Police forcing me to install Jingwang spyware app, how to minimize impact?

Solutions:

This may not be the answer you will be happy with but how about abstaining from having any undesirable data inside your phone in the first place and instead using the right tool for the job?

According to Wikipedia:

The app records information about the device it is installed on, including its […] IMEI, the phone’s model and manufacturer, and the phone number. The app searches the phone for images, videos, audio recordings, and files […]

So, instead of trying to tamper with this spyware in any way (which can get you in much bigger trouble), simply don’t do anything suspicious on this phone and let this app do its job. Prepare against it by not having any photos, videos, audio, files, etc., and instead use the right tool for the job. Use some other secure software/hardware to connect to the internet, use an encrypted email provider and do all of your communication through the computer where you can do communication safely, and store all of your files somehow in a safe place (encrypted, somewhere on a computer or USB, etc.). Pretend to be an obedient citizen and use the right tool for the job to do whatever it is you don’t want your government to find out.

Some people may wonder why bother having a phone in the first place (and FYI, I asked the same question under OP’s question, for clarification). My answer is:

  1. to make phone calls (and have conversations which are not going to be considered suspicious by the Chinese government, in case they are tracking that too)
  2. to use it as a “red herring” – if the police ask you to give them your phone you won’t have to lie to them that you have no phone, or worry that they will find out that you tampered with the app, or get in trouble if you don’t have the app, etc. You’ll just confidently give them the phone, with no “illegal” information on it, they will check it, and walk away. You may, actually, even have some “red herring” files: pictures of nature, a shopping list (milk, eggs, etc.), etc., just so that they wouldn’t suspect that you are deliberately not using your phone for such purposes, and harass you further.

I mean, not long ago mobile phones didn’t even have the ability to store pictures, videos, files, etc.

Are you willing to put your life in danger simply because you want to have some files on your phone?

Tough times require tough decisions.

Get a phone which doesn’t support Android apps.

Why are so many of the answers complex? And not just complex, fragile and suspicious and downright dangerous to the questioner?

You want to use your phone to send messages and make calls, right? You don’t want this app installed, right?

Say hello to your new phone:

[image of the phone omitted]

Good luck getting an Android app running on this.

It’s probably not illegal to have an old phone.

This is a tricky one. It goes without saying, but it’s also a dangerous one. Attempting to circumvent these restrictions and getting caught doing so will potentially cause a lot of legal trouble. If they throw people in jail for refusing to install the app, I wouldn’t want to figure out what they do to people circumventing the app restrictions. It is especially relevant because even experts in tech security have gotten caught by their governments despite extensive safeguards (the founder of Silk Road is a great example and is now serving a life sentence). Granted, evading this app is most likely a much less serious “crime”, but the Chinese government isn’t exactly known for lenience here. So while I would like to answer your question, please don’t take this as me suggesting that you actually do any of this. I consider myself a tech-expert, but I still wouldn’t do it.

Still, to answer your question, you have a few options. I won’t bother mentioning the “Get a second phone” option because you’ve already ruled that out.

1. Virtual Machine/Dual Boot

There are some options for “dual booting” Android phones. I don’t have any examples to immediately link to (software suggestions are off topic here anyway) but there are options. If you can get your phone to dual boot then you can install the tracking software on one ROM and then do all your personal stuff on the other. You may need to put some basic information on the ROM with the tracking app installed just so you don’t raise too many flags.

Of course there are still risks here: risks that they might reboot your phone and notice, risks that they might realize you have a completely different system installed next to the tracked one, and the simple risk that you would go out and about and forget to reboot into the “tracked” system, allowing a police officer to find and install the tracking app on your actual system.

2. App modification/interceptors

If this app creates enough bad press it is possible that anti-tracking apps or hacked versions of this app may start floating around that try to automatically protect you from it. I would not expect there to be any general tools already available that would protect you from this, so this is something that would simply take lots of googling or (perhaps) requests to the right people. This has a major downside that unless you are an expert at reverse engineering, there isn’t much to do to make this happen. It’s also hard to estimate what the risks of detection are. That will obviously vary wildly depending on the skill level of the person who put it together.

3. Server Spoofing

Depending on your level of technological know-how you might be able to put something together yourself (note: this is not for novices). Based on what I know and my experience in this area, I’m going to try to summarize some details about what a server-spoofing measure might look like. Again, I’m not summarizing this because I think you should do it, but because understanding how things like this operate can be generally informative and also help understand the risks therein.

Built-in security

First, we need to understand how this spying app might secure itself. From all information available so far, the answer is “it doesn’t”. This is a pretty simple conclusion to come to because the app communicates exclusively through HTTP. It is very easy to intercept HTTP requests, either from the device itself (if your phone is rooted) or with network sniffing tools on a computer attached to the same network as the device. Most likely it is also very possible to easily figure out how the app authenticates itself with the end-server and how the end-server authenticates itself with the app. In all likelihood there is no authentication in either direction, which means that spoofing requests in either direction is trivially easy. This might be hard to believe (given that a country like China sets aside lots of resources to invasive technology like this), but the reality is that if the people who developed this app wanted to secure it from outside tampering, using HTTPS for transit would be the very first step to perform. It is cheap, easy, and very effective. The lack of HTTPS means that it is very likely that there is no actual security in this ecosystem, which is a plus for anyone trying to evade it.

Sniff all traffic coming out of this app to determine what requests/responses it makes

This is the first step. By watching the traffic leaving this app (which can be easily intercepted in the network itself since there is no SSL encryption) you can figure out what requests it sends to the destination server and what responses it expects back. Understanding the underlying API is critical, but easy due to the lack of encryption. This will also let you know if there is any authentication happening in either direction. If there is, you can at least see the full request and responses, so you can most likely figure out how to spoof it. It is possible that there is some hard-to-reverse-engineer authentication going back and forth, but again, given the lack of basic encryption, I doubt there is any such thing built in.

Figure out if the app is talking to a domain name or IP address

The destination server the app is talking to is either found via a DNS lookup or has its IP address hard-coded in the app. In the event of the former you can edit the DNS for your Android phone to repoint it to a different server, including one running on your phone. In the event of a hard-coded IP address you will similarly have to redirect all traffic to that IP address to your local Android phone (presumably you can do this with Android – you can with other operating systems, but you would definitely have to root your phone).

Set up a replacement server

You then set up a local server that responds to all requests just like the server did in your initial spoofing. You would have to get this server to run on your phone itself, that way it is always available. This doesn’t necessarily have to be complicated (although that depends on how detailed the actual server interaction is), as you don’t actually care about keeping any data on hand. You just need to make sure that you provide valid responses to all requests.

Risks:

  1. The app may auto-update itself (although your mock-server may make this impossible) and point to new domains/ip addresses, suddenly removing your protections
  2. If there is an auto-update functionality and you end up unintentionally killing it (which would be good per point #1 above), a police officer may notice that it is not properly updated, flag you for “extra” checking, and discover what you are doing.
  3. They may do server-side tracking and discover what you are doing because they don’t find any data on their end for your particular IMEI (because your mock-server acts like a black-hole and sucks up everything). Even if you send spoofed requests there will be easy ways for them to determine that (imagine the police copy a blacklisted image to your phone and discover that the app doesn’t block/report it)
  4. They may have root-checking in the app itself, which will cause you problems

Actually, that’s it

I was trying for a longer list but that is really what it all boils down to. Short of not carrying around a phone or purchasing a separate one, these are about your only options. For reference, I haven’t gone into details about the server spoofing because I think you’re not necessarily going to go out and do it. If anything, I’ve gone through it because it gives opportunity to talk through the risks in more detail, and those should make it clear that there are a lot of risks. Even if you find a solution from someone, they have to deal with all of these same risks (or ones like it). Right now this app sounds like it is poorly executed and easily fooled, but depending on how much the Chinese government decides it cares, that could change very quickly. At that point in time not getting caught basically turns into a cat-and-mouse game with the Chinese government, and that isn’t realistically something that someone can continue to win for an extended period of time. There are a lot of risks, so tread lightly.
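The answer above rests on one observation: the app reportedly talks plain HTTP with no authentication in either direction, so an intercepted request or response can be replayed or forged by anyone on the path. The following is an added illustration, not the app's code or anything from the original answer, of what "authentication in both directions" would consist of at the application layer: each request carries a timestamp, a fresh nonce and an HMAC over all of them plus the body, and each response is signed over the request's nonce so a captured response cannot answer a later request. The shared key, the field names and the message format are all constructed for the demo.

```python
"""Added illustration of mutually authenticated request/response signing.
Not the spyware's code; the key, field names and message layout are constructed."""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Tuple

# Constructed demo secret. A real deployment would provision a distinct key per
# device; a single key baked into an APK can be pulled off the device, so this
# raises the bar against network-level forgery, not against someone holding the phone.
DEMO_KEY = b"constructed-demo-shared-secret"
REPLAY_WINDOW = 300  # seconds of clock skew tolerated before a request is stale


def canonical(payload: dict) -> bytes:
    """Deterministic encoding so both sides MAC exactly the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, *parts: bytes) -> str:
    """HMAC-SHA256 over length-prefixed parts, so field boundaries are unambiguous."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.hexdigest()


def client_build_request(key: bytes, payload: dict, now: Optional[int] = None) -> dict:
    """Client side: timestamp + fresh nonce + MAC binding both to the body."""
    ts = now if now is not None else int(time.time())
    nonce = secrets.token_hex(16)
    body = canonical(payload)
    return {"ts": ts, "nonce": nonce, "body": body,
            "sig": mac(key, str(ts).encode(), nonce.encode(), body)}


class SigningServer:
    """Server side: verify requests, remember nonces, sign responses bound to the request."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()

    def verify_request(self, req: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now = now if now is not None else int(time.time())
        if abs(now - req["ts"]) > REPLAY_WINDOW:
            return False, "stale timestamp"
        expected = mac(self.key, str(req["ts"]).encode(), req["nonce"].encode(), req["body"])
        if not hmac.compare_digest(expected, req["sig"]):
            return False, "bad signature"  # body or header edited in transit
        if req["nonce"] in self.seen_nonces:
            return False, "replayed nonce"  # an old, genuine request resent
        self.seen_nonces.add(req["nonce"])
        return True, "ok"

    def build_response(self, req: dict, payload: dict) -> dict:
        """Response MAC covers the request nonce, so it only answers that one request."""
        body = canonical(payload)
        return {"nonce": req["nonce"], "body": body,
                "sig": mac(self.key, b"response", req["nonce"].encode(), body)}


def client_verify_response(key: bytes, req: dict, resp: dict) -> bool:
    """Client side: accept only a response signed for this request's nonce."""
    if resp.get("nonce") != req["nonce"]:
        return False
    expected = mac(key, b"response", req["nonce"].encode(), resp["body"])
    return hmac.compare_digest(expected, resp.get("sig", ""))


def demo() -> dict:
    """Honest exchange plus four manipulations; returns what each check decided."""
    server = SigningServer(DEMO_KEY)
    now = 1_700_000_000  # constructed fixed clock so the run is reproducible
    req = client_build_request(DEMO_KEY, {"device": "constructed-id", "scan": "clean"}, now)
    ok, _ = server.verify_request(req, now)
    resp = server.build_response(req, {"action": "none"})
    tampered = dict(req, body=canonical({"device": "constructed-id", "scan": "flagged"}))
    stale = client_build_request(DEMO_KEY, {"device": "constructed-id"}, now - 3600)
    forged_resp = {"nonce": req["nonce"], "body": canonical({"action": "none"}), "sig": "00" * 32}
    return {
        "honest_request": ok,
        "honest_response": client_verify_response(DEMO_KEY, req, resp),
        "tampered_body": server.verify_request(tampered, now)[1],
        "replayed_request": server.verify_request(req, now)[1],
        "stale_request": server.verify_request(stale, now)[1],
        "unsigned_response": client_verify_response(DEMO_KEY, req, forged_resp),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Run as a script it prints one line per check. The point of the four failing cases is that, with this layer present, seeing the traffic is no longer enough to forge either side of it: the observer needs the key. TLS would still be wanted on top, since the HMAC protects integrity and origin but leaves the body readable, and the replay window only works if both clocks are roughly in sync.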
