Police forcing me to install Jingwang spyware app, how to minimize impact?

  • Chinese police are forcing whole cities to install an Android spyware app Jingwang Weishi. They are stopping people in the street and detaining those who refuse to install it.

    Knowing that I may be forced to install it sooner or later, what are my options to prepare against it?

    Ideally:

    • Make it appear like the app is installed and working as intended,
    • without having it actually spy on me.

    The app is downloadable and documented. It basically sends the IMEI and other phone metadata, as well as file hashes, to a server. It also monitors messages sent via otherwise secure apps. I don't know whether it includes sophisticated anti-tempering features or not.

    I can't afford two phones nor two contracts, so using a second phone is not a viable option for me.

    How do police check whether or not the application is installed?

    @forest: They just take the phone, find the app, open it, and check some status screen, I presume.

    Then it is very possible that you could use a dummy program which mimics the interface/behavior of this spyware. Perhaps you could even use the spyware itself, but "crippled" (i.e. use a firewall to prevent it from accessing the internet, assuming its status screen won't give away the fact that it is unable to contact the server).

    The status screen will almost certainly give away any attempts to firewall the app, drawing more attention to you when they see that your internet connection is working.

    @trogdor of course the problem is the risk of doing things wrong (or not fully understanding the ecosystem and getting caught as a result). I imagine the consequences for getting caught trying to fool the police/app are not going to be small...

    Isn't the cliche in the security world that, if an attacker has physical access to your device, it isn't your device anymore? It's not hard to imagine that some clever attempts to evade the spyware might work in the short-term (at the risk of provoking law enforcement), but if they're really going around forcing everyone to convert, they'll likely just get more adept and aggressive about it in the near future.

    Most of the people here's primary experience with security will be in a corporate setting. The attitudes, adversaries, and resulting threat models are pretty fundamentally different from those of a citizen in a totalitarian setting. Professional infosec thinking can usually rely on law enforcement as an ally or at least as non-hostile; the rules are very different when they are your adversary. None of the existing answers address how to deal with an adversary who can make you disappear if they discover attempts to resist them. That's simply not a threat faced by most security professionals.

    None of the answers mention this. It's a pretty bad idea to present a solution as universal when it could be devastatingly insufficient to some people. This is meant to be a reference site, that presents canonical answers to questions. None of these answers limit their scope appropriately. Also, the camps are only one risk. The Chinese government takes very poorly to activism of any sort, and if someone's interested in preventing government spyware from being installed on their phone then chances are they don't view their government with very high regard.

    @dn3s no one is presenting a "universal answer". They are all ideas. And while the site strives to be canonical, no one can assume that all accepted answers are.

    When contemplating circumvention measures always keep in mind the resources and possible responses of those imposing whatever you're trying to get around. No matter how clever and tech savvy you are you're unlikely to be better than the combined capabilities of a state funded security team looking for people circumventing monitoring measures. Don't make the mistake of assuming that your opposition is stupid or incompetent and that they will remain that way.

    If you have a potential answer, please post as answers. If you wish to discuss details in other comments, please take to chat. If you want to discuss philosophy, there's a Stack Exchange for that.

    Comments are not for extended discussion; this conversation has been moved to chat.

    What if you don't have an Android phone? What if you had a feature phone instead? Or an iPhone / Windows Phone / FireFox / Blackberry? (this may be a stupid question, but I don't know anything about phone providers in China)

    I can't leave an answer due to the protection element (been lurking, don't have enough non-bonus points). You need to work out how they validate or prove it's been installed. If you can create a 'dummy' copy of the spyware, install that, so when it's physically checked it appears to be working, then you can say 'it's already been installed officer', but that takes a great risk (if they verify it technologically, it'd need to be a working version). You also need to ask yourself what you need the phone for (I presume it isn't just for calls) - is there something else that could do it's job?

    While not an answer, since this might vary from phone to phone, on my Samsung S8 I have a "My Safe" (or however it's called in English) - part of Samsung Knox security suite, an isolated part of the phone where non-authorized apps don't have access. It can be used to take pictures and data securely (data is encrypted) - this data SHOULD be safe from the prying "eyes" of other installed apps (unless explicitly given access to the safe). That said, if your phone is rooted and / or you don't have this feature, then this solution (obviously) won't work.

    You, or someone with experience, can: 1. Download the app (.APK) 2. Decode the app and read the code 3. Remove API calls / bad functionality / etc. 4. Build app and run it on you phone (you can send the file on mail) Now you have the exact same app without the bad things. It looks the same both icon and functionality, but it doesn't send your info to the "bad" guys. :)

    It would be helpful to know why Citizen wants to avoid being spied on, and how much time and effort they are willing to put in to do so. If the goal(s) and how important they are, absolutely and relatively, are clarified, the answers can be more tailored. Citizen, are you still around to answer?

    Is this happening only in Xinjiang (and possibly Tibet)? Or also even in the "Han heartland" cities (Beijing, Shanghai, etc.)?

  • This may not be the answer you will be happy with but how about abstaining from having any undesirable data inside your phone in the first place and instead using the right tool for the job?

    According to Wikipedia:

    The app records information about the device it is installed on, including its [...] IMEI, the phone's model and manufacturer, and the phone number. The app searches the phone for images, videos, audio recordings, and files [...]

    So, instead of trying to tamper with this spyware in any way (which can get you in a much bigger trouble), simply don't do anything suspicious on this phone and let this app do its job. Prepare against it by not having any photos, videos, audios, file, etc., and instead use the right tool for the job. Use some other secure software/hardware to connect to internet, use encrypted email provider and do all of your communication through the computer where you can do communication safely, and store all of your files somehow in a safe place (encrypted, somewhere on computer or USB, etc). Pretend to be an obedient citizen and use the right tool for the job to do whatever it is you don't want your government to find out.

    Some people may wonder why bother having a phone in the first place (and FYI, I asked the same question under OP's question, for clarification). My answer is:

    1. to make phone calls (and have conversations which are not going to be considered by Chinese government suspicious, in case they are tracking that too)
    2. to use it as a "red herring" - if police asks you to give them your phone you won't have to lie to them that you have no phone, or worry that they will find out that you tampered with app, or get in trouble if you don't have app, etc. You'll just confidently give them phone, with no "illegal" information on it, they will check it, and walk away. You may, actually, even have some "red herring" files: pictures of nature, shopping list (milk, eggs, etc.), etc., just so that they wouldn't suspect that you deliberately not using your phone for such purposes, and harass you farther.

    I mean, not long ago mobile phones didn't even have the ability to store pictures, videos, files, etc.

    Are you willing to put your life in danger simply because you want to have some files on your phone?

    Tough times require tough decisions.

    Comments are not for extended discussion; this conversation has been moved to chat.

    Reminds me of the alleged habit of New York City inhabitants of the 1970s and -80s, when crime was at a high, to carry two wallets -- one with 20 dollars or so for a mugger and the other one with the real valuables. (Any parallels between police and muggers are, of course, entirely coincidental.)

  • Get a phone which doesn't support Android apps.

    Why are so many of the answers complex? And not just complex, fragile and suspicious and downright dangerous to the questioner?

    You want to use your phone to send messages and make calls, right? You don't want this app installed, right?

    Say hello to your new phone:

    Enter image description here

    Good luck getting an Android app running on this.

    It's probably not illegal to have an old phone.

    *It's probably not illegal to have a crappy old phone.*, op would need to make very sure that is indeed the case.

    Be wary - my nokia 6310 supported Java, and stored up to 102 kbytes of JAR files. And even worse, it was java.

    @Criggie While possible that they've got a java version of the app... I'm betting they didn't get into that nightmare and just wave people on if their phone doesn't support the app.

    I agree with you. Getting this type of phone is the best solution IFF this won't draw suspicion from police even farther. I asked OP in comments if he can get simple phone or live without of phone at all, but didn't get reply and now my comment is deleted. Whatever. Regardless, additional "benefit" of keeping android phone with running app is for it to be "red herring". You give up a little bit of privacy in order to not get yourself into an even **bigger trouble**. What's better: government knowing exactly where you are at any time or sitting in jail?

    Only problem, they can still listen to all your calls, read your text and track your whereabouts through carrier surveillance. May be worth mentioning.

    @Daniel sure, but that's a given with any phone. If you really want to communicate securely and want something low-profile get the version with basic internet and get a java app that can encrypt chat then bury the java app between a dozen Snake clones and make sure it doesn't save any history.

    You can get one of these with Bluetooth tethering (my Nokia candybar in 2009 did it) and carry an "unphone" Android device with no SIM card that you run actual apps on.

    @Murphy So you are actually recommending a phone without any available security updates while it's still possible to run arbitrary code on it? Despite that: Where's the difference to a smartphone where most of the 'smart' features are simply not used?

    @Noir A phone which has rarely seen serious security issues, low feature and incapable of installing the app which the questioner specifically wants to avoid having installed on their phone. Random chinese cops are not going to start looking through the java API for the phone to code up a custom java version of the app in question. Regardless of whether someone could theoretically write it. I'm talking practice rather than theory.

    Sadly, from what I've heard - having a non-smart phone *does* cause you problems in that province.

    Something like the upcoming Librem 5 that's a smartphone but can't run Android apps and isn't mainstream enough for them to develop a specific application for might also work, but only if their response to not being able to use their tracking app isn't going to be just stapling a transponder tag to your ear...

    @Murphy Police will likely start developing on this phone if they notice that most dissidents they track have a Nokia 3310. Or, well, maybe not even: Have a 3310? They assume you have something to hide and start tracking you.

    @Criggie I used Java apps a lot on on a more modern phone than this one, and they don't run unless you select them, and you can't do anything else while one is running.

    Could also get a Blackberry or an iPhone I suppose as well.

    JavaME applications do not support spying at all.

    @dim I guess non-smart phones have not disappeared of china. You will look more suspicious with a "Librem 5".

    The Gibbs method, i approve! :D

    I do not understand why this answer has so many up votes. One should not stop using technological devices just because some entity can spy on you. Would you stop using your computer and starting using traditional letters to communicate with people, knowing that there is a risk that someone can spy your computer, or that someone is doing it? Or you would rather try to find a solution to that problem and keep using your computer?

    @PedroGomes I disagree. If a technical device is too unsafe, then it is only prudent to stop using it and find an alternative. Of course, if you can still safely use them then you should do so, but that's not always possible. Switching to a different technique _is_ a valid solution to certain threats. Consider an obvious example: If you are a prisoner and wish to communicate outside the prison but the prison has GSM jamming equipment set up, do you try to use a cell phone anyway despite it being a nearly unsurmountable task or do you pass paper notes to someone who can deliver them covertly?

    You will definitely rise suspicion with this phone. Human rights watch analyzed an app which was used to track the behavior of people living in the Xinjiang region. (This is also where the Jingwang is used) Here's an excerpt of their report: `[..] The app’s source code also reveals that the police platform targets 36 types of people for data collection.Those include people who have stopped using smart phones [..]`. You can find the report here: https://www.hrw.org/video-photos/interactive/2019/05/02/china-how-mass-surveillance-works-xinjiang

  • This is a tricky one. It goes without saying, but it's also a dangerous one. Attempting to circumvent these restrictions and getting caught doing so will potentially cause a lot of legal trouble. If they throw people in jail for refusing to install the app, I wouldn't want to figure out what they do to people circumventing the app restrictions. It is especially relevant because even experts in tech security have gotten caught by their governments despite extensive safeguards (the founder of Silk Road is a great example and is now serving a life sentence). Granted, evading this app is most likely a much less serious "crime", but the Chinese government isn't exactly known for lenience here. So while I would like to answer your question, please don't take this as me suggesting that you actually do any of this. I consider myself a tech-expert, but I still wouldn't do it.

    Still, to answer your question, you have a few options. I won't bother mentioning the "Get a second phone" option because you've already ruled that out.

    1. Virtual Machine/Dual Boot

    There are some options for "dual booting" android phones. I don't have any examples to immediately link to (software suggestions are off topic here anyway) but there are options. If you can get your phone to dual boot then you can install the tracking software on one ROM and then do all your personal stuff on the other. You may need to put some basic information on the ROM with the tracking app installed just so you don't raise too many flags.

    Of course there are still risks here: risks that they might reboot your phone and notice, risks that they might realize you have a completely different system installed next to the tracked one, and the simple risk that you would go out and about and forget to reboot into the "tracked" system, allowing a police officer to find and install the tracking app on your actual system.

    2. App modification/interceptors

    If this app creates enough bad press it is possible that anti-tracking apps or hacked versions of this app may start floating around that try to automatically protect you from it. I would not expect there to be any general tools already available that would protect you from this, so this is something that would simply take lots of googling or (perhaps) requests to the right people. This has a major downside that unless you are an expert at reverse engineering, there isn't much to do to make this happen. It's also hard to estimate what the risks of detection are. That will obviously vary wildly depending on the skill level of the person who put it together.

    3. Server Spoofing

    Depending on your level of technological know-how you might be able to put something together yourself (note: this is not for novices). Based on what I know and my experience in this area, I'm going to try to summarize some details about what a server-spoofing measure might look like. Again, I'm not summarizing this because I think you should do it, but because understanding how things like this operate can be generally informative and also help understand the risks there-in.

    Built-in security

    First, we need to understand how this spying app might secure itself. From all information available so-far, the answer is "it doesn't". This is a pretty simple conclusion to come to because the app communicates exclusively through http. It is very easy to intercept http requests, either from the device itself (if your phone is rooted) or with network sniffing tools on a computer attached to the same network as the device. Most likely it is also very possible to easily figure out how the app authenticates itself with the end-server and how the end-server authenticates itself with the app. In all likelihood there is no authentication in either direction, which means that spoofing requests in either direction is trivially easy. This might be hard to believe (given that a country like China sets aside lots of resources to invasive technology like this), but the reality is that if the people who developed this app wanted to secure it from outside tampering, using HTTPS for transit would be the very first step to perform. It is cheap, easy, and very effective. The lack of HTTPS means that it is very likely that there is no actual security in this ecosystem, which is a plus for anyone trying to evade it.

    Sniff all traffic coming out of this app to determine what requests/responses it makes

    This is the first step. By watching the traffic leaving this app (which can be easily intercepted in the network itself since there is no SSL encryption) you can figure out what requests it sends to the destination server and what responses it expects back. Understanding the underlying API is critical, but easy due to the lack of encryption. This will also let you know if there is any authentication happening in either direction. If there is, you can at least see the full request and responses, so you can most likely figure out how to spoof it. It is possible that there is some hard-to-reverse-engineer authentication going back and forth, but again, given the lack of basic encryption, I doubt there is any such thing built in.

    Figure out if the app is talking to a domain name or IP address

    The destination server the app is talking to is either found via a DNS lookup or has its IP address hard-coded in the app. In the event of the former you can edit the DNS for your android phone to repoint it to a different server, including one running on your phone. In the event of a hard-coded IP address you will similarly have to redirect all traffic to that IP address to your local android phone (presumably you can do this with Android - you can with other operating systems, but you would definitely have to root your phone).

    Setup a replacement server

    You then setup a local server that responds to all requests just like the server did in your initial spoofing. You would have to get this server to run on your phone itself, that way it is always available. This doesn't necessarily have to be complicated (although that depends on how detailed the actual server interaction is), as you don't actually care about keeping any data on hand. You just need to make sure that you provide valid responses to all requests.

    Risks:

    1. The app may auto-update itself (although your mock-server may make this impossible) and point to new domains/ip addresses, suddenly removing your protections
    2. If there is an auto-update functionality and your end up unintentionally killing it (which would be good per point #1 above), a police officer may notice that it is not properly updated, flag you for "extra" checking, and discover what you are doing.
    3. They may do server-side tracking and discover what you are doing because they don't find any data on their end for your particular IMEI (because your mock-server acts like a black-hole and sucks up everything). Even if you send spoofed requests there will be easy ways for them to determine that (imagine the police copy a blacklisted image to your phone and discover that the app doesn't block/report it)
    4. They may have root-checking in the app itself, which will cause you problems

    Actually, that's it

    I was trying for a longer list but that is really what it all boils down to. Short of not carrying around a phone or purchasing a separate one, these are about your only options. For reference, I haven't gone into details about the server spoofing because I think you're necessarily going to go out and do it. If anything, I've gone through it because it gives opportunity to talk through the risks in more detail, and those should make it clear that there are a lot of risks. Even if you find a solution from someone, they have to deal with all of these same risks (or ones like it). Right now this app sounds like it is poorly executed and easily fooled, but depending on how much the Chinese government decides it cares, that could change very quickly. At that point in time not getting caught basically turns into a cat-and-mouse game with the Chinese government, and that isn't realistically something that someone can continue to win for an extended period of time. There are a lot of risks, so tread lightly.

    There is one more risc too to concider - other channels used more less frequently - and it may not be for security, just for convenience. I can say, that I made application, which normally communicate in plain text each 1/2 hour, but 4x a day it also use other channel for other data and sometimes (like once a week to once a three months) use another channel for totally another kind of data. (And sometimes it update itself.) Lack of any of such communications is reported as big red error at central server. And it has nothing to do with spying or security, just with primary function of the app.

    There are a few more: sandbox the app + sandbox apps that you want to hide, off the top of my head.

    actually httpS is not very effective on neither Android devices nor iOS devices. the free version of Fiddler Proxy (+ this plugin) has everything needed to generate a fake certificate, install it on the phone, and perform MITM https-decryption, modifcation, redirection, and blocking. i've used this myself several times to study and cheat in mobile games. (and study the Facebook Messenger / friends API)

    @user1067003 Sure, performing a MitM on yourself is very doable. I wasn't trying to imply otherwise. However, it is still harder than simply sniffing network traffic for an unencrypted connection. My point was that SSL is the first and most basic security step for web systems, and also very easy to do. Anyone who is not bothering with HTTPS these days simply isn't trying, and SSL certainly does provide *a* barrier from simple snooping. Add in HSTS and public key pinning and you're starting to get about as secure as possible on someone else's device.

    Another risk of a local server is making it as slow as interactions over the air with the real server.

    I'm not exactly an expert on mobile communication, but AFAIK any phone comes with both an IMEI (spoofable, but it's tricky) and an IMSI (not spoofable, as it's the ID of your phone in the network). Considering the capacities of Chinas surveillance I would be astonished if they couldn't detect a phone with an unique ID having the app active only sporadically. Let alone sniffing on higher levels of the system or examining the entire storage when the app is running.

    **Any** of these can be **remotely** detected, this is just a matter of state will.

    @user285259 yup. That's pretty much the gist of what I was trying to say at the very end of my answer.

    The reference to the founder of the Silk Road isn't really relevant as he was neither a tech security expert, nor was he caught despite an abundance of caution. He was essentially caught because he posted questions in forums with traceable accounts that referred back to Silk Road before it was well known. The FBI didn't cut through TOR's encryption.

  • They can execute code on your device while they have physical access to it. And you can't refuse it. I'm sorry to say that but you are basically doomed. There's no way to trust this device anymore. That's part of the 10 immutable laws of security. In your case the rules #1, #2, #3, #6 and #10 are applicable.

    But when you act like you don't trust the device you could raise their suspicion. Maybe. Because nobody knows what they are actually doing with the collected data. Maybe nothing at all. In the "best" case it's primary for spreading FUD.

    But when they are actually using the data it's easy for them to spot burner phones and all kind of tampering. As far as I know you only get a SIM card by identifying with your ID. Since the spyware reads identifying information like IMEI and IMSI they can simple compare the collected data from the phones with the purchase records. They can combine this with behavior tracking based on metadata collected on the phone (Which apps are used and how often, how long the screen is on etc.) and the mobile network (usage of data, location based on cell tower etc). Since they can do that on a large scale, they can spot strange usage patterns by your usage history or how a "average" user is behaving. Of course there's a vast amount of ambiguity and such in this data but they have the ultimate interpretational sovereignty.

    You must also keep in mind that you need to keep your measures working all of the time because it could always happen that you get stopped on the street again.

    I'd like to emphasize on rule #10. You are basically trying to solve a social problem with technology - just as your government does.

  • Use a custom ROM (two, to be correct).

    Android phones can have more than one ROM installed, and you choose one or the other. So install two copies.

    On the clean ROM you install the spyware, anything not dangerous, games, whatever you feel clean. On the secure ROM you install things you don't want anyone to know about.

    Keep the clean ROM running almost all the time, specially when you are out of home. Boot on the secure ROM only when you really need.

    You will need to keep a secure mindset too, to have awareness of what ROM you are using and what content you can create or access. That is the main point of failure. Using a different keyboard on each ROM, or different OS languages can help: Chinese on the clean, English on the secure, for example.

    But first you must weight the risk/reward of doing so. If the risk of getting caught plus the mental effort to keep activities and files containerized is worth the benefits of bypassing the spyware, do it. Don't do otherwise.

    Whether this is possible is extremely dependent on the particular phone, even if Android is a given.

    What stops them using the logs of the mobile phone network to check that app is running at all times the phone is connected?

    Apps don't run all the time, and OP should not run the secure ROM all the time.

    @ThoriumBR Surveillance apps presumably *do* run all the time.

    But they don't run all the time. Or the battery will run dry in a couple hours, more people will know something is wrong, and lots of angry people will have incentives to bypass the surveillance. They are presumably to be invisible and unobtrusive. They will log things here and there, and send data from time to time.

    @ThoriumBR A mobile phone doesn't go to sleep when not in use like a closed laptop; if nothing else, it will be constantly checking with transmitters to ensure it can receive incoming calls. It seems perfectly plausible to me for a background application to be logging many times a minute whenever the phone is switched on; saving to a local, encrypted, database; and periodically uploading reports to a central server. Gaps in that log might be viewed as suspicious, particularly if they can be compared against logs demanded from the network operator.

    Apparently this is a contentious topic - so far this is the only answer with a positve score that doesn't have any downvotes. lol!

    @ThoriumBR The assumption that they want the app to be invisible and unobtrusive is also dubious. The Chinese government conducts surveillance by coercion, not subterfuge - they're not installing this app remotely without users' permission, they are (allegedly) demanding that they install it under threat of arrest. They have no motivation to hide what it does; anyone who gets angry and decides to bypass it can simply be publicly punished as "subversive"; that's how totalitarianism works.

    @IMSoP: I used to frequently put my phone in airplane mode to save the battery. But your point is valid, and one that most of the answers miss: that if any method succeeds in stopping the reporting, the government will (or can) notice the gap.

  • I'd recommend you just go with it. The Chinese police doesn't just stop any random person in the street and asks for their phone. They stop Uyghur.

    This happens for reasons which are somewhere in between "mitigate a real threat" and "Woah, no go, dude", but whatever it is, it's what the government does, so it's legal and "right". No benefit of doubt, and no assumption of innocence, no Sir. By Western standards, it's kind of unthinkable, but you cannot draw to the same standards there.

    So the situation is that you are easily identified as Uyghur, both from looking at your face, and from the fact that police knows. They know who you are and where you live. And sure they know whether you've been stopped before. Again, you're not being stopped at random. You're stopped because you are already a well-identified target, on their screen.

    It isn't even unreasonable to expect that your Internet traffic is monitored (targetted) and even asking about how to circumvent the measures may move your name onto a different, more high priority list.

    You can bet that police keeps a list of people where the spyware has been installed (with device IDs), too. If no data comes in from your device, well, guess what. You'll be stopped again by police, and they will look very carefully why this isn't working.

    Insofar, it is kind of unwise to try and circumvent (and risking being caught) what police wants. From their point of view, you are a possible criminal, and a possible terrorist. By trying to circumvent the measures you prove that you are a criminal.

    The surveillance happens on the base that if you have nothing to hide, then you need not bother if they're watching you. Again, by Western standards, this stance would in no way be acceptable. But whatever, in China it's perfectly acceptable.

    I wouldn't want to risk disappearing in a detention camp if I was you. Rather, let them have their spyware, and simply don't do anything that isn't opportune to the system.

    Given how insecure the spyware appears to be, simply installing it will likely open you up to attacks from actors other than the Chinese government.

    @AndrolGenhald: Probably, but if you can't leave the country, what else do you want to do? Not complying is not an option, really.

    The situation certainly sucks. I just wanted to point out that even if you accept that it's ok for the Chinese government to do this, there are still other risks.

    This doesn't really answer the question. It's about "I know I'm targeted. How do I defend?". Your answer is basically "How to avoid being targeted" and therefore not really answering the exact question.

    @iBug: That's true, but sometimes "Don't do it" is the right answer. There's too much at stake, and chances that OP gets caught are high (I'd say 99%). The spyware transmits the IMEI, so they know _exactly_ who isn't sending. They _also_ know exactly who had the spyware installed. So... not good.

    This doesn't answer the question, and what is worst, it's accepting a total loss of privacy...

    @Mr.E: It _does_ answer the question. The in my opinion only correct answer is "Don't do it". Given the circumstances, any other answer is just unresponsibly dangerous. Being targetted individually by a governmental institution (as is the case) means your chances of being smarter than the system and getting away are close to zero. This is a suicide move. Given "no privacy" and "die in detention" as alternatives, I know which one I'd choose. Your opinion may differ, and free feel to downvote.

    "even asking about how to circumvent the measures may move your name onto a different, more high priority list." .... makes me think that if I wanted to find how to defeat those attempting to defeat my security system, I would pose as someone just like OP here and review all the answers for further closing of loop holes. IOWs, this entire question and answers appears to help the security of the government perhaps even more than individuals. Hmmm

  • First of all, I think you should search for solutions that are already implemented by other people. For instance, what do other people in your case do to prevent the spying activities?

    One possible solution would be to have a man-in-the-middle implementation analyzing the information that is being sent, altering it, and sending it to the same server and port the spyware is trying to connect to.

    I read a bit about the functionality of the app, and the information it gathers is, and I quote from the Wikipedia source you provided:

    sent in plaintext

    Hence, after doing some tests with a packet sniffer tool and clearly understanding how the spyware and server exchanges made using the HTTP protocol work, you could, if you have root access to your Android phone, redirect the traffic of the spyware app to a process that is running on the background of your Android OS. This process would change the data that is going to be sent to the server the spyware is trying to connect to. That way, you can send data that matches another cellphone (maybe, literally faking the data is a bad idea, because that can trigger alarms).

    You should also take into consideration any kind of validation processes that the spyware has implemented so you do not alter them. More specifically, the data that is in the HTTP packets’ headers and that is sent from the spyware app to the server to gracefully initiate an upload.

    Of course this is theoretical, but it is a realistic thing to do. Also, you probably will require knowledge of Android programming (mostly in C or Java) and IT.

    This approach is stealthy and will not require an uninstall of the spyware app. There is always a risk, but in this case, depending on the data that is actually spoofed, the risk is minimal.

    This will not help in case of keylogger spyware.

    How can a keylogger affect this approach ? Please explain.

    Bare in mind that, keylogger can keep data inside the phone. So if the phone confiscated by the Big brother, the user still susceptible to phone activities forensic.

    I still do not understand what you are trying to point out. A keylogger logs keystrokes, that’s it, the background process has nothing to do with that.

    Do I need to explicit say that keylogger may also take screenshot ?

    I believe the first paragraph is the most critical one. OP is not alone in this, it's a big community of people affected and they _will_ have found a workable solution. Just be aware that the more people fooling the system, the more likely the government will pick up on it and close the loophole. If you're using a method that gets closed there's a chance their net will catch you.

    A screenshot will not affect anything at all on this approach. How a screenshot will affect a process running on the background ? It is not an app

    @Ruadhan2300 I did not suggest this approach to be shared, I suggested him to search for already existing solutions, not to share mine with everyone in the same case. Depending on how the data is faked it could be hard for the government to “close the loophole”

    @PedroGomes I believe you misunderstand me, I don't mean sharing the approach with others, I mean that finding your own solution may not be necessary if there's other people who have already done it and shared it. It's a maxim in software development that any technical problem you encounter has probably already been found and fixed by someone else, you just have to find out what they did.

    @Ruadhan2300 I mis read indeed your comment. I totally agree with you on that point.

  • Due to the nature of the spyware, they will be able to detect any mitigation techniques which will make you a person of interest to them.

    I know you said you can't afford two phones but it really is the best advice - why not clean and refurb an older phone if you have one around?

    A burner phone doesn't need to be anything special and even better if it isn't a smartphone.

    There are certainly ways to defeat this spyware without raising red flags. It's not like the spyware's functionality is particularly secret (or particularly sophisticated).

    Police might not be information security gurus, but they are good at telling if I am hiding something in my other pocket. Then the consequences might be worse.

    I really doubt this is true, and even if it is correct you are not providing any evidence of that fact. Rather, you are expecting everyone to just take your word for it. Given the importance of this question to the OP, I think a little more effort is required.

    @forest But it might not be the same tomorrow as it is today, and that can make all the difference in defeating it or losing to it. When we're talking an oppressive government, can you, in good conscience, really tell someone you've never met to take that risk?

    Note that with the cooperation of network carriers, they will be able to tell if you are using another cellphone with the same SIM card, or if a subscriber has two SIM cards nearby, or the number of devices that are connected to your home WiFi or network. It may be unwise to use a second phone in any case.

  • One idea is to think of your phone as a networking device and nothing more. If you carry a secondary "tablet", that is NOT a phone, you can tether through your phone, and use a VPN on the tablet to protect your data. Now you can hand out your phone to be inspected as all of your actual important data and work is on your tablet which is clearly not a cellphone. If traditional hotspotting is too dangerous, you may want to consider alternative methods such as using a USB2Go cable or bluetooth pairing. If hotspotting is detected or blocked, you might also be able to use an app like PDANet to bypass those restrictions.

    If I were trying to monitor everything, I would have code that flags packets going through the towers without corresponding reports from my spyware.

    That would be very difficult to do. Nothing is ever 100%.

    It would indeed be difficult to catch 100%. It would not be difficult to catch 90%. And if they weren’t already catching a huge percentage of what they want, threads like this would not exist.

    "Hang on, there are packets flying back and forth, but they are not connected to any running app ... Flag this phone as suspicious."

    @tripleee do people not use tethering in China?

    You're still assuming there's a presumption of innocence - it seems more likely that even if there's a valid/acceptable explanation OP can expect to be investigated first.

  • Disclaimer: I live in North America.

    Knowing that I may be forced to install it sooner or later, what are my options to prepare against it?

    Remove illegal items and anything else that you think that the government wouldn't approve of from your property - your clothing, phone, desk at work, home, etc.

    If the government can't find you doing anything wrong then you only have to worry about someone planting false evidence on you - you need to search your own stuff from time to time.

    When I go through Customs I've made absolutely certain that I have checked everything for anything I shouldn't have, because you know that they will likely check when you go through the port of entry.

    As a result of my efforts they've not found anything to object to and have even simply waved me through a few times. Nothing to see here, move along.

    Ideally:

    • Make it appear like the app is installed and working as intended, without having it actually spy on me.

    We have different ideas of what's ideal.

    Ideally I'd prefer to be paid millions of dollars per hour.

    • I don't know whether it includes sophisticated anti-tampering features or not. I can't afford two phones nor two contracts, so using a second phone is not a viable option for me.
    1. It wouldn't make any sense for it not to detect tampering.

    2. The APP is probably an excuse.

      If they obtain the information by another means (like monitoring the cell phone towers and WiFi, along with all Internet traffic, and then there's your neighbors whom earn a healthy living turning people in) they can say in Court that they obtained the information from the spyware - that way you don't know how the information was actually obtained.

    3. This happens in more places than just where you are, it's different where you are in that roving gangs force you to install the APP. In other places (including North America) they get by without using an APO and rely on other techniques.

      Proof: In the last few months people whom have a lot of contact with children (Coaches, High School Principals, etc.) have had their work, home and computers searched for possession of inappropriate images. This appears in the news monthly.

    Moral of the story: If you are poor and unsophisticated don't fight the rich, powerful, intelligent army trying to do something that they can find someone to back their actions to prevent you from doing it.

    If you can't afford a second phone and contract that's a hint that you couldn't afford trouble in the first place, and the fine.

    In your country they are upfront about it and demanding because objections fall on deaf ears. It's not much different in North America, just that they are sneaky to avoid complaints and only focus on major infractions so people don't suspect that they can see the lessor consequential things just as easily.

    If you CAN afford a second phone, either they find out when you buy it or they find out when you use it.

    This is what I'm saying, the cellphone tower reports people in the area that aren't running the APP and then they can triangulate you and pull up a CCTV image of someone walking the path of the offending phone. Also, chances are this webpage is no longer available to the majority of the people there.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM