Reverse engineering a Huawei phone

by Volker Weber

The US famously does not allow Huawei phones, without further explaining why. Here is a frenchman reverse engineering some of the apps on a "Huawei P20 from China". The question is if Huawei phones bought here exhibit the same behavior. Yesterday, Huawei gave away a few hundred of them to influencers at an event in London. Maybe some of them have enough technical clout to investigate this instead of clamoring about three cameras. And then, maybe, turn off their free phones forever.

This guy is on a roll, btw. The other day he found a very basic security flaw in a dating app, exposing all personal data of singles searching for love in support of Donald Trump.

Comments

I don't get it. I'd send the privacy data just one time to a single dedicated endpoint under my control. Encrypted of course. Let the backend spreading the stuff...

Martin Kautz, 2018-10-17

The astonishing thing is the use of http instead of https. I have only one theory: It is easier to abuse that data.

Volker Weber, 2018-10-17

@Vowe, I believe that the Huawei phones were banned due to national security concerns:

https://www.cnet.com/news/why-some-of-the-flashiest-huawei-android-p20-p20-pro-mate-10-pro-phones-arent-in-the-us/

Unfortunately there seems to be growing evidence of "bad actor" concerns with China. Some of these are only just now coming to light, but based on the broad scope it is appearing more and more likely that the US government has had concerns with China for years:

1. We (the US) are very much in a trade war with China, claimed to be due to their abuse of US intellectual property rights.

2. It was recently unveiled that one of our top politicians (with a very suspiciously high net worth) apparently had a Chinese spy as her driver for 20 years:

https://www.washingtonpost.com/opinions/explain-the-chinese-spy-sen-feinstein/2018/08/09/0560ca60-9bfd-11e8-b60b-1c897f17e185_story.html?noredirect=on&utm_term=.344148eb1f33

3. The latest, potentially huge scandal is this one:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Companies are denying the problem, but Bloomberg is doubling-down. We'll have to see how this ends up:

https://www.theregister.co.uk/2018/10/09/bloomberg_super_micro_china_spy_chip_scandal/

4. I read an article a couple of years ago about Apple's chip manufacturing process in the Foxconn facilities being compromised similar to #3. It coincided with the timing of Apple announcing moving their chip manufacturing back to the US.

5. China's "social credit" system has been getting a lot of recent negative press in the US:

https://www.abc.net.au/news/2018-09-18/china-social-credit-a-model-citizen-in-a-digital-dictatorship/10200278

6. We also recently blocked the Broadcom purchase of Qualcomm due to the national security implications.

Erik Brooks, 2018-10-17

Erik, if this simple research holds any water, Huawei devices phone home (through Chinese networks) in a very unsecure way. It would be easy to hoover up all information of interest in transit.

Volker Weber, 2018-10-17

@vowe: Obseration at work: Certificate pinning is rare.
Even Apple still allows devs bypassing ATS by a single entry in Info.plist.

Martin Kautz, 2018-10-17

Recent comments

Frank Köhler on Lange erwartet :: Neue AirPods at 18:55
Jochen Schug on Lange erwartet :: Neue AirPods at 17:28
Michael Hertlein on Lange erwartet :: Neue AirPods at 16:52
Friedrich Holstein on Lange erwartet :: Neue AirPods at 16:41
Volker Weber on Lange erwartet :: Neue AirPods at 14:43
Michael Hertlein on Lange erwartet :: Neue AirPods at 13:44
Stefan Kremer on Lange erwartet :: Neue AirPods at 12:44
Volker Weber on Invoxia Triby :: Ein starker Zwerg at 10:44
Frank Köhler on Lange erwartet :: Neue AirPods at 21:00
Sven Bühler on Lange erwartet :: Neue AirPods at 20:44
Dominique Roller on Lange erwartet :: Neue AirPods at 20:05
Martin Kirchler on Lange erwartet :: Neue AirPods at 16:12
Volker Weber on Lange erwartet :: Neue AirPods at 16:06
Roland Dressler on Lange erwartet :: Neue AirPods at 15:31
Dietmar Liehr on Gestern in der Tagesschau at 12:55
Torsten Armbruster on Invoxia Triby :: Ein starker Zwerg at 12:49
Markus Dierker on Invoxia Triby :: Ein starker Zwerg at 12:06
Volker Weber on Now is a good time to buy a new iMac at 11:28
Axel Borschbach on Now is a good time to buy a new iMac at 11:24
Maik Endler on Orientierung im iPad-Angebot at 09:34
Volker Weber on Gestern in der Tagesschau at 09:12
Manfred Wiktorin on Gestern in der Tagesschau at 09:09
Rafael Mayoral on Orientierung im iPad-Angebot at 07:33
Bernd Hofmann on Gestern in der Tagesschau at 05:31
Volker Weber on Orientierung im iPad-Angebot at 00:27

Ceci n'est pas un blog

I explain difficult concepts in simple ways. For free, and for money. Clue procurement and bullshit detection.

vowe

Contact
Publications
Stuff that works
Amazon Wish List
Frequently Asked Questions

rss feed  twitter  amazon

Local time is 21:32

visitors.gif

buy me coffee

Paypal vowe