I live in Canada. My girlfriend is Chinese (also living in Canada), and while we are able to communicate via SMS, her mobile carrier isn’t the best, and so there have often been issues for us with regular texting. She expressed a strong preference to use WeChat, at least as a backup option for when texting fails us. While I have some pretty significant reservations, it’s not the hill I want to die on. So my question is: what can be done to use WeChat without compromising my whole phone? I’m okay with it if our conversations aren’t private, but I’d like to know that I’m not giving unfettered access to all of my phone’s systems and data to the CCP. What can be done to limit the reach of this ubiquitous app on my device?

  • viking@infosec.pub
    link
    fedilink
    arrow-up
    48
    ·
    edit-2
    7 months ago

    I’m in China and have to use that piece of crap. So here’s how I locked it down:

    1. Root your phone with Magisk. There’s no way around it.
    2. Install Storage Isolation (https://play.google.com/store/apps/details?id=moe.shizuku.redirectstorage) and deny access to all folders.
    3. Install ApOps (https://play.google.com/store/apps/details?id=rikka.appops) and set pretty much everything to deny or ignore (ignore means the app receives the information “permission granted”, but no data is provided, in case some permissions are “mandatory”). If you intend to use wechat to exchange voice messages or make video calls/send photos, the “use microphone” and “use camera” functions would be required. In a similar fashion the location access if you intend to use the location sharing feature.
    4. Be acutely aware that wechat is not encrypting messages, neither end to end nor in the server communicaton. Everything you say can (and probably will) be read and archived. Don’t say anything confidential or critical there.

    And yeah really, try to convince your wife girlfriend to use signal instead. Or hell, even whatsapp is miles ahead.

    My wife is Chinese as well, so even after we leave here she’ll be using wechat to stay in touch with family, no way around it, but using messengers more commonplace in other countries is definitely better. Personally I will move wechat to another phone once we’re out. For now that’s not feasible as it’s too much integrated into every function of life here.

      • TheAnonymouseJoker@lemmy.ml
        link
        fedilink
        arrow-up
        1
        arrow-down
        1
        ·
        edit-2
        7 months ago

        Can you provide documentation that says AppOps is not standardised part of AOSP? Last I checked, it was part of Android since Android 4.3 beta and baked into 4.4 Kitkat.

        I use both ADB and Shizuku based permission manipulators on Android, and the “ignore” option just defaults to “ask every time” or “deny” instead of “allow”, in case it does not work. I have not yet observed a failure upon extensive testing.

    • Ainz@lemmy.world
      link
      fedilink
      arrow-up
      2
      ·
      7 months ago
      1. Install Shizuku -> Doesn’t require root
      2. Install Island and use the built in work profile feature of your android device
      3. Install AppOps and block most of the app with garbage data
      4. Be happy without rooting your phone
      • viking@infosec.pub
        link
        fedilink
        arrow-up
        1
        ·
        7 months ago

        Yeah I’ve played around with it in the past, but having to re-establish the wireless adb was quite annoying. Plus I need root for AdAway already, I don’t think that can be achieved via Shizuku, but that might not apply to the OP. I’ve tried island back in the beta stage and it wouldn’t work on my phone, but I guess things have change since. Might give it another try.

      • viking@infosec.pub
        link
        fedilink
        arrow-up
        15
        arrow-down
        1
        ·
        7 months ago

        Whatsapp uses end to end encryption and is far from as intrusive as wechat.

          • viking@infosec.pub
            link
            fedilink
            arrow-up
            10
            ·
            7 months ago

            Nah it’s rather easy to do and has been done by security experts. If your phone is a rooted android, you can do it yourself using PCAPdroid, it’s basically a network logger that allows to install a trusted certificate as a local proxy and go man in the middle on yourself. That way you can decrypt the https traffic between your phone and the whatsapp server.

        • umbrella@lemmy.ml
          link
          fedilink
          arrow-up
          6
          arrow-down
          4
          ·
          7 months ago

          whatsapp is certainly backdoored, its closed source and unverifiable.

      • bionicjoey@lemmy.caOP
        link
        fedilink
        arrow-up
        3
        ·
        7 months ago

        Yeah I was considering Waydroid but then I lose the ability to connect outside of my PC

      • viking@infosec.pub
        link
        fedilink
        arrow-up
        2
        ·
        7 months ago

        I guess it could be, but that kills the use case of being contactable by his GF on the fly.

    • TheAnonymouseJoker@lemmy.ml
      link
      fedilink
      arrow-up
      3
      arrow-down
      4
      ·
      edit-2
      7 months ago

      And yeah really, try to convince your wife girlfriend to use signal instead. Or hell, even whatsapp is miles ahead.

      It is interesting that you promote Facebook over WeChat in a privacy community, even though you have a Chinese wife. Just how far is racism embedded in your head to go through hoops saying things like this? Is it objective analysis to claim WeChat (China) is worse than Facebook (USA)? Or that Signal, something based in USA, using USA servers, promoted by Elon Musk and using a shady MobileCoin crypto system, is so great?

      Encryption of messages is not a thing on WeChat, but then neither is WeChat being used to extract meta data and use it to commit genocides or bomb countries, like USA based messengers do.