@mattbrwn Not to mention TikTok has had eyes on it for a while; if they were sending any data back to the CCP, it would likely be through much more untraceable and encrypted onion-routed proxy stuff.
The sad thing is that many TikTokers have no problem transferring their data to the inhumane Chinese government while they distrust their own western liberal democratic governments.
There’s not a US social media site that wouldn’t sell their mom’s data for a quick buck. I’m all for privacy and security but have no tolerance for hypocrisy.
Pretty much. The working class of all countries are essentially prisoners to the people who run their infrastructure (capitalists). And some even defend their own overlords. Isn't that the definition of nationalism?
Yes. I think everyone has forgotten the Facebook-Cambridge Analytica data scandal. Everyone has also forgotten Edward Joseph Snowden (former NSA intelligence contractor and whistleblower) has been in hiding in Russia as he leaked the US and global surveillance programs on all private citizens. Everyone must note that even the Telcos have massive data breaches. Everyone is constantly stealing our data.
Haha, finally, the video about the Chinese software threat theory has appeared. As we Chinese like to think, "the Chinese threat is always the best reason for the US" is what the European and American media propagate.
The Israelis pushed exploding hardware to Hezbollah. We get hardware from China. I'm buying hardware from China for others to use. You just never know. I'll beat my brains out trying to make the software secure. But I'll never really know that the hardware can't override the software, turn off the system,...
@OkItsJustSean Ironic, seeing how much social media influences politics and narratives, and even more so by learning your behavior to understand what content you accept and reject, probably to enhance its capability in feeding you narratives you would be likely to buy into based on your behavior.
@OkItsJustSean ?????? What about ads about politics and narratives? Lmao. I appreciate your positive thinking, but it's woefully naive to think American policies do not influence the ads and content we're served.
@ Did you actually comprehend what I said? Data companies aren't using your data to influence politics. Data doesn't influence politics. It influences ads. It tells the person with your data what you like seeing. It doesn't influence politics itself. Whereas it's been well warned for about a decade now that China and Russia are using your data to figure out how to sneak misinfo into the media you consume. Diff is, the US government doesn't use your data; FB does, to sell to other private interests and ads. China sure does, and that's a dictatorship. But I'm sure you don't care.
@ I think you too have reading comprehension issues. US companies aren't using your data to influence your politics. They're using it to keep you hooked and to sell ads. China and Russia use your data to spread for political purposes. Difference is, in America your data goes to private companies for profit; in China your data goes to dictators for political purposes. But the avg brainrotted TikTok user doesn't know this because you can only comprehend memes.
President Xi, please enjoy my clear-text cat video. Better story on this app is the US/Chinese interactions on it. Normal people from "enemy" countries speaking directly worries some people.
@mikestewart4752 It's been a whole lot of Americans going, "no, really. Those are real numbers." and Chinese people going "I think you're lying. I was always told everyone in America has a big house and a new car, throws away their food when they just want something else, and chooses not to save money because they like to consume" and Americans going "my whole paycheck goes to survival. How am I supposed to save money?" Apparently they thought we have free healthcare, and have also been pretty horrified by the cost of ambulances and the practice of charging people who've just had kids to hold their newborn skin to skin. Most of them are willing to believe us, but are still shocked by hearing what life is like over here. Some of them are convinced we're outright lying for some unknown reason, though.
People might think this is an outlandish statement, but recently Microsoft's own security research team has brought up the same questions surrounding TP-Link products, suggesting they may be purposefully exposing their devices in such a way that would aid in China's cyber offensive operations on edge and IoT devices.
@ do you think that's the only way privacy is threatened is with a specific "oops, anyone who can sniff can see it" issue? I mean, even if you're not on any Meta properties if any of your friends ever posts about you, they keep a shadow profile around. Normal stuff, right? Nothing to worry about because it's an "American" company right?
@ Of course! Everyone knows that sensitive data can only be accessed by foreign powers through their personally-administered applications hosted on their soil. Other social media companies definitely dont collect dossiers on their users and sell them to data brokers. How ridiculous. If they were doing that everyone would be concerned about national security… right…?
As a non-American, who comes from a country whose military dictatorship was admittedly funded by the U.S., and who has a memory and hasn't forgotten the revelations about the NSA, look... I'm soooo worried...
The US has been known to backdoor the communications of other countries they are promising to help. They've offered to do it for the Olympics to "help detect and prevent an attack". But we all know they never leave. They won't stop just because the Olympics are over. They're in now.
Why? The unity and love going on right now Has to be The Coolest thing I have ever seen in my 30+ years of life. It's insanely beautiful.... Its like pushing everyone to be super positive!! ..Imagine if everyone starts saying no more war. No more division..February 1st is when mass boycotts start! Don't support any mainstream bs! Only support locals, neighbors, Amish, ecovillages, homestead, independent farms etc! Only buy as much fuel as you NEED! Do this until the people in power stop being dicks and give us more affordable items/hemp fuels(only known sustainable fuel source , Henry Ford built and ran his 1st cars on it!) It's time for a change!!! The people in power don't need 10 houses and 13 cars! While most can't even afford ONE! Enough is enough!
Also, why would u be more worried about an app and its data over our own gov, who quite literally has been exposed killing MILLIONS... not to mention all the humans who "killed themselves" after trying to change things here... I think we better worry bout that sht 1st, no?😂
What does disclosing a security vulnerability have to do with Americans? Security bugs in software/hardware affect every nationality. To make this issue about Americans is ridiculous and out of pocket.
You should take a look at how Messenger (Meta) behaves. What it logs, what "telemetry data" it sends home and what it does. You'd be surprised. Device info (id, mac, ip, app names / use, contacts, etc etc), connection info (network names, map of the network, info on devices in the network id/name/ip/mac), etc etc. Have fun.
Nah, FB can't be used as a boogeyman to push recruitment and funding for wars. Not as useful to make videos about. Btw this channel glows hard, I highly doubt he's even allowed to talk about FB.
For most people, your personal data is less valuable than you think😢 The true value is when you and millions of others together give a meaningful statistical trend to the system, but then your data is not personal anymore.
@mikestewart4752 I don't think it requires being a content creator to call one out for selective coverage. That's kind of like saying only journalists can criticize journalists.
5:39 Actually the CN name only means it's registered in China; where it actually is might not be there. I work for a Chinese tech giant; all our IP addresses are CN but they are actually in our global cloud.
Reality-comedian Josh Johnson perfectly explained why TikTok users flooded to XHS, and security vulnerabilities were not the point at all, which is a given on any app; it's the U.S. government's own censorship and shadow-banning of certain topics.
Thanks so much for doing this. I’d love to see what you’re able to get from TikTok, Facebook, Instagram, TH-cam, Twitter/X and so on. It’s important that more laypeople (like me) understand how this traffic works and what of their (my) information is readily accessible. Would love to see a video with simple to advanced advice on protecting your information too.
Matt, as a long-time mobile phone hacker (not the cool kind, the kind that carrier-unlocks phones, flashes custom ROMs and socially engineers workers to activate non-company phones on their service which should be locked to another carrier...), in my years of experience I can tell you that running a test like this is already compromised, because you used a 3rd party website to download the app and didn't compare the md5 to a copy downloaded from the Play Store. We don't know if this APK has been modified or not at this point.
You've got a simple understanding of what you're talking about. Not comparing the hashes doesn't just throw this out the window. If it were an official paper it could cast doubt, but someone else will do the same tests on the app store version and likely find the same activity. The likelihood of the app version he used having been tampered with significantly is low. Low enough to overlook on a casual investigation like this.
If trying to sound alarm bells for the neophytes, demonstrating that a jpeg destined to be posted publicly anyways, won't hit the mark. I was going to link this in a forum but that may be counter-productive because many of those neophytes will just end the video right there.
That is the whole reason ppl are using RedNote. I'm afraid you've missed the point. (In fact, I'd argue, basic security flaws and all, as an American, it's safer to use a data-hoarding Chinese social media app than a data-hoarding American social media app. Considering the rapidly escalating authoritarianism of the US government and the blurring lines between Silicon Valley & the government, I'd argue, as an American citizen, putting my data in the hands of any American social media company could pose a very real threat to my physical safety. It can happen here. It is happening here. The threat landscape has changed. Now, does that mean the security flaws you demonstrated aren't serious? Not at all. It's just, for the time being, everything is on fire. My main priority is making sure I don't get burned. That means the main reason not to use such a poorly secured app is the man in the middle who is coming from inside the house (which is also on fire and surrounded by hordes of angry fascists).
Wait!!! Hold up!!! You mean to tell me a Chinese app, built for Chinese people, to use in China, so they can communicate with other Chinese people, sends data to China??? WHAT?????
Instead of using all that iptables complication, you can simply set up a custom DNS server using something like dnschef with a wildcard record pointing to your workstation's external IP. Then configure the phone's DNS to use your rogue DNS server and have certmitm listen on port 443.
CCP United Front psyop apps are widely and liberally distributed, they want people to have them, no matter what. People with the app are the prize! Like randomly finding a USB stick in the parking lot of the business where you work.
@ Psyop is an engineered attack on minds, hacking the sense of reality and replacing it with lies and deception, in order to distract while executing a plan requiring your enemy to be distracted (in this case, using foreigners against their own society, institutions, government). A USB stick in a parking lot is the same: social engineering to disturb a process, bypass a security where you need to either go in and do it, or use a useful idiot that will do what you need. Both warfare, both aimed at using what's not yours to gain an advantage you have no right to have. You can outline pedantic differences, yet have to realize they are both hybrid warfare aimed at a unique goal: the CCP, and other transnational criminal organizations, want to bring the "West" down and replace it with their system of "governance". All humans, most, are curious, like a free lunch and have issues; making them easy targets of social engineering. Uneducated humans are a great order of magnitude more vulnerable to such engineering. Outraged entitlement, exceptionalism and pride are the fuel of the desire to break rules in a most self-immolating fashion; our enemies understand this and are exploiting it, it's their main "investment", one should realize this by now. We have to educate people, it's really that simple; ostrich policies and treating people like children is also self-immolating: one can't do much, legions can do anything.
Sending traffic to Chinese servers is not surprising since it is a Chinese app that was developed for the domestic market, just like Google & Facebook would send data to US servers from other geographical locations. The lax security doesn't surprise me either; the developers wouldn't add in this functionality unless they deemed it necessary, and data privacy is not a big thing in China.
It's not a big thing in the US either, not having data privacy is what makes these apps profitable. It's why so many companies complained about the EU implementing GDPR.
lol, 🤣 it is obvious if you understand how internet apps work. I do not understand why the host made a video like this. This video just randomly appeared on my feed.
At best, CCP-controlled China often has a terrible standard of software engineering; engineers like myself have known this for a very long time. It's why many western countries backed off from Chinese-supplied infrastructure and cancelled 5G projects. Those badly written apps can be taken advantage of by not only the CCP but anyone.
Just a small note, amazing video btw. A ton of open source tools are available to reverse engineer Android apps, just something to look for maybe in the future, and tools like Frida for example can help to bypass the SSL pinning if present. But usually in the apps I develop, I put everything behind an API gateway, so I really don't understand why they have so many different domains (it makes it harder for them because they need to SSL-pin the certs for all the domains, because the OS's system CA certs can be changed easily on a rooted device).
And the casualty of encrypting everything: caching... If multiple people, even on the same LAN, are watching the same stream, your upstream gets hit multiple times. It's also completely incompatible with multicast. So only the largest providers that can eat the bandwidth costs can survive. Same applies to any sort of video / audio conferencing.
Hey, TBF, maybe the developers don't know any better? If you can, please report this to the developers so they can fix it! Maybe they would pay you as they have been rapidly improving the experience for westerners, no doubt they are investing heavily in improving the app...! I think the app is a net positive and I am more worried about our ISPs monitoring our connections lol
Is the certificate certmitm uses installed on the phone? Are you testing to see if the app uses certificate pinning, or, if it does not, checking to see if the certificate is trusted by the phone's CA store?
Great question! No the certmitm cert is not trusted by the phone and so we are not testing for lack of cert pinning. We're testing if the app checks the validity of the server certificate at all based on what's in the phone's trust store
@ What is really interesting is why the programming language would ignore certificate trust. I dev apps with C# and you have to go out of your way to ignore certificate trust using the WebClient. I don't do any dev for Android so I don't know how it works, but I would imagine it would be similar. Perhaps this approach checks a box for the CN gov accessing the data if they are doing MITM on the incoming traffic.
@aquatrax123 good point, was wondering the same thing. On a side note, came here to comment that indeed you will be able to do a lot more MITM attacks if you add the certmitm certificate to the trusted certificates on the phone. Useful when not testing for attack vectors but wanting to inspect the traffic.
@aquatrax123 sometimes you're dealing with older and/or poorly maintained APIs that may or may not have a valid certificate at the moment, or there are other things that do not fit together for whatever reason. Accepting self-signed certificates would be another reason, though I don't know why anyone would use those for production servers tbh.
Not really lol. Bluesky or mastodon is what I see security people using, but I think by design you're kind of giving up your information just to have a normal experience
Just like during my days as a Network Analyst doing Wireshark traces etc for apps like FB, IG, Twitter, Amazon as well as EU apps, I always noticed DNS, HTTP etc went to outside countries but never understood why. We believed it was because of CDNs, backups in case a country's internet goes down, loading more DNS for load balancing, etc, etc. Even US apps sometimes route through outside.
16:47 Interesting, but what keeps you from adding the cert of a CA that you control to the Android phone? Wouldn't this then allow for a MITM attack on *all* of the TLS traffic?
Big difference. You can manipulate your own device to make it trust any certs you want; that's not the issue. The issue is if the client doesn't check certs or doesn't check them "properly" (there are cases where even top-tier firewalls do that), a third party can do a MITM attack without access to your device, and you won't even know it. For example, a public wifi router.
@mattbrwn I don't know what you're talking about; every app using the OAuth2 framework will send an auth token for verification. Without a token, how does the server verify your account???
Every social media app does that; it boils down to whether you want your data to be stolen by the West or China. But this particular one also has vulnerabilities aside from stealing your data.
Also, if they had a US-based AWS or Azure bucket where they initially push/pull the data, and then dump it to off-site data centers, would we be any wiser?
@bmacd11b For the user, no, but it would definitely satisfy the government, as they want access to the servers. For what purpose remains a debated thing: security or the ability to control the narrative.
Xi Jinping, “Power Must be Caged by the System”, Qiushi, January 22, 2013: “We should continue to catch “tigers” as well as “flies” when dealing with cases of leading officials in violation of Party discipline and state laws as well as misconduct and corruption problems that directly affect the people’s interests. All are equal before the law and Party discipline; whoever is involved in a corruption case must be thoroughly and impartially investigated.” The results, after 12 years of Xi’s anti-corruption campaign? “Corruption is RAMPANT in China!” -Victor Gao, Al Jazeera, August 2024 in front of a live international audience. The land of arbitrary law enforcement™️.
Thank you , sir. Out of curiosity .. does TikTok have similar vulnerabilities? I don’t (and won’t) use either, but folks don’t seem to comprehend the risks. ✌️
Are you thinking China doesn't have all the data from TikTok? I think the ban will have the effect of making China cool to the younger generation. Data collection for machine learning will continue to be vacuumed up.
You're giving up information to any app you download. They do some cursory vetting but there's still plenty of malicious stuff on the app store. Temu, for example, has been found to send texts on your behalf to your contacts without your knowledge. It also collects more data than any shopping app should, which doesn't sound very secure to me
Could you do vid on the unplugged phone that's out? By Erik Prince? Curious if it actually does what he advertises it's supposed to do. That would be great if ya could. New subscriber here!
Well, for one you should always block OUTBOUND DNS and only have your Local DNS (DNSmasq, Pihole, ...) resolve to a Couple DNS Servers of your Choice (Cloudflare, Google Public DNS, ...)
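The comment above describes a DNS egress policy (only the local resolver may talk upstream, and only to a couple of chosen servers). As an added example, not from the video or the commenter, here is a Python check that runs over constructed netfilter LOG lines from a rule logging outbound port 53/853 and reports which LAN hosts bypass that policy; the resolver and upstream addresses are assumptions.

```python
import re
from collections import defaultdict

# Policy from the comment above: only the local resolver may send DNS
# (UDP/TCP 53, DNS-over-TLS 853) upstream, and only to the chosen servers.
# These addresses are constructed for the example.
LOCAL_RESOLVER = "192.168.1.2"          # e.g. the Pi-hole / dnsmasq box
ALLOWED_UPSTREAMS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}
DNS_PORTS = {53, 853}                   # plain DNS and DNS-over-TLS

# netfilter LOG lines are "KEY=VALUE" pairs; grab the ones we care about.
_KV = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_log_line(line):
    """Return a dict of the SRC/DST/PROTO/SPT/DPT fields, or None if absent."""
    fields = dict(_KV.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"}.issubset(fields):
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields


def classify(pkt):
    """Classify one outbound packet against the DNS egress policy."""
    if pkt["DPT"] not in DNS_PORTS:
        return "not-dns"
    if pkt["SRC"] != LOCAL_RESOLVER:
        return "bypass"          # a LAN device talking to an external resolver directly
    if pkt["DST"] not in ALLOWED_UPSTREAMS:
        return "bad-upstream"    # the resolver itself forwarding somewhere unexpected
    return "ok"


def find_violations(lines):
    """Group policy violations by source host: {src: {verdict: count}}."""
    report = defaultdict(lambda: defaultdict(int))
    for line in lines:
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        verdict = classify(pkt)
        if verdict in ("bypass", "bad-upstream"):
            report[pkt["SRC"]][verdict] += 1
    return {src: dict(v) for src, v in report.items()}


# Constructed sample lines in the kernel netfilter LOG format (not real traffic).
SAMPLE_LOG = """\
Jan 20 10:15:02 gw kernel: DNS-EGRESS: IN=br-lan OUT=eth0 SRC=192.168.1.2 DST=1.1.1.1 LEN=60 PROTO=UDP SPT=41230 DPT=53 LEN=40
Jan 20 10:15:03 gw kernel: DNS-EGRESS: IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51234 DPT=53 LEN=40
Jan 20 10:15:03 gw kernel: DNS-EGRESS: IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51235 DPT=53 LEN=40
Jan 20 10:15:04 gw kernel: DNS-EGRESS: IN=br-lan OUT=eth0 SRC=192.168.1.77 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=39922 DPT=853 LEN=40
Jan 20 10:15:05 gw kernel: DNS-EGRESS: IN=br-lan OUT=eth0 SRC=192.168.1.2 DST=203.0.113.9 LEN=60 PROTO=UDP SPT=41231 DPT=53 LEN=40
Jan 20 10:15:06 gw kernel: OTHER: IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=50000 DPT=443 LEN=40
Jan 20 10:15:07 gw kernel: garbage line without the fields
"""

if __name__ == "__main__":
    for src, verdicts in sorted(find_violations(SAMPLE_LOG.splitlines()).items()):
        print(src, verdicts)
```

Port-based matching cannot see DNS-over-HTTPS, which rides on 443 like any other web traffic, so a device using DoH will not show up in this report.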
Hi Matt, I would request you to do a teardown on Xiaomi mobiles as well. Most of the market in India is being taken by these guys. I myself own a Xiaomi device and wanted to see if there is anything we should be worried about with this device, and I will send your video as proof of concept to be cautious about buying these devices.
This is amazing content. Thank you Matt, this is what YouTube is about and I wish I could show my less-than-tech-savvy family members this... but they don't seem to care about their privacy.
You clearly didn't understand the significance of the un-encrypted transmission here. Phones via this app are sending data in clear text (un-encrypted). All MIM (all men in the middle) can know whatever the app is sending from millions of devices before the data even reaches the chinese servers. This type of unencrypted data from phones for data-brokers/stealers is like unlimited fish for cats.
My understanding is that it's actually a different word. Mao's little red book in Chinese is Hongbaoshu, while the "RedNote" app is Xiaohongshu. They end up translating the same to English, "little red book", now being called "RedNote", but the origins are different. I've seen it explained that the name Xiaohongshu/RedNote connects to a story in China about a red rope (?) connecting people.
Oh please, Meta and Google have been doing worse for years. Apple just started and TikTok has ramped up since it came ‘back’. It’s funny to think we actually have control of our data.
I do believe the funniest part was the privacy policy and also terms (which I had agreed to ofc) were only in Chinese. We (all of these users) all just blew through that stuff, already knowing full well that the org is gonna just collect all that they can. It's state-affiliated, of course they're going to.
On the topic of HTTP, when you do copy a video link from the XHS app, it does come in the form of a http link, no s to be seen. It also gets sandwiched between a ton of "come check this out" text that I have no idea what it says, followed by the video ID, and there's some Emoji sprinkled in for good measure.
It isn't only outwardly state-affiliated apps that collect data; the big ones all do it. Notice how this channel won't ever have an interest in comparing the social media app with some US-based ones and their telemetry.
Matt, what is your confidence in this app you downloaded outside the official app store? APKPure😮? When I test, I prefer downloading the official app in the AVD phone.
(hint: the bad guys, depending on your trust of the 3 letter agencies, perhaps they are the good guys… well they don’t need to sniff anything, they are partners w/Meta and the like - for your own protection of course)
@ "hacker" culture has really evolved since the 90's. there used to be an inherent distrust of our government (as there should be!) but now it's just a bunch of dudes trying to be internet cops and folks who don't believe anything unless it comes from the US state dep't.
hey you do anything with ESP32's? I am developing firmware for a homebrew product. I would like to slow down someone from copying the product.... apparently can encrypt but watching (longtime listener first time caller) your videos I know a lot of stuff can be done so just wondering if you knew or have done anything with those Micros......as always thanks for all the great content
Honestly, I'm not surprised they developed such a technically lousy app. This should be a small development team. They didn't even bother about the international market and only cater to the China market. I suspect they don't have the budget to go big.
@petergerdes1094 I also know of big corporations who have basically this level of security or worse. The size of a team or budget doesn't necessarily translate into security improvements.
I don't think Matt cares much about domestic data collection, which is actually more of a present and clear danger to most individuals than collection by a foreign power.
Hey Matt, I really appreciate your videos ! I always learn something new either about hardware, network or software when I tune in. Interesting to see what data you can collect with a "basic" tool like wireshark. Looking forward to more videos like this - cheers ! :)
Do you see similar traffic using TikTok, Matt?
Great question. I'm guessing no. They have a world class bug bounty program that would catch this stuff.
Might be a good follow up video 😁
Thanks for the video, TikTok follow up is a great idea!
@mattbrwn as a TT veteran I'd looove to see a Wireshark charting of TT :)
Mark Zuckerberg's mom looks ok to me
I would really like to see this same analysis for Facebook. I would be curious to compare the two.
Lol good one. Pretty sure most people are okay with giving up their data
Won't happen because nobody will bribe him to do that.
Oh, sorry... I mean "sponsor" him.😂
god bless the CCP for opposing the new world order! if we didn't have them, what the fuck could we ever do about it...
He's forbidden to do that . . .
Wumao
@FF-kc7fc Say whatever you like, haha, I don't care. Your rebuttal showed up right on cue. Haha
@FF-kc7fc 1450
Yes!
Yeah, no shit. Meanwhile the most invasive app on Android is? Facebook Messenger, literally sniffing all your wifi-connected things.
Difference is, your data is used to influence ads not politics and narratives.
@ChasBlobster
1 single American: “I make $50/hr, plus benefits.”
All of China: 😱😱😱
@mikestewart4752 Dude, I remember arguing with you under a China Uncensored video 😂
@joshuain2771 Do you think of me when you fall asleep too? 🌈
Edit: Kidding of course.
@mikestewart4752
@mikestewart4752 1 single Chinese: "I make $5000/hr, + benefits"
All Americans: We gonna die.
I think that’s the point. The people said fu*k it and exposed it on purpose.
Yeap, I put it on Windows, my Android, iPhone etc
💯
I don't think the avg TikTok user knows anything about this or where their data goes.
@OkItsJustSean Most know and very much do not care
It would make more sense if you can actually compare it side by side with meta apps, Facebook, TikTok, Instagram, Google apps, etc.
An employee at any of those companies would be laughed out of the room for even suggesting loading resources from the CDN over raw http.
@TwoTreesStudio Oh no, my cat pictures are being sent over HTTP! I've been hacked
@ChasBlobster no, I don't think that
As a non-American, who comes from a country whose military dictatorship was admittedly funded by the U.S., and who has a memory and hasn't forgotten the revelations about the NSA, look... I'm soooo worried...
The US has been known to backdoor the communications of other countries they are promising to help. They've offered to do it for the Olympics to "help detect and prevent an attack". But we all know they never leave. They won't stop just because the Olympics are over. They're in now.
Why? The unity and love going on right now has to be the coolest thing I have ever seen in my 30+ years of life. It's insanely beautiful.... It's like pushing everyone to be super positive!! ..Imagine if everyone starts saying no more war. No more division..February 1st is when mass boycotts start! Don't support any mainstream bs! Only support locals, neighbors, Amish, ecovillages, homesteads, independent farms etc! Only buy as much fuel as you NEED! Do this until the people in power stop being dicks and give us more affordable items/hemp fuels (only known sustainable fuel source, Henry Ford built and ran his 1st cars on it!) It's time for a change!!! The people in power don't need 10 houses and 13 cars! While most can't even afford ONE! Enough is enough!
Also, why would u be more worried about an app and its data, over our own gov who quite literally has been exposed killing MILLIONS... not to mention all the humans who "killed themselves" after trying to change things here...I think we better worry bout that sht 1st, no?😂
What does disclosing a security vulnerability have to do with Americans? Security bugs in software/hardware affect every nationality. To make this issue about Americans is ridiculous and out of pocket.
i think the other two commenters are confused.... lmaao....
You should take a look at how Messenger (Meta) behaves. What it logs, what "telemetry data" it sends home and what it does. You'd be surprised.
Device info (id, mac,ip, apps name / use, contacts, etc etc), connection info (networks name, map of the network, info on devices in the network id/name/ip/mac), etc etc.
Have fun.
Nah, FB can't be used as a boogeyman to push recruitment and funding for wars. Not as useful to make videos about. Btw this channel glows hard, I highly doubt he's even allowed to talk about FB
It makes a lot of sense that first-world country of China is spying on third-world country of Murica 🤣🤣🤣
For most people, your personal data is less valuable than you think😢
The true value is when you and millions of others together give a meaningful statistical trend to the system, but then your data is not personal anymore.
have you tried this approach with Meta and X?
He’s not skilled enough to take on targets like that 😂 that’s why he sticks to random IoT devices 😂
@@huhwhatwho7895 Says the guy with no content of his own. 🤦♂️
@@huhwhatwho7895 I just checked Facebook and X, these apps don't send any user data un-encrypted.
Jesus Christ, all 3 of you need to just put your phones down for a while. You have nothing to fight for, your lives are boring and it shows
@@mikestewart4752 I don’t think it requires being a content creator to call one out for selective coverage. That’s kind of like saying only journalists can criticize journalists
5:39 Actually the CN name only means it's registered in China; where it is might not be there. I work for a Chinese tech giant, all our IP addresses are CN but actually in our global cloud
Bullsh!t.
Can tell you're Chinese.
@@JoelBergmark which “Chinese tech giant”?
Reality-comedian Josh Johnson perfectly explained why TikTok users flooded to XHS, and security vulnerabilities were not the point at all, which is a given on any app; it's the U.S. government's own censorship and shadow-ban on certain topics.
Thanks so much for doing this. I’d love to see what you’re able to get from TikTok, Facebook, Instagram, TH-cam, Twitter/X and so on. It’s important that more laypeople (like me) understand how this traffic works and what of their (my) information is readily accessible. Would love to see a video with simple to advanced advice on protecting your information too.
Matt,
As a long time mobile home hacker (not the cool kind, the kind that carrier unlocks phones, flashes custom ROMs and socially engineers workers to activate non-company phones on their service which should be locked to another carrier...) In my years of experience, I can tell you that running a test like this is already compromised because you used a 3rd party website to download the app and didn't compare the md5 to a copy downloaded from the Play Store. We don't know if this APK has been modified or not at this point.
How do you know he didn't check the checksums?
Valid point. The website does say "Trusted App" with a green shield though.
You've got a simple understanding of what you're talking about.
Not comparing the hashes doesn't just throw this out the window.
if it were an official paper it could cast doubt. but someone else will do the same tests on the app store version and likely find the same activity.
The likelihood of the app version he used having been tampered with significantly is low.
Low enough to overlook on a casual investigation like this.
@@talkingcure I'm a sub and this dude is smarter than I am, but it can't be legally admissible evidence in court, for example.
@@Gummibri Setting the bar lower does not make for a more robust defense.
If trying to sound alarm bells for the neophytes, demonstrating a jpeg that was destined to be posted publicly anyway won't hit the mark.
I was going to link this in a forum but that may be counter-productive because many of those neophytes will just end the video right there.
That is the whole reason ppl are using RedNote. I'm afraid you've missed the point. (In fact, I'd argue, basic security flaws and all, as an American, it's safer to use a data hoarding Chinese social media app than a data hoarding American social media app. Considering the rapidly escalating authoritarianism of the US government and the blurring lines between Silicon Valley & the government, I'd argue, as an American citizen, putting my data in the hands of any American social media company could pose a very real threat to my physical safety. It can happen here. It is happening here. The threat landscape has changed. Now, does that mean the security flaws you demonstrated aren't serious? Not at all. It's just, for the time being, everything is on fire. My main priority is making sure I don't get burned. That means the main reason not to use such a poorly secured app is the man in the middle who is coming from inside the house (which is also on fire and surrounded by hordes of angry fascists).
I'm curious about Meta's apps, as well as Temu and Shein
Seriously I think US companies are just as bad
Wait!!! Hold up!!! You mean to tell me a Chinese app, built for Chinese people, to use in China, so they can communicate with other Chinese people, sends data to China??? WHAT?????
Literally every social media app exposes user data.
Android app reads clipboard every open
tiktok did this too lmao
Instead of using all that iptables complication, you can simply set up a custom DNS server using something like dnschef with a wildcard record pointing to your workstation's external IP. Then configure the phone's DNS to use your rogue DNS server and have certmitm listen on port 443
downloading that app while avoiding a google account... chef's kiss.
@chrisrosenkreuz23 You losers and your catch phrases. The world is always going to be beyond your grasp.
CCP United Front psyop apps are widely and liberally distributed, they want people to have them, no matter what. People with the app are the prize! Like randomly finding a USB stick in the parking lot of the business where you work.
@@PandemoniumMeltDown perfectly eloquent.
@@PandemoniumMeltDown I dont think the two scenarios are that relatable.
@ Psyop is an engineered attack on minds, hacking the sense of reality and replacing it with lies and deception, in order to distract while executing a plan requiring your enemy to be distracted (in this case, using foreigners against their own society, institutions, government).
A USB stick in a parking lot is the same, social engineering to disturb a process, bypass a security where you need to either go in and do, or use a useful idiot that will do what you need. Both warfare, both aimed at using what's not yours to gain an advantage you have no right to have.
You can outline pedantic differences, yet have to realize they are both hybrid warfare aimed at a unique goal: CCP, and other transnational criminal organizations, want to bring the "West" down and replace it with their system of "governance".
All humans, most, are curious, like a free lunch and have issues; making them easy targets of social engineering. Uneducated humans are a great order of magnitude more vulnerable to such engineering.
Outraged entitlement, exceptionalism and pride are the fuel of the desire to break rules in a most self-immolating fashion, our enemies understand this and are exploiting it, it's their main "investment", one should realize this by now.
We have to educate people, it's really that simple; ostrich policies and treating people like children is also self-immolating: one can't do much, legions can do anything.
Sending traffic to Chinese servers is not surprising since it is a Chinese app that was developed for the domestic market. Just like Google & Facebook would send data to US servers from other geographical locations. The lax security doesn't surprise me either; the developers wouldn't add in this functionality unless they deemed it necessary, data privacy is not a big thing in China.
It's not a big thing in the US either, not having data privacy is what makes these apps profitable. It's why so many companies complained about the EU implementing GDPR.
lol, 🤣 it is obvious if you understand how internet apps work. I do not understand why the host made a video like this. This video just randomly appeared on my feed
What have you proved?
Watch the video again.
That at best CCP controlled China often has a terrible standard of software engineering; engineers like myself have known this for a very long time. It's why many western countries backed off from Chinese supplied infrastructure and cancelled 5G projects.
Those badly written apps can be taken advantage of by not only the CCP but anyone.
Just a small note; amazing video btw.
A ton of open source tools are available to reverse engineer Android apps, just something to look for maybe in the future, and tools like frida for example can help to bypass the SSL pinning if present. But usually in the apps I develop, I put everything behind an API gateway, so I really don't understand why they have so many different domains (it makes it harder for them because they need to SSL pin the certs for all the domains, because the OS's system CA certs can be changed easily on a rooted device)
I think that was the point, that we really don't care if the Chinese track us like Meta, X, Google, and Microsoft. We just want the content
I don't think anyone on it cares about that. It's a big fk you to the government.
And the casualty of encrypting everything, caching...
If multiple people even on the same LAN are watching the same stream, your upstream gets hit multiple times. It's also completely incompatible with multicast. So only the largest providers that can eat the bandwidth costs can survive. Same applies to any sort of video / audio conferencing.
Hey, TBF, maybe the developers don't know any better? If you can, please report this to the developers so they can fix it! Maybe they would pay you as they have been rapidly improving the experience for westerners, no doubt they are investing heavily in improving the app...! I think the app is a net positive and I am more worried about our ISPs monitoring our connections lol
Is the certificate certmitm uses installed on the phone? Are you testing to see if the app uses certificate pinning, or if it does not, checking to see if the certificate is trusted by the phone's CA store?
Great question!
No the certmitm cert is not trusted by the phone and so we are not testing for lack of cert pinning.
We're testing if the app checks the validity of the server certificate at all based on what's in the phone's trust store
I tried to do this on my own but was unable to get past it. it just got stuck at the splash screen
@ What is really interesting is why the programming language would ignore certificate trust. I dev apps with C# and you have to go out of your way to ignore certificate trust using the WebClient. I don't do any dev for Android so I don't know how it works, but I would imagine it would be similar. Perhaps this approach checks a box for the CN gov accessing the data if they are doing MITM on the incoming traffic.
@@aquatrax123 good point, was wondering the same thing.
On a side note, came here to comment that indeed you will be able to do a lot more MITM attacks if you add the certmitm certificate to the trusted certificates on the phone. Useful when not testing for attack vectors but wanting to inspect the traffic.
@@aquatrax123 sometimes you're dealing with older and/or poorly maintained APIs that may or may not have a valid certificate at the moment, or there are other things that do not fit together for whatever reason. Accepting self-signed certificates would be another reason - though I don't know why anyone would use those for production servers tbh.
NSA is a bigger threat
nobody is being forced to use Red note. I think that is the most important part.
your pronunciation of little red book is spot on.
thanks :) I did take a couple semesters of mandarin.
Saying little red book isn't hard 🤪
yep, not sure about any of the Mandarin... but the English part was spot on!
Is there any social media that isn't a major, or even minor privacy concern?
Not really lol. Bluesky or mastodon is what I see security people using, but I think by design you're kind of giving up your information just to have a normal experience
People behave like addicts searching for their fix. They become more mindless every day
Yeah watching ppl on Reddit act like they are in withdrawal is kinda sad and funny at the same time
It is a digital opium, right?
This isn't the reason why people moved to XHS and you know it.
@@mattbrwn you do realize the US and the companies in it are just as bad if not worse than Chinese ones in terms of data harvesting, right?
@@brokencrayon3476 I don't think he said that, did he?
The “bro” interface 🤣
This is just the standard interface naming in Linux for a bridge interface starting with 0. It's not showing "bro", it's showing "br0".
@@dj_chateau haha
Just like during my days as a Network Analyst doing Wireshark traces etc. for apps like FB, IG, Twitter, Amazon as well as EU apps, and always noticed DNS, HTTP etc. went to outside countries but never understood why. We believed bc of CDN, backups in case a country's internet goes down, loading more DNS for load balance, etc, etc. Even US apps sometimes route through outside.
Your videos are fantastic. Easy to follow and you put everything in context.
16:47 Interesting, but what keeps you from adding the cert of a CA that you control to the Android phone? Wouldn't this then allow for a MITM attack on *all* of the TLS traffic?
big difference. you can manipulate your own device to make it trust any certs you want, that's not the issue. the issue is if client doesn't check certs or doesn't check it "properly" (there are cases even top tier firewall does that), a third party can do MITM attack without access to your device, you won't even know it. For example, a public wifi router.
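The distinction drawn in this reply, and in the earlier exchange about what certmitm is actually testing (not pinning, but whether the app checks the server certificate against the phone's trust store at all), can be shown with a small Python script. This is an added example, not code from the video or from certmitm: it creates a throwaway self-signed certificate with the openssl CLI (assumed to be installed), serves it from a local TLS socket, and then connects twice, once with Python's default validating context and once with validation switched off, which is how a client that "doesn't check certs" effectively behaves. The hostname untrusted.example is constructed; the server binds an ephemeral port on localhost.

```python
"""Show why certificate validation is the property that matters.

A client that validates refuses a certificate that no trusted CA signed,
so an attacker on the path cannot impersonate the server without first
getting a CA into the victim's trust store. A client that skips validation
accepts anything, so anyone on the path (a public Wi-Fi router, say) can
read and modify the traffic. Added example; the cert and hostname are throwaway.
"""
from __future__ import annotations

import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(directory: str) -> tuple[str, str]:
    """Create a self-signed cert/key pair with the openssl CLI (assumed installed)."""
    cert = os.path.join(directory, "untrusted.crt")
    key = os.path.join(directory, "untrusted.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=untrusted.example", "-keyout", key, "-out", cert],
        check=True, capture_output=True,
    )
    return cert, key


class UntrustedTlsServer:
    """Minimal TLS server presenting a certificate no client should trust."""

    def __init__(self, cert: str, key: str) -> None:
        self.ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self.ctx.load_cert_chain(cert, key)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:
                return  # listening socket closed
            try:
                with self.ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"hello")
            except (ssl.SSLError, OSError):
                pass  # a validating client aborts the handshake; that is expected
            finally:
                conn.close()

    def close(self) -> None:
        self.sock.close()


def handshake_succeeds(port: int, validate: bool) -> bool:
    """Connect to the untrusted server; True if the TLS handshake completed."""
    ctx = ssl.create_default_context()  # validating, using the system trust store
    if not validate:
        # The dangerous pattern: hostname check off, no chain verification.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname="untrusted.example") as tls:
                return tls.recv(16) == b"hello"
    except ssl.SSLCertVerificationError:
        return False  # chain did not validate: the client refused to talk


def run_demo() -> dict[str, bool]:
    """Returns whether each kind of client completed a handshake with the untrusted cert."""
    with tempfile.TemporaryDirectory() as directory:
        cert, key = make_self_signed_cert(directory)
        server = UntrustedTlsServer(cert, key)
        try:
            return {
                "validating_client": handshake_succeeds(server.port, True),
                "non_validating_client": handshake_succeeds(server.port, False),
            }
        finally:
            server.close()


if __name__ == "__main__":
    print(run_demo())
```

The validating client fails with a certificate verification error and never sends application data; the non-validating one completes the handshake and reads the server's bytes. Installing the test CA on your own phone, as the reply above says, only changes what your device trusts; it says nothing about the second case, where the app would have accepted that certificate anyway.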
Thanks!
Thanks for the support !!!
So which sensitive user data is being sent?
Auth tokens and content for starters.
@@mattbrwn 🤯
@@mattbrwn when will you travel to Taiwan?
@@mattbrwn I don't know what you're talking about, every app using the OAuth2 framework will send an auth token to verify; without the token, how does the server verify your account???
@@mattbrwn but is it only Rednote’s auth tokens?
Do the same thing with facebook, x, or instagram
Rednote is literally named after Mao's Little Red Book. You deserve to have your data read if you download that
Every social media app does that; it boils down to whether you want your data to be stolen by the West or China. But this particular one also has vulnerabilities aside from stealing your data.
@@pvim Well said without bias. Does anybody know Facebook is the worst of all?
From what I've seen, users are aware and they don't care, they say stuff like "take my data" and such
Right? FB messenger is wild as to what it pulls
That is actually not true
TikTok needs WiFi to connect to the internet, senator
I am a Singaporean, senator
Did you ever work for the CCP or own a Chinese passport?😂😂😂😂
Partially garbled audio for anyone else? So is the implication they're not doing cert-pinning Matt, or does it go beyond that?
Tell me you didn't watch the whole video, without telling me...
Yet, they don’t even want to touch a Instagram Reel.
is this really a surprise for you guys?
Right??? 🤦♂️
It's a surprise to dumb people.
I tried setting up your mitmrouter and my phone (or any device) could connect to the wifi network but had no internet
Also, if they had a US-based AWS or Azure bucket where they initially push/pull the data, and then dump it to off-site data centers, would we be any wiser?
@@bmacd11b for the user no, but it would definitely satisfy the government as they want access to the servers. For what purpose remains to be a debated thing, security or the ability to control the narrative.
Yes, they would definitely give their citizens data to NSA , 2 digit iq ?
The Equation Group
Every app with ads exposes sensitive data !
XHS has no ads except very few users (usually girls) promoting their products (sponsored makeup or outfits)
Well that didn't take too long! I wish people cared more about this stuff..
They didn't even ban Tiktok in my country, but I'm interested in red note
I love the chinese
Xi Jinping, “Power Must be Caged by the System”, Qiushi, January 22, 2013:
“We should continue to catch “tigers” as well as “flies” when dealing with cases of leading officials in violation of Party discipline and state laws as well as misconduct and corruption problems that directly affect the people’s interests. All are equal before the law and Party discipline; whoever is involved in a corruption case must be thoroughly and impartially investigated.”
The results, after 12 years of Xi’s anti-corruption campaign?
“Corruption is RAMPANT in China!”
-Victor Gao, Al Jazeera, August 2024 in front of a live international audience.
The land of arbitrary law enforcement™️.
Thank you , sir. Out of curiosity .. does TikTok have similar vulnerabilities? I don’t (and won’t) use either, but folks don’t seem to comprehend the risks. ✌️
Tiktok has a world class bug bounty program. They have made significant security investments where this RedNote app clearly hasn't
Are you thinking China doesn't have all the data from TikTok? I think the ban will have the effect of making China cool to the younger generation. Data collection for machine learning will continue to be vacuumed up.
I would think these clear text protocols would make it easy for China's auditors to gather evidence or info on their Citizens.
So am i wrong for thinking that the apps in Play Store are secure?
You're giving up information to any app you download. They do some cursory vetting but there's still plenty of malicious stuff on the app store. Temu, for example, has been found to send texts on your behalf to your contacts without your knowledge. It also collects more data than any shopping app should, which doesn't sound very secure to me
Can someone explain the issue I really don't see one
Do you know what "mitm" is? That's the main problem. :)
@@morphingsomething5203 it's a Chinese video sharing app, not a banking app, who cares if someone mitms my videos
@@morphingsomething5203 Don't US apps do that?
@@morphingsomething5203 So this would go away if they started appropriately utilizing HTTPS and TLS certs?
Your data can be intercepted and read with very little effort
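To make concrete what "intercepted and read with very little effort" means in the thread above, here is an added Python example (not code from the video or from the channel's tooling): a small audit that walks reconstructed TCP payloads from a capture and flags cleartext HTTP requests carrying auth headers or token-like query parameters, while leaving TLS records alone because they are opaque to a passive observer. The flows, IP addresses, hostnames and token values are constructed sample data, not traffic from the app.

```python
"""Flag credentials and session material sent over cleartext HTTP.

Input is a list of (dst_ip, dst_port, payload) tuples such as you would get
from Wireshark's "Follow TCP Stream" or a pcap parser. Added example with
constructed sample flows; the addresses and tokens below are made up.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Header names that carry credentials or session material. Seeing any of these
# on a cleartext flow means anyone on the path can replay them.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-auth-token", "x-session-id"}
# Query-string keys that commonly hold bearer tokens or session ids.
SENSITIVE_PARAM = re.compile(r"^(?:access_)?(?:token|session|sid|auth|api_?key)$", re.IGNORECASE)


@dataclass
class Finding:
    dst: str
    reason: str
    evidence: str  # redacted prefix only: the report must not leak the secret itself


def redact(value: str) -> str:
    """Keep just enough of a value to recognise it in the capture."""
    return value[:6] + "..." if len(value) > 6 else "..."


def parse_http_request(payload: bytes):
    """Return (method, target, headers) or None when the payload is not an HTTP request.

    TLS records, binary protocols and responses all fail the request-line check,
    which is exactly the point: a passive observer can only read what is cleartext.
    """
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def audit_flows(flows) -> list[Finding]:
    """Return one Finding per sensitive header or query parameter seen in cleartext."""
    findings: list[Finding] = []
    for dst_ip, dst_port, payload in flows:
        parsed = parse_http_request(payload)
        if parsed is None:
            continue  # not readable cleartext HTTP (e.g. a TLS record)
        _method, target, headers = parsed
        dst = f"{dst_ip}:{dst_port}"
        for name, value in headers.items():
            if name in SENSITIVE_HEADERS:
                findings.append(Finding(dst, f"{name} header sent in cleartext", redact(value)))
        query = target.partition("?")[2]
        for pair in query.split("&") if query else []:
            key, _, value = pair.partition("=")
            if SENSITIVE_PARAM.match(key):
                findings.append(Finding(dst, f"query parameter '{key}' in cleartext", redact(value)))
    return findings


# Constructed sample flows (documentation-range addresses, made-up tokens).
SAMPLE_FLOWS = [
    ("203.0.113.10", 80, b"GET /api/feed?access_token=eyJhbGciOiJIUzI1NiJ9.demo HTTP/1.1\r\n"
                         b"Host: api.example\r\nUser-Agent: demo/1.0\r\n\r\n"),
    ("203.0.113.10", 80, b"POST /api/note HTTP/1.1\r\nHost: api.example\r\n"
                         b"Authorization: Bearer demo-token-0123456789\r\n"
                         b"Cookie: sid=abcdef123456\r\nContent-Length: 0\r\n\r\n"),
    ("203.0.113.20", 80, b"GET /static/logo.jpg HTTP/1.1\r\nHost: cdn.example\r\n\r\n"),  # public asset, no secret
    ("203.0.113.30", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 16),  # TLS ClientHello
]


if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.dst}: {f.reason} (evidence: {f.evidence})")
```

On the sample data the logo fetch produces no finding (a public image is not the problem, as the thread notes), the TLS flow is skipped as unreadable, and the two API requests yield three findings: a bearer token in a query string, an Authorization header and a Cookie header. That is the difference between "my cat pictures went over HTTP" and "my session can be replayed by anyone on the path".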
Could you do vid on the unplugged phone that's out? By Erik Prince? Curious if it actually does what he advertises it's supposed to do. That would be great if ya could. New subscriber here!
What is the problem with data going to China? Rednote was designed for Chinese people only; Rednote didn't invite American users.
Well they probably should not have banned Tiktok. These kids don't care at all about privacy concerns.
Neither do the adults tbh
Unfortunately, I believe your primary audience already knows this and the people who need to learn aren’t watching 😢
I shared it on Reddit to spread the word.
Would PCAPDroid be useful here as an alternative to your script?
What if I host my reverse proxy in Singapore and route the traffic to china?
The first image was Rednote's logo
They didn't do certificate pinning? How embarrassing!
You should totally compare tiktok in the same way. I’m willing to bet it’s not as bad as congress makes it seem.
I would bet the same.
If it was so bad they would have shut it down long ago. They wouldn't have let it be "saved" by the incoming authoritarian regime.
You really know your stuff. I learned some good wireshark and man in the middle knowledge!
How about a look at Eufy security cameras etc. Do they use servers in China? and what might that mean for the people who use their products in the US?
Bro tbh idc id overnight ship a urine sample if they asked
Well, for one, you should always block OUTBOUND DNS and only have your local DNS (dnsmasq, Pi-hole, ...) resolve to a couple of DNS servers of your choice (Cloudflare, Google Public DNS, ...)
Hi Matt, I would request you to do a tear down on Xiaomi mobiles as well. Most of the market in India is being taken by these guys. I myself own a Xiaomi device and wanted to see if there is anything we should be worried about with this device, and I will send your video as proof of concept to be cautious about buying these devices
this is amazing content. Thank you Matt, this is what youtube is about and i wish i could show my less-than tech savvy family members this.. but they don’t seem to care about their privacy
What device did you test with? Was it up to date?
What a surprise. An app on your phone exposes sensitive user data.
You clearly didn't understand the significance of the un-encrypted transmission here. Phones via this app are sending data in clear text (un-encrypted). All MITM (all men in the middle) can know whatever the app is sending from millions of devices before the data even reaches the Chinese servers. This type of unencrypted data from phones for data-brokers/stealers is like unlimited fish for cats.
@deletevil I thought the bad part was the chinese servers not random US data brokers?
I have people around me who say "I don't care about my data, I just want TikTok", and this is why I wanted it to be removed, cause it's a tumor
"Little Red Book"? Seriously? As in Chairman Mao Tse-tung's "Little Red Book"? Classic 😂
my understanding is that it's actually a different word. That Mao's little red book in Chinese is Hongbaoshu, while the "rednote" app is Xiaohongshu. They end up translating the same to English "little red book", now being called "Rednote", but the origins are different. I've seen it explained that the name Xiaohonshu/Rednote, connects to a story in China about a red rope (?) connecting people.
mistranslation into english
Oh please, Meta and Google have been doing worse for years. Apple just started and TikTok has ramped up since it came ‘back’. It’s funny to think we actually have control of our data.
I do believe the funniest part was the privacy policy and also terms (which I had agreed to ofc) were only in Chinese. We (all of these users) all just blew through that stuff, already knowing full well that the org is gonna just collect all that they can. It's state-affiliated, of course they're going to.
On the topic of HTTP, when you do copy a video link from the XHS app, it does come in the form of a http link, no s to be seen. It also gets sandwiched between a ton of "come check this out" text that I have no idea what it says, followed by the video ID, and there's some Emoji sprinkled in for good measure.
It isn't only outwardly state affiliated apps that collect data, the big ones all do it. Notice how this channel won't ever have an interest in comparing the social media app with some US-based ones and their telemetry
maybe you can do a video confirming or dispelling the tiktok meta server switch
Matt what is your confidence in this app you downloaded outside the official app store? Apkpure😮?
When I test, I prefer to download the official app in the AVD phone
Now do a bunch of us social apps
(hint: the bad guys, depending on your trust of the 3 letter agencies, perhaps they are the good guys… well they don’t need to sniff anything, they are partners w/Meta and the like - for your own protection of course)
Not gonna happen. This channel glows way too hard to expose inconvenient truths like that
@ "hacker" culture has really evolved since the 90's. there used to be an inherent distrust of our government (as there should be!) but now it's just a bunch of dudes trying to be internet cops and folks who don't believe anything unless it comes from the US state dep't.
could you do something like this for the Temu app?
hey you do anything with ESP32's? I am developing firmware for a homebrew product. I would like to slow down someone from copying the product.... apparently can encrypt but watching (longtime listener first time caller) your videos I know a lot of stuff can be done so just wondering if you knew or have done anything with those Micros......as always thanks for all the great content
never heard of google?
Dude, the jpeg you extracted is just the Rednote logo. No need to encrypt that
Honestly, I'm not surprised they developed such a technically lousy app. This should be a small development team. They didn't even bother about the international market and only cater for the China market. I suspect they don't have the budget to go big.
Yah but c'mon, I know lone developers doing hobby projects who do security better than this.
@@petergerdes1094 I also know of big corporations who have basically this level of security or worse. The size of a team or budget doesn’t necessarily translate into security improvements
We already know all apps in this world collect data, some lost them, some sold them, anything new?
Awesome job and impeccable timing!
Love It,! Thanks for quick and very relevant video Matt
Yeah, and how much data was harvested by Facebook? I don't care, still using Red Note.
I dont think Matt cares much about domestic data collection, which is actually more of a present and clear danger to most individuals than collection by a foreign power
Installing Chinese software in 2025 is wild
Tbh most social medias are just as bad if you really care about data.
Excellent video mate!! Thanks.
I knew it, I suspected since the beginning
Excellent stuff ! I learn a lot from you 🙂
Hey Matt, I really appreciate your videos ! I always learn something new either about hardware, network or software when I tune in. Interesting to see what data you can collect with a "basic" tool like wireshark. Looking forward to more videos like this - cheers ! :)
is it dangerous to have the app or is it as much of a risk as meta apps or tiktok?
GrapheneOS user?
I don't see how this is any different than what Facebook Instagram and Google have been doing since their Inception. 🤷🏾♂️
Did the feds pay you for this?