[liberationtech] WeChat partners with the Guardian Project?!
In a strange bedfellows revelation, it turns out that WeChat (the China-originated mobile messaging app) is using the SQLCipher for Android software that the Guardian Project developed with Team Zetetic. This makes WeChat more secure in terms of protecting local message storage than any other mainstream messaging solution. While their implementation isn't perfect, I still consider this a win for open-source mobile security software. Perhaps a WeChat developer heard my talk at Google IO about how insecure their software was, and decided to show me up a bit. Next up, OTR and proxy support? Or is it time to convince WhatsApp to step up to the plate?

Thanks to CitizenLab (Asia Chats FTW!) and Emaze.com for bringing this fascinating development to our attention.

***

https://guardianproject.info/2013/12/10/sqlcipher-has-300-million-mobile-users-thanks-to-wechat/

SQLCipher has 100M+ Mobile Users (Thanks to WeChat!)
Posted on 2013/12/10 by n8fr8

(Note: Originally this post had a title claiming 300 Million WeChat users... that would have included iOS and Android, and we don't know if the WeChat iOS app also includes SQLCipher encryption or not. That said, there are 50-100M Google Play downloads of WeChat for Android, which does not include all of the users inside China)

Through some of our own recent sleuthing, Citizen Lab's research into "Asia Chats" security, and now via this detailed look at WeChat security from Emaze.com, it has been recently discovered that WeChat for Android uses SQLCipher for local data encryption in its app. We co-developed SQLCipher for Android with Zetetic, and have been working to promote its adoption among Android developers who need to protect data stored locally on a device. While many people would point to Android's Full Disk Encryption feature as a solution for that, only a small percentage of users ever enable it, and even then, once a device is unlocked, all data is accessible by someone looking to extract it.

With SQLCipher, the application can ensure its own data is encrypted, and if the app is closed, then the data is secured. Now, as with most things WeChat, the actual implementation of SQLCipher is not that ideal, utilizing a short key, generated in part from the device's ID, and some sort of server provided token. Still, at least they tried, and SQLCipher is considered stable enough to be used for the over 300 million WeChat users around the world. Who knows, though, maybe the devs are on our developer list or the SQLCipher list, and we can help them improve their implementation using CacheWord!

The biggest irony of this is that I gave a lightning talk at Google IO 2013, highlighting the concern I had with the rapid growth of WeChat, and their parent company's and country's poor record on human rights, free speech, and generally defending their users. With the growth of WeChat beyond the borders of China, it is the first major mobile service to be exported and adopted outside of the Great Firewall, by non-Chinese users.

So, for now, I raise a toast to the Android developers at Tencent/WeChat, who at least took a shot at providing local message encryption in their app, and may they continue to endeavor to defend their users' privacy and security, as best as they can, considering their circumstances.

More from the emaze-ing post below...

WeChat locally stores application data in an encrypted SQLite database named "EnMicroMsg.db". This database is located in the "MicroMsg" subfolder inside the application's data directory (typically something like "/data/data/com.tencent.mm"). The database is encrypted using SQLCipher, an open source extension for SQLite that provides full database encryption. The encryption password is derived from the "uin" parameter (see previous sections) combined with the device identifier through a custom function. More precisely, the key generation function leverages the mangle() function shown in the previous Python snippet.

The actual database encryption key can be generated through the following pseudo-code:

    password = mangle(deviceid + uin)[:7]

Here deviceid is the value returned by the Android API function TelephonyManager.getDeviceId(). What follows is a sample SQLCipher console session that demonstrates how the EnMicroMsg.db database can be decrypted.

    $ sqlcipher EnMicroMsg.db
    sqlite> PRAGMA key = 'b60c8e4';
    sqlite> PRAGMA cipher_use_hmac = OFF;
    sqlite> .schema
    CREATE TABLE conversation (unReadCount INTEGER, status INT, ...
    CREATE TABLE bottleconversation (unReadCount INTEGER, status INT, ...
    CREATE TABLE tcontact (username text PRIMARY KEY, extupdateseq long, ...
    ...

It is also worth pointing out that, as the key generation algorithm truncates the password to 7 hex characters, it would not be so difficult for motivated attackers who are able to get the encrypted database to brute force the key, even without knowing the uin or the device identifier.

--
Liberationtech is public & archives are searchable on Google. Violations of list guideli
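The post above quotes Emaze's finding that the EnMicroMsg.db key is a 7-hex-character string derived from the device ID and the "uin", and the Guardian Project's remark that a passphrase-based approach (their CacheWord) would be better. The following Python is an added example, not code from the mailing-list post, the Guardian Project, CacheWord or Emaze's analysis: it puts a number on the key space the quoted analysis describes and shows the defender-side alternative, deriving a full 256-bit SQLCipher raw key from a user passphrase and a random per-database salt with PBKDF2, so that the key no longer depends on an identifier anyone holding the device can read. The mangle() function is not on the page and is not reproduced; the function names, the iteration count and the sample passphrase are this example's own assumptions.

```python
# Added example (not from the liberationtech post, the Guardian Project blog or
# Emaze's analysis). Contrasts the key space of a 7-hex-character SQLCipher password,
# as the quoted analysis describes for EnMicroMsg.db, with a passphrase-plus-salt
# derivation of a full 32-byte raw key. All names below are this example's own.
import hashlib
import os
import secrets

HEX_CHARS_IN_QUOTED_SCHEME = 7     # from the quoted analysis: password truncated to 7 hex chars
RAW_KEY_BYTES = 32                  # SQLCipher raw keys are 256 bits (AES-256)
PBKDF2_ITERATIONS = 200_000         # assumption: a work factor chosen for this example


def weak_key_bits(hex_chars: int) -> int:
    """Entropy, in bits, of a key made of `hex_chars` hexadecimal characters.
    Each hex character carries 4 bits, so 7 characters give only 28 bits."""
    return 4 * hex_chars


def weak_key_space(hex_chars: int) -> int:
    """Number of candidate keys in that space: 16**7 is about 268 million,
    small enough that the quoted analysis calls offline guessing feasible."""
    return 16 ** hex_chars


def new_salt() -> bytes:
    """Random 16-byte salt, generated once per database and stored beside it."""
    return os.urandom(16)


def derive_db_key(passphrase: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 32-byte key with PBKDF2-HMAC-SHA256 from a user passphrase.
    The salt makes identical passphrases yield different keys, and nothing here
    depends on TelephonyManager.getDeviceId() or a server-provided token."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=RAW_KEY_BYTES)


def raw_key_pragma(key: bytes) -> str:
    """Format the key as a SQLCipher raw-key PRAGMA. The x'...' form hands SQLCipher
    the 32-byte key directly instead of a text password it would stretch itself."""
    if len(key) != RAW_KEY_BYTES:
        raise ValueError("raw key must be exactly 32 bytes")
    return "PRAGMA key = \"x'%s'\";" % key.hex()


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison for checking a re-derived key against a stored verifier."""
    return secrets.compare_digest(a, b)


if __name__ == "__main__":
    print("quoted scheme: %d bits, %d candidates"
          % (weak_key_bits(HEX_CHARS_IN_QUOTED_SCHEME), weak_key_space(HEX_CHARS_IN_QUOTED_SCHEME)))
    salt = new_salt()
    key = derive_db_key("correct horse battery staple", salt)  # constructed sample passphrase
    print("passphrase-derived key: %d bits" % (8 * len(key)))
    print(raw_key_pragma(key))
```

Two points worth noting from the defender's side. First, the strength of the derived key is bounded by the passphrase the user chooses; the salt and the iteration count stop precomputation and slow each guess, but they do not rescue a trivial passphrase. Second, the quoted console session sets cipher_use_hmac = OFF; leaving SQLCipher's per-page HMAC enabled (its default since 2.0) keeps page-level integrity checks, so tampering with the stored database is detected when it is read.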
Re: [liberationtech] WeChat
Sarah Lai Stirland wrote:
> Hi everyone -- I'm curious as to whether anyone on here has used WeChat,
> what they think of it, ...

I would not use any Chinese software if security is a concern. See for example:

http://www.businessweek.com/articles/2013-03-08/skypes-been-hijacked-in-china-and-microsoft-is-o-dot-k-dot-with-it

There are some products from credible people available. Free, open source software for secure online chat, but (last I looked) not voice or video:

http://www.cypherpunks.ca/otr/

A commercial service offering the lot -- email, voice. ... -- and running on smart phones:

https://silentcircle.com/

--
Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] WeChat
I can say for sure that WeChat has some market here in Poland. Unfortunately I get a few invitations each week that I must decline.

--
Jerzy Łogiewa -- jerz...@interia.eu

On Jul 16, 2013, at 12:03 AM, Paul Holden wrote:
> I think part of it is a language problem. But even when the software is
> translated, as has been done with Wechat (微信) and Weibo, it doesn't
> seem to get far outside China. The Weibo English version is a completely
> different site and doesn't seem to have been marketed much in the west.
> I don't know why they made those choices. Based on what I've seen with
> WeChat, its largest markets outside China are Thailand and Malaysia.
Re: [liberationtech] WeChat
On 13-07-14 23:29:03, Sarah Lai Stirland wrote:
> Thanks. This is the kind of discussion and back and forth I was looking for
> ... I kind of figured this was the case, although I don't know of any
> actual examples of any of this happening. I know a lot of Chinese people

From what I understand one of the reasons the Chinese government doesn't allow twitter or Facebook in China is because they can't get physical access to the servers. QQ, renren (人人网) and Weibo (微博) are social networking services equivalent to FB and twitter, and the Chinese government has no problem with them. Partly based on that, as well as other factors, I think it's safe to assume that the PSB has direct access to these companies' facilities and does whatever it wants with the data, including complete social graph analysis. I'd be surprised if the things Nathan suggested are not actually happening in China.

> use it, and I think it's interesting why it's so popular with the Chinese,
> and not so much in the US. When I say the American, I mean something made

This is interesting. There's a lot going on in the domestic software industry in China that never gets noticed outside. Whether it's word processors, browsers or social networking services, it's all being produced domestically in China, but rarely seems to make it outside. I think part of it is a language problem. But even when the software is translated, as has been done with Wechat (微信) and Weibo, it doesn't seem to get far outside China. The Weibo English version is a completely different site and doesn't seem to have been marketed much in the west. I don't know why they made those choices. Based on what I've seen with WeChat, its largest markets outside China are Thailand and Malaysia.

WeChat is an easy jump from QQ, since you can use the same credentials (if you want). But it's a completely separate set of contacts and so a different social network. It's mobile only, there is no website.

In my experience with WeChat, most people use it for 1-1 communication, including sharing photos. They also post photos and links on their "moments" (ie, wall) and their friends either comment on or like these. It has limited social networking capability compared to QQ or FB, but it might be that this subset of features is just what people want on a mobile phone app. I think the proximity search for friends and the "shake" feature are probably quite attractive ones.

I've found that I use WeChat a lot more now than I ever used the QQ mobile app, or the QQ website. I have several Chinese friends inside and outside China whom I keep in touch with via WeChat. I've rarely met anyone who's not from China who uses WeChat (or QQ for that matter) or even knows what it is.

Paul
Re: [liberationtech] WeChat
On 15/07/13 04:29, Sarah Lai Stirland wrote:
> Thanks. This is the kind of discussion and back and forth I was
> looking for ... I kind of figured this was the case, although I
> don't know of any actual examples of any of this happening. I know
> a lot of Chinese people use it, and I think it's interesting why
> it's so popular with the Chinese, and not so much in the US.

Hi Sarah,

There was a thread about WeChat at the end of last year with some great contributions by Nathan, Tricia Wang and others:

https://mailman.stanford.edu/pipermail/liberationtech/2012-December/006138.html
https://mailman.stanford.edu/pipermail/liberationtech/2013-January/006338.html

Cheers,
Michael
Re: [liberationtech] WeChat
Thanks. This is the kind of discussion and back and forth I was looking for ... I kind of figured this was the case, although I don't know of any actual examples of any of this happening. I know a lot of Chinese people use it, and I think it's interesting why it's so popular with the Chinese, and not so much in the US. When I say the American, I mean something made by a U.S. company. I'd heard that VONAGE is offering something a version of WeChat, but haven't heard anyone talk about it. It seems incredibly intrusive to me from a workflow perspective. I don't want someone barking at me on my screen whenever they feel like it.

On Sun, Jul 14, 2013 at 2:35 PM, Nathan of Guardian <nat...@guardianproject.info> wrote:
>
> Sarah Lai Stirland wrote:
>
> > Hi everyone -- I'm curious as to whether anyone on here has used
> > WeChat,
> > what they think of it, how they use it, and what it provides that other
> > communications tools don't.
>
> It provides a really nice backup system for all of your messages, address
> book, photos and audio located in Shanghai. Unfortunately only the Chinese
> authorities have access to it.
>
> It also ensures you don't accidentally send messages about unharmonious
> topics, like corruption, graft and human rights.
>
> It also does away with pesky security features like HTTPS and the need for
> backdoors, since as we have learned in the case of the NSA, no one should
> have anything to hide, unless they are up to no good.
>
> Finally, it provides an excellent means for diaspora dissident groups like
> the Tibetans and Uyghurs to have their social graphs mapped, and
> geolocation tracked.
>
> In short, it is a smashing success for the CCP and the PSB, and has
> already resulted in the arrests of a number of splittists, who just thought
> it was a great way to send "free" international messages.
>
> > Is there is an American version of this that anyone uses?
>
> The American version is the same as the Chinese version, and same as what
> is popular throughout SEA. It is China's version of PRISM just wrapped up
> in a shiny app package. Brilliant!
>
> +n8fr8
>

--
Sarah Lai Stirland
Senior Writer
techPresident
Tel: 415-859 9749
Twitter: @LaiStirland
http://techpresident.com/blog/76848
Re: [liberationtech] WeChat
+n^1:

>> Finally, it provides an excellent means for diaspora dissident groups like
>> the Tibetans and Uyghurs to have their social graphs mapped, and geolocation
>> tracked.

G

On 15 July 2013 00:23, Nathan of Guardian wrote:
> Also, I have a five minute talk at Google IO 2013 Ignite on the subject. It
> starts at about 16 minutes in here:
>
> http://www.youtube.com/watch?v=ZhHSd59qNcQ&feature=youtube_gdata_player
>
> Nathan of Guardian wrote:
>>
>> Sarah Lai Stirland wrote:
>>
>>> Hi everyone -- I'm curious as to whether anyone on here has used
>>> WeChat,
>>> what they think of it, how they use it, and what it provides that other
>>> communications tools don't.
>>
>> It provides a really nice backup system for all of your messages, address
>> book, photos and audio located in Shanghai. Unfortunately only the Chinese
>> authorities have access to it.
>>
>> It also ensures you don't accidentally send messages about unharmonious
>> topics, like corruption, graft and human rights.
>>
>> It also does away with pesky security features like HTTPS and the need for
>> backdoors, since as we have learned in the case of the NSA, no one should
>> have anything to hide, unless they are up to no good.
>>
>> Finally, it provides an excellent means for diaspora dissident groups like
>> the Tibetans and Uyghurs to have their social graphs mapped, and geolocation
>> tracked.
>>
>> In short, it is a smashing success for the CCP and the PSB, and has
>> already resulted in the arrests of a number of splittists, who just thought
>> it was a great way to send "free" international messages.
>>
>>> Is there is an American version of this that anyone uses?
>>
>> The American version is the same as the Chinese version, and same as what
>> is popular throughout SEA. It is China's version of PRISM just wrapped up in
>> a shiny app package. Brilliant!
>>
>> +n8fr8
Re: [liberationtech] WeChat
Also, I have a five minute talk at Google IO 2013 Ignite on the subject. It starts at about 16 minutes in here:

http://www.youtube.com/watch?v=ZhHSd59qNcQ&feature=youtube_gdata_player

Nathan of Guardian wrote:
>
> Sarah Lai Stirland wrote:
>
> > Hi everyone -- I'm curious as to whether anyone on here has used
> > WeChat,
> > what they think of it, how they use it, and what it provides that
> > other
> > communications tools don't.
>
> It provides a really nice backup system for all of your messages,
> address book, photos and audio located in Shanghai. Unfortunately only
> the Chinese authorities have access to it.
>
> It also ensures you don't accidentally send messages about unharmonious
> topics, like corruption, graft and human rights.
>
> It also does away with pesky security features like HTTPS and the need
> for backdoors, since as we have learned in the case of the NSA, no one
> should have anything to hide, unless they are up to no good.
>
> Finally, it provides an excellent means for diaspora dissident groups
> like the Tibetans and Uyghurs to have their social graphs mapped, and
> geolocation tracked.
>
> In short, it is a smashing success for the CCP and the PSB, and has
> already resulted in the arrests of a number of splittists, who just
> thought it was a great way to send "free" international messages.
>
> > Is there is an American version of this that anyone uses?
>
> The American version is the same as the Chinese version, and same as
> what is popular throughout SEA. It is China's version of PRISM just
> wrapped up in a shiny app package. Brilliant!
>
> +n8fr8
Re: [liberationtech] WeChat
Sarah Lai Stirland wrote:
> Hi everyone -- I'm curious as to whether anyone on here has used
> WeChat,
> what they think of it, how they use it, and what it provides that other
> communications tools don't.

It provides a really nice backup system for all of your messages, address book, photos and audio located in Shanghai. Unfortunately only the Chinese authorities have access to it.

It also ensures you don't accidentally send messages about unharmonious topics, like corruption, graft and human rights.

It also does away with pesky security features like HTTPS and the need for backdoors, since as we have learned in the case of the NSA, no one should have anything to hide, unless they are up to no good.

Finally, it provides an excellent means for diaspora dissident groups like the Tibetans and Uyghurs to have their social graphs mapped, and geolocation tracked.

In short, it is a smashing success for the CCP and the PSB, and has already resulted in the arrests of a number of splittists, who just thought it was a great way to send "free" international messages.

> Is there is an American version of this that anyone uses?

The American version is the same as the Chinese version, and same as what is popular throughout SEA. It is China's version of PRISM just wrapped up in a shiny app package. Brilliant!

+n8fr8
[liberationtech] WeChat
Hi everyone -- I'm curious as to whether anyone on here has used WeChat, what they think of it, how they use it, and what it provides that other communications tools don't.

Is there is an American version of this that anyone uses?

best,
Sarah