’ headers and that is sent from the spyware app to the server to gracefully initiate an upload.

Of course this is theoretical, but it is a realistic thing to do. Also, you probably will require knowledge of Android programming (mostly in C or Java) and IT.

This approach is stealthy and will not require an uninstall of the spyware app. There is always a risk, but in this case, depending on the data that is actually spoofed, the risk is minimal.

Pedro Gomes
  • This will not help in case of keylogger spyware. – mootmoot Sep 25 '18 at 08:41
  • How can a keylogger affect this approach? Please explain. – Pedro Gomes Sep 25 '18 at 09:08
  • Bear in mind that a keylogger can keep data inside the phone. So if the phone is confiscated by Big Brother, the user is still susceptible to phone activity forensics. – mootmoot Sep 25 '18 at 09:17
  • I still do not understand what you are trying to point out. A keylogger logs keystrokes, that’s it; the background process has nothing to do with that. – Pedro Gomes Sep 25 '18 at 09:32
  • Do I need to explicitly say that a keylogger may also take screenshots? – mootmoot Sep 25 '18 at 09:40
  • I believe the first paragraph is the most critical one. OP is not alone in this, it's a big community of people affected and they _will_ have found a workable solution. Just be aware that the more people fooling the system, the more likely the government will pick up on it and close the loophole. If you're using a method that gets closed there's a chance their net will catch you. – Ruadhan2300 Sep 25 '18 at 10:24
  • A screenshot will not affect anything at all in this approach. How would a screenshot affect a process running in the background? It is not an app. – Pedro Gomes Sep 25 '18 at 11:01
  • @Ruadhan2300 I did not suggest this approach to be shared; I suggested he search for already existing solutions, not share mine with everyone in the same case. Depending on how the data is faked it could be hard for the government to “close the loophole”. – Pedro Gomes Sep 25 '18 at 11:03
  • @PedroGomes I believe you misunderstand me. I don't mean sharing the approach with others; I mean that finding your own solution may not be necessary if there are other people who have already done it and shared it. It's a maxim in software development that any technical problem you encounter has probably already been found and fixed by someone else; you just have to find out what they did. – Ruadhan2300 Sep 25 '18 at 11:22
  • @Ruadhan2300 I misread your comment indeed. I totally agree with you on that point. – Pedro Gomes Sep 25 '18 at 11:28
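The rewriting background process that the answer above sketches, as an added example written for this page and not code from the answer, the app, or any published tool. It is a small local HTTP relay: it accepts a plaintext request from the app, rewrites named form fields in the POST body, recomputes Content-Length so the upstream server never sees a mismatched body, and forwards the result. The field name "imei", the upstream host and port, and the form-encoded request shape are assumptions for illustration only; the real wire format has to be confirmed with a packet capture before any of this is useful.

```python
"""Local HTTP rewriting relay (added example; not code from the original post
or from the app being discussed).

Listens on a local port, rewrites named form fields in plaintext POST bodies,
and forwards the result upstream. The field name "imei", the upstream address
and the request shape are assumptions made for illustration only.
"""
import socket
import socketserver
from typing import Optional
from urllib.parse import parse_qsl, urlencode

FORM = b"application/x-www-form-urlencoded"


def rewrite_request(raw: bytes, rules: dict) -> bytes:
    """Rewrite one complete HTTP/1.x request held in memory.

    rules maps form-field names to replacement values. Only form-encoded
    bodies are touched; any other request is returned byte-for-byte. The
    Content-Length header is recomputed so the upstream parser never sees a
    body shorter or longer than advertised (the usual way a naive rewrite
    gets rejected or noticed).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return raw                           # incomplete header block: pass through
    request_line, *header_lines = head.split(b"\r\n")
    headers = []                             # [original name, lowercase key, value]
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append([name.strip(), name.strip().lower(), value.strip()])
    ctype = next((v for _n, k, v in headers if k == b"content-type"), b"")
    if not ctype.lower().startswith(FORM):
        return raw
    fields = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    new_body = urlencode([(k, rules.get(k, v)) for k, v in fields]).encode("latin-1")
    length = str(len(new_body)).encode()
    if any(k == b"content-length" for _n, k, _v in headers):
        for h in headers:
            if h[1] == b"content-length":
                h[2] = length
    else:
        headers.append([b"Content-Length", b"content-length", length])
    out = [request_line] + [n + b": " + v for n, _k, v in headers]
    return b"\r\n".join(out) + b"\r\n\r\n" + new_body


def read_request(conn: socket.socket) -> Optional[bytes]:
    """Read one request from a socket: headers, then exactly Content-Length body bytes."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk:
            return None
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    length = 0
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip() or 0)
    while len(rest) < length:
        chunk = conn.recv(4096)
        if not chunk:
            break
        rest += chunk
    return head + b"\r\n\r\n" + rest[:length]


class RewriteHandler(socketserver.BaseRequestHandler):
    upstream = ("127.0.0.1", 8000)           # assumed; overwritten by serve()
    rules = {}

    def handle(self):
        raw = read_request(self.request)
        if raw is None:
            return
        with socket.create_connection(self.upstream, timeout=10) as up:
            up.sendall(rewrite_request(raw, self.rules))
            try:
                while True:                  # relay the response until the server closes
                    chunk = up.recv(65536)
                    if not chunk:
                        break
                    self.request.sendall(chunk)
            except socket.timeout:
                pass


def serve(listen_port: int, upstream: tuple, rules: dict) -> None:
    """Run the relay in the foreground on 127.0.0.1:listen_port (Ctrl-C to stop)."""
    RewriteHandler.upstream = upstream
    RewriteHandler.rules = rules
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", listen_port), RewriteHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    # Assumed upstream and field name; replace with what the capture shows.
    serve(8080, ("collector.invalid", 80), {"imei": "000000000000000"})
```

On a rooted device the app's outbound port-80 traffic is steered into the relay with a netfilter owner match on the app's UID (the same mechanism AFWall+ uses), along the lines of `iptables -t nat -A OUTPUT -m owner --uid-owner <app uid> -p tcp --dport 80 -j REDIRECT --to-ports 8080`; the relay then forwards to the real server it was configured with. Two caveats the answer's "validation processes" sentence points at: this relay handles one request per connection with a Content-Length body only, so chunked uploads or keep-alive sessions would need more work, and a server-side check of the IMEI against the value on file (as another answer suggests the police keep) would still flag the spoofed device.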

Due to the nature of the spyware, they will be able to detect any mitigation techniques which will make you a person of interest to them.

I know you said you can't afford two phones but it really is the best advice - why not clean and refurb an older phone if you have one around?

A burner phone doesn't need to be anything special and even better if it isn't a smartphone.

Doomgoose
  • There are certainly ways to defeat this spyware without raising red flags. It's not like the spyware's functionality is particularly secret (or particularly sophisticated). – forest Sep 24 '18 at 13:45
  • Police might not be information security gurus, but they are good at telling if I am hiding something in my other pocket. Then the consequences might be worse. – Citizen Sep 24 '18 at 13:53
  • I really doubt this is true, and even if it is correct you are not providing any evidence of that fact. Rather, you are expecting everyone to just take your word for it. Given the importance of this question to the OP, I think a little more effort is required. – Conor Mancone Sep 24 '18 at 16:00
  • @forest But it might not be the same tomorrow as it is today, and that can make all the difference in defeating it or losing to it. When we're talking about an oppressive government, can you, in good conscience, really tell someone you've never met to take that risk? – jpmc26 Sep 24 '18 at 19:47
  • Note that with the cooperation of network carriers, they will be able to tell if you are using another cellphone with the same SIM card, or if a subscriber has two SIM cards nearby, or the number of devices that are connected to your home WiFi or network. It may be unwise to use a second phone in any case. – jjmontes Sep 25 '18 at 16:58

One idea is to think of your phone as a networking device and nothing more. If you carry a secondary "tablet", that is NOT a phone, you can tether through your phone, and use a VPN on the tablet to protect your data. Now you can hand out your phone to be inspected as all of your actual important data and work is on your tablet which is clearly not a cellphone. If traditional hotspotting is too dangerous, you may want to consider alternative methods such as using a USB2Go cable or bluetooth pairing. If hotspotting is detected or blocked, you might also be able to use an app like PDANet to bypass those restrictions.

shellster
  • If I were trying to monitor everything, I would have code that flags packets going through the towers without corresponding reports from my spyware. – WGroleau Sep 26 '18 at 11:36
  • That would be very difficult to do. Nothing is ever 100%. – shellster Sep 26 '18 at 13:41
  • It would indeed be difficult to catch 100%. It would not be difficult to catch 90%. And if they weren’t already catching a huge percentage of what they want, threads like this would not exist. – WGroleau Sep 26 '18 at 16:45
  • "Hang on, there are packets flying back and forth, but they are not connected to any running app ... Flag this phone as suspicious." – tripleee Sep 27 '18 at 11:37
  • @tripleee do people not use tethering in China? – user253751 Oct 01 '18 at 02:34
  • You're still assuming there's a presumption of innocence - it seems more likely that even if there's a valid/acceptable explanation OP can expect to be investigated first. – Adam Luchjenbroers Oct 04 '18 at 07:19

Disclaimer: I live in North America.

Knowing that I may be forced to install it sooner or later, what are my options to prepare against it?

Remove illegal items and anything else that you think that the government wouldn't approve of from your property - your clothing, phone, desk at work, home, etc.

If the government can't find you doing anything wrong then you only have to worry about someone planting false evidence on you - you need to search your own stuff from time to time.

When I go through Customs I've made absolutely certain that I have checked everything for anything I shouldn't have, because you know that they will likely check when you go through the port of entry.

As a result of my efforts they've not found anything to object to and have even simply waved me through a few times. Nothing to see here, move along.

Ideally:

  • Make it appear like the app is installed and working as intended, without having it actually spy on me.

We have different ideas of what's ideal.

Ideally I'd prefer to be paid millions of dollars per hour.

  • I don't know whether it includes sophisticated anti-tampering features or not. I can't afford two phones nor two contracts, so using a second phone is not a viable option for me.
  1. It wouldn't make any sense for it not to detect tampering.

  2. The APP is probably an excuse.

    If they obtain the information by another means (like monitoring the cell phone towers and WiFi, along with all Internet traffic, and then there's your neighbors who earn a healthy living turning people in) they can say in Court that they obtained the information from the spyware - that way you don't know how the information was actually obtained.

  3. This happens in more places than just where you are; it's different where you are in that roving gangs force you to install the APP. In other places (including North America) they get by without using an APP and rely on other techniques.

    Proof: In the last few months people who have a lot of contact with children (Coaches, High School Principals, etc.) have had their work, home and computers searched for possession of inappropriate images. This appears in the news monthly.

Moral of the story: If you are poor and unsophisticated don't fight the rich, powerful, intelligent army trying to do something that they can find someone to back their actions to prevent you from doing it.

If you can't afford a second phone and contract that's a hint that you couldn't afford trouble in the first place, and the fine.

In your country they are upfront about it and demanding because objections fall on deaf ears. It's not much different in North America, just that they are sneaky to avoid complaints and only focus on major infractions so people don't suspect that they can see the less consequential things just as easily.

Rob
  • If you CAN afford a second phone, either they find out when you buy it or they find out when you use it. – WGroleau Sep 30 '18 at 23:43
  • This is what I'm saying, the cellphone tower reports people in the area that aren't running the APP and then they can triangulate you and pull up a CCTV image of someone walking the path of the offending phone. Also, chances are this webpage is no longer available to the majority of the people there. – Rob Oct 01 '18 at 00:11

For a rooted phone (without root you will have a hard time stopping the app from doing what it is doing), you can use AFWall+ to prevent the app from phoning home, and XPrivacy.

XPrivacy on Android up to 6 is better than XPrivacyLua (Android 6 and newer), because the old version can block more different things.

This setup works best if you can install the app voluntarily at a time when nobody is watching you configure the security solutions. If you can only get the app when a policeman stops you, it is a bit harder to hide the security apps.

allo
  • +1. Unfortunately rooting and using niche tools like XPrivacyLua is not for everyone (I use them). Just as FYI, an alternative is in my answer https://security.stackexchange.com/a/194842/99059 – beeshyams Oct 02 '18 at 05:15

I wouldn't be shocked if there isn't a fake version somewhere--looks exactly real but doesn't actually spy. Unless the police are actually checking functionality in some fashion this would stop them.

As others have said, though, getting caught fooling the cops would not be a good thing!

Loren Pechtel

While other answers do provide useful insights, my alternative would be to use the phone as you normally would but isolate the app's access to data.

One method has already been suggested: rooting the device, installing Xposed and the corresponding modules XPrivacy / XPrivacyLua. While I personally use this, rooting the device and managing the additional risks due to an unlocked bootloader and malicious apps gaining root access is yet another challenge - IMO beyond the scope of the average user, hence the easy alternative approach below.

There is an open source app called Shelter that does two things

  • Use the "Work Profile" available in Android from version 5.0 (Lollipop) onwards

  • It allows you to install the app of your choice, in this case your spy app, in the work profile. Once it is installed in the work profile (by cloning), it essentially is on an island and can't access any data that is outside your work profile (your photos, emails, SMS or any other app information). You can safely uninstall the original app and if the police check, show them your app, which has a padlock icon indicating it is in your work profile. You can keep the app always in your Recents or Overview and pull it from there so that they don't even see the icon.

In simple terms, the spy app has nothing to spy on!

Download Shelter - an open source app from F-droid or GitHub. Quoting the developer, relevant use case

Run “Big Brother” apps inside the isolated profile so they cannot access your data outside the profile

(Emphasis supplied)

I am currently using this, in addition to XprivacyLua. For more details see WhatsApp: How to isolate contacts and photos - Privacy concerns

beeshyams
  • Your answer is good, and is also an example of how complicated it is to do monitoring and surveillance, which seemed like an easy job to do. Your answer exemplifies the many variations of technologies that are available for monitoring and anti-monitoring - just like the endless game of virus and anti-virus. Which is also why I hardly read all the other solutions and techniques, which are not as technically deep as I wanted (from the monitoring/trojanizing point of view). – Peter Teoh Oct 02 '18 at 00:52
  • Talking about PCs: you also have Chrome bug reporting, Windows telemetry etc., all capable of sending back debugging information. If they want to monitor, and you are not doing anything "harmful", just let them do it - it is like having a security guard near your house. And you may be afraid that one day this security guard may come back and attack you? Then get multiple security guards. Apps that can monitor other apps - like those parental control apps which I used to install on my kids' phones. – Peter Teoh Oct 02 '18 at 00:55
  • @PeterTeoh Thanks. *Variations*, as you rightly pointed out, is the key to both sides. For those who care this is an endless game but sadly the majority don't care IMO – beeshyams Oct 02 '18 at 05:13
  • I would expect the Jingwang Weishi spyware to notice if it never sees any calls, photos, emails, SMS etc and raise a red flag. – WHO's NoToOldRx4CovidIsMurder Sep 18 '21 at 03:43
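A check for the work-profile setup described in the answer above, as an added example that is not part of the answer and not code from Shelter: it reads the users and per-user package lists that adb's `pm list users` and `pm list packages --user N` print, decides which user IDs hold a package, and reports it as isolated only when it is present in a managed profile and nowhere else (in particular not in user 0, the personal profile). The package name is a placeholder and the sample command outputs are constructed; the managed-profile flag value is `UserInfo.FLAG_MANAGED_PROFILE` from AOSP.

```python
"""Verify that a package lives only in a managed (work) profile (added example,
not part of the original answer or of Shelter). Package name is a placeholder;
the sample pm outputs below are constructed.
"""
import re
import subprocess

FLAG_MANAGED_PROFILE = 0x20   # android.content.pm.UserInfo.FLAG_MANAGED_PROFILE
USER_RE = re.compile(r"UserInfo\{(\d+):([^:}]*):([0-9a-fA-F]+)\}")


def parse_users(text: str) -> dict:
    """{user_id: (name, flags)} from `adb shell pm list users` output."""
    return {int(m.group(1)): (m.group(2), int(m.group(3), 16))
            for m in USER_RE.finditer(text)}


def managed_profiles(users: dict) -> set:
    """User IDs whose flags carry the managed-profile bit."""
    return {uid for uid, (_, flags) in users.items() if flags & FLAG_MANAGED_PROFILE}


def parse_packages(text: str) -> set:
    """Package names from `adb shell pm list packages --user N` output."""
    return {line[len("package:"):].strip()
            for line in text.splitlines() if line.startswith("package:")}


def isolation_report(pkg: str, users: dict, packages_by_user: dict) -> tuple:
    """Return (sorted user IDs holding pkg, isolated).

    isolated is True only when pkg is installed in at least one managed profile
    and in no other user. An install in user 0 alongside the profile copy is the
    failure mode the answer warns about (the original app not uninstalled).
    """
    present = sorted(uid for uid, pkgs in packages_by_user.items() if pkg in pkgs)
    profiles = managed_profiles(users)
    return present, bool(present) and all(uid in profiles for uid in present)


def adb(*args: str) -> str:
    return subprocess.run(["adb", "shell", *args], check=True,
                          capture_output=True, text=True).stdout


def check_device(pkg: str) -> tuple:
    """Same report, read from a connected device (requires adb and USB debugging)."""
    users = parse_users(adb("pm", "list", "users"))
    by_user = {uid: parse_packages(adb("pm", "list", "packages", "--user", str(uid)))
               for uid in users}
    return isolation_report(pkg, users, by_user)


# Constructed sample output, shaped like real pm output (flags are hex).
SAMPLE_USERS = "Users:\n\tUserInfo{0:Owner:c13} running\n\tUserInfo{10:Work profile:1030} running\n"
SAMPLE_PACKAGES = {
    0: "package:com.android.settings\npackage:com.example.messenger\n",
    10: "package:com.android.settings\npackage:com.example.monitor\n",
}

if __name__ == "__main__":
    users = parse_users(SAMPLE_USERS)
    by_user = {uid: parse_packages(txt) for uid, txt in SAMPLE_PACKAGES.items()}
    print(isolation_report("com.example.monitor", users, by_user))   # ([10], True)
```

Run `check_device("<package>")` against a real phone after setting up Shelter to confirm that the only copy of the app is the one in the profile. The check says nothing about what the app can see inside the profile, so anything cloned or created there is still visible to it.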

There are a lot of great answers, but most of them give solutions that are beyond the ability of the average Android user.

I would like to offer a compromise between absolute privacy and getting spied upon.

I assume that your government has other means of acquiring the IMEI and phone metadata. You can stop the app from acquiring other information by denying it permission for:

  • Body sensors
  • Calendar
  • Camera
  • Contacts
  • Location
  • Microphone
  • Phone
  • SMS
  • Storage

Here are instructions on how to do it.

(I am not sure of your Android OS version, but the steps should be similar.)

This way the spyware would not be able to collect information about you, and therefore I assume that it will either not try to send information to servers, or it will send empty information.

However, this means that you install the app before the police stop you and make you install it. You can let the app download, kill the network connection while it's installing, and then remove permissions before it starts.

Risks

You should be aware that if the police do a deeper investigation, turned-off permissions would be evidence that you have willfully tampered with the spyware. You should calculate whether this risk is worth it.

This will also be a useful method of stopping other spyware (such as your flashlight app that requires contact information) from breaching your privacy.

sampathsris
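The permission step the answer above describes, as an added example written for this page (not the answer's own instructions, which use the Settings UI): it reads `adb shell dumpsys package <pkg>` to learn which permissions the app actually requests and currently holds, plans `pm revoke` commands for the ones in the answer's list, and applies them only with `--apply`. The package name is a placeholder and the dumpsys sample is constructed; the group-to-permission mapping is the Android 6+ runtime-permission model, under which a normal permission such as INTERNET cannot be revoked this way at all, which is why the answer's assumption that the IMEI still gets through holds.

```python
"""Plan and optionally apply runtime-permission revocations for one package
through adb (added example; not from the original answer). Package name is a
placeholder; SAMPLE_DUMPSYS is constructed to look like real dumpsys output.
"""
import subprocess
import sys

# The answer's permission groups, mapped to the dangerous permissions behind them.
GROUPS = {
    "Body sensors": ["android.permission.BODY_SENSORS"],
    "Calendar": ["android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR"],
    "Camera": ["android.permission.CAMERA"],
    "Contacts": ["android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
                 "android.permission.GET_ACCOUNTS"],
    "Location": ["android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"],
    "Microphone": ["android.permission.RECORD_AUDIO"],
    "Phone": ["android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
              "android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG"],
    "SMS": ["android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.READ_SMS"],
    "Storage": ["android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE"],
}
REVOCABLE = {p for perms in GROUPS.values() for p in perms}


def parse_dumpsys(text: str) -> tuple:
    """(requested, granted) permission sets from `dumpsys package <pkg>` output.

    `pm revoke` errors out on a permission the package never requested, so the
    plan is built from what dumpsys reports rather than from GROUPS alone.
    """
    requested, granted = set(), set()
    section = None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith("permissions:"):          # "requested/install/runtime permissions:"
            section = s
        elif s.startswith("android.permission."):
            name, _, rest = s.partition(":")
            if section == "requested permissions:":
                requested.add(name)
            elif "granted=true" in rest:
                granted.add(name)
    return requested, granted


def plan_revocations(requested: set, granted: set) -> list:
    """Permissions to revoke: in a group above, requested, and currently granted.
    Normal permissions (INTERNET) never appear here; blocking network access
    needs a firewall, not pm revoke."""
    return sorted(REVOCABLE & requested & granted)


def revoke_commands(pkg: str, perms: list) -> list:
    return [["adb", "shell", "pm", "revoke", pkg, p] for p in perms]


SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.monitor] (a1b2c3):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_PHONE_STATE
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true
      runtime permissions:
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    # usage: script.py <package> [--apply] [--sample]
    pkg = sys.argv[1] if len(sys.argv) > 1 else "com.example.monitor"
    if "--sample" in sys.argv:
        text = SAMPLE_DUMPSYS                  # dry run against the constructed sample
    else:
        text = subprocess.run(["adb", "shell", "dumpsys", "package", pkg],
                              check=True, capture_output=True, text=True).stdout
    for cmd in revoke_commands(pkg, plan_revocations(*parse_dumpsys(text))):
        print(" ".join(cmd))
        if "--apply" in sys.argv:
            subprocess.run(cmd, check=True)
```

Re-running the script without `--apply` after the change is the verification step: the plan should come back empty. The revocation is not permanent; the app can prompt for the permission again, and granting it at that prompt undoes the work, which is the same "turned off permissions are evidence" exposure the answer's risk section describes.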

You can simply resolve the servers it attempts to connect to back to localhost.

This can be accomplished by modifying the /etc/hosts file on your device if you have root.

Alternatively, you can use a local VPN which doesn't require root, such as this.

DrDinosaur
  • Presumably then the app will alert that it cannot call home and display a big friendly red badge with yellow stars. – tripleee Sep 27 '18 at 11:38
  • I'm not sure how the app works exactly. It could definitely be passed off as a server-side error that wouldn't be your fault. You can also change it whenever you are about to be inspected and otherwise have it set to block traffic. – DrDinosaur Sep 28 '18 at 20:32

Based on your question I cannot be sure whether you are a Chinese resident, or someone who is planning to visit (for instance a tourist).

It was already mentioned earlier that so far it seems that only certain minority citizens are targeted (and if they were to start targeting foreigners that news is sure to spread very quickly).

Regardless of what I think about that, the following bit may actually help most tourists:

The Google Play store is currently blocked in China, so though it is easy to overcome, this likely means that you will not be able to get the app through the standard procedure.

Dennis Jaheruddin

(radically edited)

I had proposed that one idea to consider was that

Playing dumb can be a good strategy.

For example, ask the phone vendor: "Hi. My phone is working really slow and keeps crashing. Can you show me how to do a factory reset?"

However, I've been informed (see comments below) that even if this led to it being documented that someone else had removed the spyware, the person would likely still get in deep trouble when it was noticed that the spyware was no longer installed. It sounds like the answer to the question, "Is there any excuse for not having the spyware installed that would be considered valid?" is 'NO!' So it wouldn't matter whether the factory reset is more effective at wiping the system than the spyware is at staying installed. I would say don't risk it, especially if you think you'd make a high-value target.

Sadly, the software is effective at repressing dissidents and dissent even if technically it is 100% defective.

So my answer is that secretly helping to evangelize, build or crowdfund efforts to make it not work or prove it doesn't work well or to break it or make the phone to appear broken when spies try to install spyware would be better than a more direct approach, which would paint a target on your back. Good luck, and may the force be with you.

  • Most of this answer is just saying "lol you're f---ed good luck", it doesn't really try to answer the question itself. Even if you factory reset your phone, if the police are on the streets, as the question says they are, they're just going to stop you and demand you install it again. – numbermaniac Sep 29 '18 at 00:46
  • @MatthewElvey people are sometimes being sent to "reeducation camps" for not having the software installed in this province, and they keep track of who has it installed. If it is suddenly not sending data anymore, they WOULD catch that. Not only is this answer not helpful, it is genuinely dangerous, especially if OP is Uyghur. – user185163 Sep 30 '18 at 05:35
  • Ok, thanks, user185163. If the excuse/explanation: _"I didn't remove it. I was having trouble with my phone and the phone vendor removed it when they reset my phone. Here's a receipt / record of the visit."_ won't work to avoid 'reeducation camp' then my "idea to consider" indeed was poor and I've just edited my answer to reflect that. What do you think now, @user185163 ? – WHO's NoToOldRx4CovidIsMurder Sep 30 '18 at 18:59
  • I've radically edited my answer; would appreciate more re-rates and/or more feedback. I find it interesting that the playing dumb strategy is said to be sure not to work in China. I imagine it might be useful in other countries/other legal systems. But then the only repressive regimes I have significant experience with are the relatively lighter touch ones in the US. – WHO's NoToOldRx4CovidIsMurder Oct 07 '18 at 23:57

I agree with Doomgoose. Get a burner phone for this. Alternatively, get an app called Orbot (it's Tor for Android) which can get you a bit of the privacy you so desire by encrypting your online activities. Another alternative is adding a VPN on top of the equation.

Malekr
  • Transport encryption doesn't do any good if the endpoint is compromised. – AndrolGenhald Sep 24 '18 at 15:13
  • They'll generate a report on him stating that he uses Tor/VPN? What a recommendation... – Daniel F Sep 24 '18 at 22:21
  • The spyware is locally intercepting the data, making both TOR and a VPN more than useless. Those change and somewhat protect the path your data takes through the internet, they don't change what your device is doing before that! And if the spyware sends its report over one of these the government could easily notice that they're receiving data from a known TOR node or VPN service.... – Matthew Read Sep 24 '18 at 22:40
  • They also know what phones are using which towers and whether those phones are reporting. And they shut down/block VPNs when they detect them. – WGroleau Sep 26 '18 at 11:45