Reverse engineering a Huawei phone

by Volker Weber

The US famously does not allow Huawei phones, without further explaining why. Here is a frenchman reverse engineering some of the apps on a "Huawei P20 from China". The question is if Huawei phones bought here exhibit the same behavior. Yesterday, Huawei gave away a few hundred of them to influencers at an event in London. Maybe some of them have enough technical clout to investigate this instead of clamoring about three cameras. And then, maybe, turn off their free phones forever.

This guy is on a roll, btw. The other day he found a very basic security flaw in a dating app, exposing all personal data of singles searching for love in support of Donald Trump.

Comments

I don't get it. I'd send the privacy data just one time to a single dedicated endpoint under my control. Encrypted of course. Let the backend spreading the stuff...

Martin Kautz, 2018-10-17

The astonishing thing is the use of http instead of https. I have only one theory: It is easier to abuse that data.

Volker Weber, 2018-10-17

@Vowe, I believe that the Huawei phones were banned due to national security concerns:

https://www.cnet.com/news/why-some-of-the-flashiest-huawei-android-p20-p20-pro-mate-10-pro-phones-arent-in-the-us/

Unfortunately there seems to be growing evidence of "bad actor" concerns with China. Some of these are only just now coming to light, but based on the broad scope it is appearing more and more likely that the US government has had concerns with China for years:

1. We (the US) are very much in a trade war with China, claimed to be due to their abuse of US intellectual property rights.

2. It was recently unveiled that one of our top politicians (with a very suspiciously high net worth) apparently had a Chinese spy as her driver for 20 years:

https://www.washingtonpost.com/opinions/explain-the-chinese-spy-sen-feinstein/2018/08/09/0560ca60-9bfd-11e8-b60b-1c897f17e185_story.html?noredirect=on&utm_term=.344148eb1f33

3. The latest, potentially huge scandal is this one:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Companies are denying the problem, but Bloomberg is doubling-down. We'll have to see how this ends up:

https://www.theregister.co.uk/2018/10/09/bloomberg_super_micro_china_spy_chip_scandal/

4. I read an article a couple of years ago about Apple's chip manufacturing process in the Foxconn facilities being compromised similar to #3. It coincided with the timing of Apple announcing moving their chip manufacturing back to the US.

5. China's "social credit" system has been getting a lot of recent negative press in the US:

https://www.abc.net.au/news/2018-09-18/china-social-credit-a-model-citizen-in-a-digital-dictatorship/10200278

6. We also recently blocked the Broadcom purchase of Qualcomm due to the national security implications.

Erik Brooks, 2018-10-17

Erik, if this simple research holds any water, Huawei devices phone home (through Chinese networks) in a very unsecure way. It would be easy to hoover up all information of interest in transit.

Volker Weber, 2018-10-17

@vowe: Obseration at work: Certificate pinning is rare.
Even Apple still allows devs bypassing ATS by a single entry in Info.plist.

Martin Kautz, 2018-10-17

Recent comments

Nils Michael Becker on satellite für Android ist fertig at 09:36
Stefan Brandl on May Android Updates :: Samsung wins again at 21:03
Manfred Wiktorin on May Android Updates :: Samsung wins again at 20:33
Roland Dressler on How to make boring software look sexy :: Exhibit 1 Microsoft at 13:13
Hubert Stettner on May Android Updates :: Samsung wins again at 12:40
Hubert Stettner on How to make boring software look sexy :: Exhibit 1 Microsoft at 12:39
David Guillaume on May Android Updates :: Samsung wins again at 12:03
Lars Berntrop-Bos on May Android Updates :: Samsung wins again at 11:54
Martin Kautz on Externe SSD mit USB-C für aktuell 88 Euro at 11:07
Volker Weber on May Android Updates :: Samsung wins again at 10:36
Felix Kluge on May Android Updates :: Samsung wins again at 10:35
Thomas Cloer on Vipp 501 :: From my inbox at 10:12
Manfred Wiktorin on satellite für Android ist fertig at 10:05
Markus Heyl on Typ-2-Diabetes lässt sich wohl wieder zurückdrängen #dontbreakthechain at 09:51
Volker Weber on satellite für Android ist fertig at 09:44
Dirk Hagedorn on satellite für Android ist fertig at 09:43
Sami Bahri on No Limits at 07:12
Nick Coenen on No Limits at 02:58
Robert Schneider on Typ-2-Diabetes lässt sich wohl wieder zurückdrängen #dontbreakthechain at 18:28
Armin Grewe on Yancey Strickler :: The Internet is Becoming a Dark Forest at 17:44
Till Nachtmann on Yancey Strickler :: The Internet is Becoming a Dark Forest at 16:33
Volker Weber on Yancey Strickler :: The Internet is Becoming a Dark Forest at 15:22
Volker Weber on If you build barriers, people will build around you. If you are lucky. at 15:07
Armin Grewe on Yancey Strickler :: The Internet is Becoming a Dark Forest at 11:28
Theo Heselmans on If you build barriers, people will build around you. If you are lucky. at 11:13

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 13:42

visitors.gif

buy me coffee

Paypal vowe