What is this report about, and what did we learn?
Additionally, we find that various operating system protections limit the amount of data the WeChat application can gather, and we encourage users to be cautious with sensitive permissions such as location. Many security features in newer Android versions enforce permission boundaries and limit the types of identifiers available to the application.
What is WeChat, and how is it used?
WeChat is the most popular messaging and social media platform in China and third in the world, with over 1.2 billion monthly active users. According to some market research, network traffic from WeChat made up 34% of Chinese mobile traffic in 2018.
Many people inside and outside China use WeChat out of necessity. Besides individuals in China, diaspora populations, family members, journalists, international activists, diplomats, people who do business in China, and nearly anyone with a relationship in China also use WeChat out of necessity.
What is Weixin, and its relation to WeChat?
According to the WeChat Terms of Service, a user who registered with a Chinese phone number (country code +86) is considered a “Weixin user”. Based on the language of both the WeChat and Weixin policies, Tencent appears to characterize Weixin and WeChat as two “services” provided within the same “app”. The two “services” are operated by separate subsidiaries: WeChat International Pte. Ltd. in Singapore for WeChat, and Shenzhen Tencent Computer Systems Company Limited in Shenzhen for Weixin.
In the app, the boundary between these two “services” is not clear. Some features operated by Weixin are available to WeChat users. From our observation, both services also mostly use the same set of servers, and users of the two services can communicate with each other directly.
What are Mini Programs?
Mini Programs are lightweight apps that can be downloaded and launched within the WeChat app. They can also sync and link with users’ WeChat accounts. The breadth and variety of Mini Programs is essentially the same as any other app ecosystem, like the Google Play Store or the Apple App Store. Mini Programs cover e-commerce, health, public services, gaming, and any other service an app may possibly be used for. This also means that many popular Mini Program apps manage sensitive data. Certain apps manage health data, government services, or perform financial transactions on behalf of the user.
How did you conduct this study?
To set the stage for this work, we first developed tools to study WeChat network requests. We then used these tools to identify and analyze data flowing from the WeChat client to the server during the usage of various WeChat features.
What type of data is sent to WeChat servers during Mini Program execution?
The data collection we observed in Mini Programs is likely in place to support the application monitoring and analytics features WeChat offers to developers, namely “We分析” (“WeAnalyze”). However, our analysis finds that all Mini Programs are automatically enrolled in WeAnalyze data collection, with no reasonable way to opt out. To put this into perspective, it would be an equivalent privacy violation if the Google Play Store automatically injected Google Analytics tracking scripts into every application available on the platform.
What other type of data is sent to WeChat servers?
Generally, WeChat collects device and network metadata on top of whatever other data it needs to implement the app’s functionality.
If your location permission is granted to WeChat, WeChat enables the “People Nearby” feature, which collects your location when you are using the application.
Certain features of WeChat send more usage and tracking data than others. Using Mini Programs or Channels, for instance, collects click/page data and tracks your usage of the app.
For a more comprehensive description, check out the full report.
Where are WeChat servers located?
We observed WeChat reporting to servers that are nominally located in Singapore and Hong Kong. The application also has the capability to contact servers in mainland China. Which servers the app uses may be determined based on your IP address location if you are logged out or your registered phone number if you are logged in.
What happens to the data after WeChat/Tencent collects it?
What are the limitations of this work?
This report only looks at the behavior of a recent version of the WeChat mobile Android app. Even though we look at what types of data are sent to WeChat servers, we cannot always definitively say what WeChat servers are doing with that data.
Furthermore, we only investigated the application using a U.S. phone number, which limits our results to the app’s behavior for users who do not have mainland China accounts. We were also unable to test certain features, such as WeChat Pay.
Finally, WeChat is a very large app with many features. Although we do our best to be comprehensive, there may be blind spots in our study in which we may have failed to induce the application conditions necessary for the transmission of certain data.
What are some recommendations for Tencent?
WeChat should also allow users to opt out of extraneous tracking while using “Weixin” services. In particular, WeChat should remove the forced enrollment of Mini Programs in its analysis and tracking features and switch to an opt-in model. Currently, both developers and users are automatically enrolled in the WeAnalyze (We分析) data collection program with little notification, and neither developers nor users have any way to opt out.
For more recommendations, you can read the WeChat recommendations section of our report.
What are some recommendations for users?
For general WeChat users, we can provide a few recommendations:
- Avoid features delineated as “Weixin services” if possible. Many core “Weixin” services (such as Search and Channels) perform more tracking than core “WeChat” services, and by using “Weixin” services your data is shared with an entity operating in Shenzhen, China.
- Use stricter permissions. In modern versions of Android, it is possible to restrict certain permissions (like location access) to only when the application is open on screen or to outright deny these permissions.
- Apply security and operating system updates regularly. Many security features in modern versions of Android enforce permission boundaries and limit the types of identifiers available to applications, and updating regularly ensures you receive such protections as they are released.
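As an added illustration of the second recommendation above (example code written for this page, not a tool from the report or from Citizen Lab), the following POSIX shell script reads the output of `adb shell dumpsys package` for an app, lists the runtime permissions it currently holds, and prints the `adb shell pm revoke` commands that deny the ones on a chosen list. Revoking ACCESS_BACKGROUND_LOCATION while leaving ACCESS_FINE_LOCATION in place is what restricts location to “only while the app is open” on Android 10 and later. The package name com.tencent.mm, the deny list, and the sample dumpsys text are assumptions constructed for this example rather than captures from a real device.

```shell
#!/bin/sh
# Added example (not from the report): audit the runtime permissions an Android app
# currently holds and print the adb commands that would revoke the unwanted ones.
# Assumptions: package name com.tencent.mm (assumed to be WeChat's Android package),
# a device reachable over adb with USB debugging enabled, Android 10+ for the
# background-location permission, and the dumpsys line format shown in SAMPLE below.

PKG="${1:-com.tencent.mm}"

# Permissions to deny outright. ACCESS_BACKGROUND_LOCATION is revoked so that any
# location access the app keeps is limited to while the app is in the foreground.
DENY="android.permission.ACCESS_BACKGROUND_LOCATION android.permission.READ_CONTACTS android.permission.READ_CALL_LOG"

# list_granted: read `dumpsys package <pkg>` output on stdin and print the runtime
# permissions whose state is granted=true, one per line, in the order they appear.
list_granted() {
  awk '
    /^ *runtime permissions:/ { in_block = 1; next }
    in_block && /^ *[A-Za-z0-9_.]+: granted=/ {
      name = $1; sub(/:$/, "", name)
      if ($0 ~ /granted=true/) print name
      next
    }
    in_block && NF > 0 { in_block = 0 }   # first unrelated line ends the block
  '
}

# plan_revokes: read granted permissions on stdin; print one `adb shell pm revoke`
# per permission listed in $DENY, and report the ones left alone on stderr.
plan_revokes() {
  while IFS= read -r perm; do
    case " $DENY " in
      *" $perm "*) echo "adb shell pm revoke $PKG $perm" ;;
      *) echo "keep: $perm" >&2 ;;
    esac
  done
}

# audit: the full pipeline, dumpsys text in, revoke commands out.
audit() {
  list_granted | plan_revokes
}

# Constructed sample of `adb shell dumpsys package com.tencent.mm` output (not a real capture).
SAMPLE='Packages:
  Package [com.tencent.mm] (1a2b3c):
    userId=10123
    User 0: ceDataInode=0 installed=true hidden=false suspended=false stopped=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
        android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
        android.permission.CAMERA: granted=false, flags=[ USER_SET]
    Dexopt state:
      [com.tencent.mm]
'

# Run against the constructed sample so the script works offline. On a real device,
# replace this line with:  adb shell dumpsys package "$PKG" | audit
printf '%s\n' "$SAMPLE" | audit
```

The script only prints a plan; nothing on the device changes until the printed commands are run. Keep in mind that `pm revoke` can restart the target app, and that the set of permission names and the dumpsys layout vary between Android releases, so check the `keep:` lines on stderr for anything the deny list should also cover.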
If I am a high risk user, how can I protect myself?
We caution that no amount of adjustment can make the app completely “safe” under certain high-risk threat models. We can recommend alternative encrypted or anonymous messaging systems, but we also recognize that most WeChat users are on WeChat out of necessity. For high-risk users, we recommend talking to a security professional about your particular concerns to see what you can do to limit, manage, or reduce your exposure to risk while using the app.