What is this report about, and what did we learn?
This report analyzes privacy issues with popular app WeChat by reviewing the data collected by the app and sent to WeChat servers during the regular operation of its various features. We find that they collect more usage data than is disclosed in the WeChat privacy policy.
Specifically, we find that WeChat collects activity and usage logs when users run Mini Programs. The WeChat privacy policy implies that only the third-party developers of a Mini Program collect this data, when in fact WeChat itself collects a vast amount of it. For the average user, this means that your identity and activities on Mini Programs are disclosed to WeChat without an informed way to opt out of this data collection. This poses a privacy risk in itself, and it is also unknown how WeChat might use that information.
Additionally, we find that various operating system protections limit the amount of data the WeChat application can gather, and we encourage users to be cautious with sensitive permissions like location. Many new security features in newer Android versions seek to enforce permission boundaries and limit the types of identifiers available to the application.
What is WeChat, and how is it used?
WeChat is the most popular messaging and social media platform in China and third in the world, with over 1.2 billion monthly active users. According to some market research, network traffic from WeChat made up 34% of Chinese mobile traffic in 2018.
Many inside and outside China use WeChat out of necessity. Besides individuals in China, diaspora populations, family members, journalists, international activists, diplomats, people who do business in China, and just about anyone with a relationship in China are also using WeChat out of necessity.
What is Weixin, and its relation to WeChat?
According to the WeChat Terms of Service, if the user registered using a Chinese phone number (country code +86), they are considered a “Weixin user”. Tencent appears to characterize Weixin and WeChat as two “services” provided within the same “app” based on the language of both WeChat and Weixin’s policies. Both “services” are operated by two separate subsidiaries (WeChat International Pte. Ltd. in Singapore and Shenzhen Tencent Computer Systems Company Limited for Weixin).
In the app, the boundary between these two “services” is not clear. There are features operated by Weixin that are available to WeChat users. From our observation, both services also mostly use the same set of servers, and users of both services can communicate directly with each other.
What are Mini Programs?
Mini Programs are lightweight apps that can be downloaded and launched within the WeChat app. They can also sync and link with users’ WeChat accounts. The breadth and variety of Mini Programs is essentially the same as any other app ecosystem, like the Google Play Store or the Apple App Store. Mini Programs cover e-commerce, health, public services, gaming, and any other service an app may possibly be used for. This also means that many popular Mini Program apps manage sensitive data. Certain apps manage health data, government services, or perform financial transactions on behalf of the user.
How did you conduct this study?
To set the stage for this work, we first developed tools to study WeChat network requests. We then used these tools to identify and analyze data flowing from the WeChat client to the server during the usage of various WeChat features.
What type of data is sent to WeChat servers during Mini Program execution?
The data collection observed on Mini Programs is likely in place to enable the application monitoring and analytics features provided by WeChat, namely “We分析” or “WeAnalyze”. However, from our analysis, we find that all Mini Programs are automatically enrolled in the WeAnalyze program and its data collection, and there is no reasonable way to opt out. To put this data collection into perspective, it would be an equivalent privacy violation if the Google Play Store automatically injected Google Analytics tracking scripts into every application available on the platform.
What other type of data is sent to WeChat servers?
Generally, WeChat collects device and network metadata on top of whatever other data it needs to implement the app’s functionality.
If your location permission is granted to WeChat, WeChat enables the “People Nearby” feature, which collects your location when you are using the application.
Certain features of WeChat send more usage and tracking data than others. Using Mini Programs or Channels, for instance, collects click/page data and tracks your usage of the app.
For a more comprehensive description, check out the full report.
Where are WeChat servers located?
We observed WeChat reporting to servers that are nominally located in Singapore and Hong Kong. The application also has the capability to contact servers in mainland China. Which servers the app uses may be determined based on your IP address location if you are logged out or your registered phone number if you are logged in.
What happens to the data after WeChat/Tencent collects it?
Using our methodology we cannot definitively say what happens to data after WeChat or Tencent collects it, since we are studying client behaviors. WeChat’s privacy policy specifies retention periods for certain types of data, like location data, log data, and messaging data. The privacy policy also provides conditions in which user data may be shared with Weixin, a service operated in Shenzhen, China, such as by communicating with users with mainland China accounts. However, we note that Weixin’s privacy policy does not specify any retention periods. Furthermore, previous research has observed that even communications entirely among North American accounts were still used to secretly train Weixin’s Chinese political censorship system.
What are the limitations of this work?
This report only looks at the behavior of a recent version of the WeChat mobile Android app. Even though we look at what types of data are sent to WeChat servers, we cannot always definitively say what WeChat servers are doing with that data.
Furthermore, we only investigated the application using a U.S. phone number, which limits the scope of our results to understanding the app’s behavior for users who do not have mainland China accounts. We also cannot test certain features, such as WeChat Pay.
Finally, WeChat is a very large app with many features. Although we do our best to be comprehensive, there may be blind spots in our study in which we may have failed to induce the application conditions necessary for the transmission of certain data.
Does the privacy policy address all of the data that is collected by the application?
Not quite. For certain core features, such as Messaging and Moments, the WeChat privacy policy addresses the data that is collected. However, according to WeChat’s privacy policy, the features with the most invasive tracking behavior, such as Search and Channels, are considered features run by a “third-party entity” named Weixin, a service operated in Shenzhen, China.
Though WeChat makes a separation between “WeChat” and “Weixin” services in the privacy policy, there is no such observable distinction on the application itself. All of the data collected by “WeChat features” and “Weixin features” are transmitted to the same servers.
The WeChat privacy policy also states that it will only share data with Weixin as necessary. However, app usage tracking for analytics is not necessary for the operation of the platform. In addition, we note that prior research found that non-mainland-Chinese user data was being used to train censorship algorithms for mainland-Chinese users.
In addition, the WeChat privacy policy implies that only third-party privacy practices and policies govern Mini Programs, when in fact WeChat/Weixin also collect a large amount of data. Mini Programs are not listed as subject to the Weixin privacy policy; instead, they are listed under “Weixin Open Platform,” which is governed only by third-party privacy policies.
What are some recommendations for Tencent?
Since there is no meaningful app distinction between features operated by WeChat or Weixin, WeChat’s privacy policy should cover “Weixin features” so that users may better understand how their data is handled when shared with the Shenzhen-based service.
WeChat should also allow users to opt out of extraneous tracking during usage of “Weixin” services. In particular, WeChat should remove forced enrollment of Mini Program analysis and tracking features and switch to an opt-in model. Currently, both developers and users are automatically enrolled into the WeAnalyze (We分析) data collection program with little notification. There is currently no way to opt out of the program for either developers or users.
For more recommendations, you can read the WeChat recommendations section of our report.
What are some recommendations for users?
For general WeChat users, we can provide a few recommendations:
- Avoid features delineated as “Weixin services” if possible. Many core “Weixin” services (such as Search and Channels) perform more tracking than core “WeChat” services, and by using “Weixin” services your data is shared with an entity operating in Shenzhen, China.
- Use stricter permissions. In modern versions of Android, it is possible to restrict certain permissions (like location access) to only when the application is open on screen or to outright deny these permissions.
- Apply regular security and operating system updates. Many new security features on modern versions of Android are working to enforce permission boundaries and limit certain types of identifiers that are available to the application. We recommend regularly updating for additional security features down the line.
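As an added example (not part of the original report), the following POSIX shell script shows one way to check which runtime permissions an installed app currently holds and to prepare the corresponding revocations, using the text format that `adb shell dumpsys package <package>` prints. The dumpsys excerpt embedded in the script is constructed for illustration, and the package name `com.tencent.mm` is assumed to be WeChat's Android package name (the report does not state it).

```shell
#!/bin/sh
# Added example: audit granted Android runtime permissions from a dumpsys dump.
# The sample dump below is constructed; on a real device, capture one with
#   adb shell dumpsys package com.tencent.mm > wechat_dumpsys.txt
# (com.tencent.mm is assumed to be WeChat's package name; not stated in the report.)

PKG="com.tencent.mm"

# Constructed sample in the shape of `dumpsys package` output (Android 10+).
SAMPLE_DUMP="$(mktemp)"
cat > "$SAMPLE_DUMP" <<'EOF'
  install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
  User 0: installed=true hidden=false stopped=false
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET]
EOF

# Print every permission the dump marks granted=true, one per line.
granted_permissions() {
  sed -n 's/^[[:space:]]*\(android\.permission\.[A-Z_]*\): granted=true.*/\1/p' "$1"
}

# Keep only permissions that expose sensitive user data
# (location, contacts, microphone, camera, SMS, telephony state).
sensitive_granted() {
  granted_permissions "$1" | grep -E 'LOCATION|CONTACTS|RECORD_AUDIO|CAMERA|SMS|PHONE' || true
}

# Emit (but do not run) the adb commands that would revoke each sensitive
# granted permission, so the list can be reviewed before it is applied.
revoke_commands() {
  sensitive_granted "$2" | while IFS= read -r perm; do
    printf 'adb shell pm revoke %s %s\n' "$1" "$perm"
  done
}

echo "Sensitive permissions currently granted:"
sensitive_granted "$SAMPLE_DUMP"
echo
echo "Commands to revoke them (review before running):"
revoke_commands "$PKG" "$SAMPLE_DUMP"
```

`pm revoke` denies a permission outright; the "only while using the app" choice for location that the recommendation above mentions is made in the Android settings UI rather than from the shell. If a feature you rely on stops working after a revocation, `adb shell pm grant <package> <permission>` restores it.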
If I am a high risk user, how can I protect myself?
We caution that no amount of adjustment can make the app completely “safe” for certain high-risk threat models. We can recommend alternative encrypted or anonymous messaging systems, but we also recognize that most WeChat users are on WeChat out of necessity. For high-risk users, we recommend talking to a security professional about your particular concerns to see what you can do to limit, manage, or reduce your exposure to risk while using the app.