Reverse engineering a Huawei phone

by Volker Weber

The US famously does not allow Huawei phones, without further explaining why. Here is a Frenchman reverse engineering some of the apps on a "Huawei P20 from China". The question is whether Huawei phones bought here exhibit the same behavior. Yesterday, Huawei gave away a few hundred of them to influencers at an event in London. Maybe some of them have enough technical clout to investigate this instead of clamoring about three cameras. And then, maybe, turn off their free phones forever.

This guy is on a roll, btw. The other day he found a very basic security flaw in a dating app, exposing all personal data of singles searching for love in support of Donald Trump.

Comments

I don't get it. I'd send the privacy data just one time to a single dedicated endpoint under my control. Encrypted of course. Let the backend spread the stuff...

Martin Kautz, 2018-10-17

The astonishing thing is the use of http instead of https. I have only one theory: It is easier to abuse that data.

Volker Weber, 2018-10-17

@Vowe, I believe that the Huawei phones were banned due to national security concerns:

https://www.cnet.com/news/why-some-of-the-flashiest-huawei-android-p20-p20-pro-mate-10-pro-phones-arent-in-the-us/

Unfortunately there seems to be growing evidence of "bad actor" concerns with China. Some of these are only just now coming to light, but based on the broad scope it is appearing more and more likely that the US government has had concerns with China for years:

1. We (the US) are very much in a trade war with China, claimed to be due to their abuse of US intellectual property rights.

2. It was recently unveiled that one of our top politicians (with a very suspiciously high net worth) apparently had a Chinese spy as her driver for 20 years:

https://www.washingtonpost.com/opinions/explain-the-chinese-spy-sen-feinstein/2018/08/09/0560ca60-9bfd-11e8-b60b-1c897f17e185_story.html?noredirect=on&utm_term=.344148eb1f33

3. The latest, potentially huge scandal is this one:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

Companies are denying the problem, but Bloomberg is doubling-down. We'll have to see how this ends up:

https://www.theregister.co.uk/2018/10/09/bloomberg_super_micro_china_spy_chip_scandal/

4. I read an article a couple of years ago about Apple's chip manufacturing process in the Foxconn facilities being compromised similar to #3. It coincided with the timing of Apple announcing moving their chip manufacturing back to the US.

5. China's "social credit" system has been getting a lot of recent negative press in the US:

https://www.abc.net.au/news/2018-09-18/china-social-credit-a-model-citizen-in-a-digital-dictatorship/10200278

6. We also recently blocked the Broadcom purchase of Qualcomm due to the national security implications.

Erik Brooks, 2018-10-17

Erik, if this simple research holds any water, Huawei devices phone home (through Chinese networks) in a very unsecure way. It would be easy to hoover up all information of interest in transit.

Volker Weber, 2018-10-17

@vowe: Observation at work: Certificate pinning is rare.
Even Apple still allows devs to bypass ATS by a single entry in Info.plist.

Martin Kautz, 2018-10-17
