Reverse engineering a Huawei phone

by Volker Weber

The US famously does not allow Huawei phones, without further explaining why. Here is a frenchman reverse engineering some of the apps on a "Huawei P20 from China". The question is if Huawei phones bought here exhibit the same behavior. Yesterday, Huawei gave away a few hundred of them to influencers at an event in London. Maybe some of them have enough technical clout to investigate this instead of clamoring about three cameras. And then, maybe, turn off their free phones forever.

This guy is on a roll, btw. The other day he found a very basic security flaw in a dating app, exposing all personal data of singles searching for love in support of Donald Trump.

Comments

I don't get it. I'd send the privacy data just one time to a single dedicated endpoint under my control. Encrypted of course. Let the backend spreading the stuff...

Martin Kautz, 2018-10-17

The astonishing thing is the use of http instead of https. I have only one theory: It is easier to abuse that data.

Volker Weber, 2018-10-17

@Vowe, I believe that the Huawei phones were banned due to national security concerns:

https://www.cnet.com/news/why-some-of-the-flashiest-huawei-android-p20-p20-pro-mate-10-pro-phones-arent-in-the-us/

Unfortunately there seems to be growing evidence of "bad actor" concerns with China. Some of these are only just now coming to light, but based on the broad scope it is appearing more and more likely that the US government has had concerns with China for years:

1. We (the US) are very much in a trade war with China, claimed to be due to their abuse of US intellectual property rights.

2. It was recently unveiled that one of our top politicians (with a very suspiciously high net worth) apparently had a Chinese spy as her driver for 20 years:

https://www.washingtonpost.com/opinions/explain-the-chinese-spy-sen-feinstein/2018/08/09/0560ca60-9bfd-11e8-b60b-1c897f17e185_story.html?noredirect=on&utm_term=.344148eb1f33

3. The latest, potentially huge scandal is this one:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Companies are denying the problem, but Bloomberg is doubling-down. We'll have to see how this ends up:

https://www.theregister.co.uk/2018/10/09/bloomberg_super_micro_china_spy_chip_scandal/

4. I read an article a couple of years ago about Apple's chip manufacturing process in the Foxconn facilities being compromised similar to #3. It coincided with the timing of Apple announcing moving their chip manufacturing back to the US.

5. China's "social credit" system has been getting a lot of recent negative press in the US:

https://www.abc.net.au/news/2018-09-18/china-social-credit-a-model-citizen-in-a-digital-dictatorship/10200278

6. We also recently blocked the Broadcom purchase of Qualcomm due to the national security implications.

Erik Brooks, 2018-10-17

Erik, if this simple research holds any water, Huawei devices phone home (through Chinese networks) in a very unsecure way. It would be easy to hoover up all information of interest in transit.

Volker Weber, 2018-10-17

@vowe: Obseration at work: Certificate pinning is rare.
Even Apple still allows devs bypassing ATS by a single entry in Info.plist.

Martin Kautz, 2018-10-17

Old vowe.net archive pages

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Paypal vowe