Reverse engineering a Huawei phone

by Volker Weber

The US famously does not allow Huawei phones, without further explaining why. Here is a frenchman reverse engineering some of the apps on a "Huawei P20 from China". The question is if Huawei phones bought here exhibit the same behavior. Yesterday, Huawei gave away a few hundred of them to influencers at an event in London. Maybe some of them have enough technical clout to investigate this instead of clamoring about three cameras. And then, maybe, turn off their free phones forever.

This guy is on a roll, btw. The other day he found a very basic security flaw in a dating app, exposing all personal data of singles searching for love in support of Donald Trump.

Comments

I don't get it. I'd send the privacy data just one time to a single dedicated endpoint under my control. Encrypted of course. Let the backend spreading the stuff...

Martin Kautz, 2018-10-17

The astonishing thing is the use of http instead of https. I have only one theory: It is easier to abuse that data.

Volker Weber, 2018-10-17

@Vowe, I believe that the Huawei phones were banned due to national security concerns:

https://www.cnet.com/news/why-some-of-the-flashiest-huawei-android-p20-p20-pro-mate-10-pro-phones-arent-in-the-us/

Unfortunately there seems to be growing evidence of "bad actor" concerns with China. Some of these are only just now coming to light, but based on the broad scope it is appearing more and more likely that the US government has had concerns with China for years:

1. We (the US) are very much in a trade war with China, claimed to be due to their abuse of US intellectual property rights.

2. It was recently unveiled that one of our top politicians (with a very suspiciously high net worth) apparently had a Chinese spy as her driver for 20 years:

https://www.washingtonpost.com/opinions/explain-the-chinese-spy-sen-feinstein/2018/08/09/0560ca60-9bfd-11e8-b60b-1c897f17e185_story.html?noredirect=on&utm_term=.344148eb1f33

3. The latest, potentially huge scandal is this one:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Companies are denying the problem, but Bloomberg is doubling-down. We'll have to see how this ends up:

https://www.theregister.co.uk/2018/10/09/bloomberg_super_micro_china_spy_chip_scandal/

4. I read an article a couple of years ago about Apple's chip manufacturing process in the Foxconn facilities being compromised similar to #3. It coincided with the timing of Apple announcing moving their chip manufacturing back to the US.

5. China's "social credit" system has been getting a lot of recent negative press in the US:

https://www.abc.net.au/news/2018-09-18/china-social-credit-a-model-citizen-in-a-digital-dictatorship/10200278

6. We also recently blocked the Broadcom purchase of Qualcomm due to the national security implications.

Erik Brooks, 2018-10-17

Erik, if this simple research holds any water, Huawei devices phone home (through Chinese networks) in a very unsecure way. It would be easy to hoover up all information of interest in transit.

Volker Weber, 2018-10-17

@vowe: Obseration at work: Certificate pinning is rare.
Even Apple still allows devs bypassing ATS by a single entry in Info.plist.

Martin Kautz, 2018-10-17

Recent comments

Christopher Schmidt on Pepper könnte noch leben at 16:13
Volker Weber on Pepper könnte noch leben at 16:07
Thomas Einwaller on Pepper könnte noch leben at 15:52
Christopher Schmidt on Pepper könnte noch leben at 15:51
Thomas Odorfer on Pepper könnte noch leben at 15:32
Valentin Woelm on Pepper könnte noch leben at 14:50
Volker Weber on Pepper könnte noch leben at 14:40
Thomas Odorfer on Pepper könnte noch leben at 12:19
Ingo Küper on Pepper könnte noch leben at 11:59
Nils Michael Becker on Nothing beats experience at 17:44
Erik Brooks on Apple HomePod :: And the beat goes on at 17:26
Stefan Domanske on Logi R500 :: Klicker für iPhone und iPad at 14:37
Torben Volkmann on Logi R500 :: Klicker für iPhone und iPad at 14:22
Markus Dierker on Logi R500 :: Klicker für iPhone und iPad at 13:32
Christian Ott on Apple HomePod :: And the beat goes on at 13:27
Nina Wittich on Apple HomePod :: And the beat goes on at 12:46
Nina Wittich on Logi R500 :: Klicker für iPhone und iPad at 12:40
Volker Neumann on Logi R500 :: Klicker für iPhone und iPad at 12:37
Frank Quednau on Apple HomePod :: And the beat goes on at 12:30
Friedrich Holstein on Apple Smart Battery Cases at 12:15
Martin Dietze on Stuff that works :: Plantronics Fit 3100 at 11:58
Yves Menge on Apple Smart Battery Cases at 11:48
Volker Weber on Stuff that works :: Plantronics Fit 3100 at 11:27
Martin Dietze on Stuff that works :: Plantronics Fit 3100 at 10:56
Volker Weber on Apple HomePod :: And the beat goes on at 10:51

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 16:42

visitors.gif

buy me coffee

Paypal vowe