Police in China has reportedly forced Muslims in China to download an App called JingWang as part of a mass inspection campaign. They are checked to ensure that individuals have it installed on their phones, and have arrested individuals who refuse to do so.
Now, researchers have found JingWang transfers the collected data with no encryption.
The App extracts a phone’s IMEI, MAC Address, manufacturer, model, phone number, subscriber ID. Filenames with hashes for all files stored on the person’s device are gathered by the App.
These identifiers serve to easily identify and track any mobile device and its contents.
The app scans the device’s external storage for files. It searches for those it deems as “dangerous” by recording the name, path, size, MD5 hash of the file and compares it to a list of file hashes received from the server. If a file is identified as “dangerous” it prompts the user to delete the file.
An MD5 hash is a unique file identifier that can locate any file on a person’s mobile device
The App specifies the types of file types it looks for which primarily includes audio, video, photos, and HTML.
The App then sends all the filenames with hashes back to the server. And not just those that may have been identified as dangerous hashes for every single file on a person’s device. Any user with this app installed will have every file stored on their device sent to an unknown entity for monitoring.
Lastly, nothing is transmitted from the individual’s device to the receiving server over HTTPS — all is in plaintext via HTTP — and updates are unsigned.
This means all the data the app collects is transmitted to the unknown entity on the receiving end.
This allows someone with a limited amount of technical knowledge to intercept and potentially manipulate the subscribers personal information.