This report is part one of a two-part series on a privacy and security analysis of the WeChat ecosystem. We’ve created an FAQ to accompany this report.

This work performs the first analysis of WeChat’s tracking ecosystem. Using reverse engineering methods to intercept WeChat’s network requests, we identified exactly what types of data the WeChat app is sending to its servers, and when.

During usage of core WeChat features, such as Messaging or Moments, network requests generally contained data that was necessary for the function of the application, and not significantly more; this is in keeping with the WeChat privacy policy for non-mainland-Chinese phone numbers.

We found that the most fine-grained activity tracking data is sent during Mini Program execution. All Mini Programs, and thereby their users, are enrolled in usage tracking, meaning that a large amount of users’ activity in the Mini Program is sent to WeChat and not just the Mini Program developers themselves. Permission boundaries between Mini Programs and the host WeChat platform are unclear. As one consequence, we found that granting permissions such as location permission during the use of a Mini Program will also enable the larger transmission of geolocation data to WeChat.

We identify disclosure gaps with WeChat’s privacy policy, which implies that only third parties collect usage data related to Mini Programs, when, in fact, WeChat also collects this data.

Some important features within WeChat, such as Advanced Search and Channels, are not governed by WeChat’s own Privacy Policy. Instead, they are governed by Weixin’s Privacy Protection Guidelines. Usually, the Weixin Privacy Protection Guidelines apply in whole to users signing up with Chinese phone numbers. The WeChat Privacy Policy states that these “third-party” services are “operated by Weixin.” Because of this, a user’s data might be subject to weaker protection than the user thinks.

With over 1.2 billion monthly active users, WeChat is the most popular messaging and social media platform in China and third in the world. According to some market research, network traffic from WeChat made up 34% of Chinese mobile traffic in 2018. WeChat has in many ways monopolized messaging in China, making it necessary for individuals in China to use. WeChat has also evolved beyond simply messaging. People commonly use WeChat as a social media platform to share updates with contacts, as a platform for conducting financial transactions, and also as a platform for downloading and using other programs, referred to as “Mini Programs.”