Hacker News
by Mefis 2823 days ago
Can we stop with the argumentative and ultimately pointless comparisons between the US and China?

For me what's astounding is:

"Lastly, nothing is transmitted from the individuals device to the receiving server over HTTPS — all in plaintext via HTTP — and updates are unsigned. This means all the data the app collects is transmitted to the unknown entity on the receiving end in a way that allows someone with a trivial amount of technical knowledge to intercept and potentially manipulate" [0]

Is there any reason besides incompetence why the app's developers would do this?

[0] https://www.opentech.fund/news/app-targeting-uyghur-populati...

Edited: formatting

7 comments

It could be that further up the network they are dropping HTTPS packets, or that they plan to in future. It isn't unheard of to simply deny encrypted protocols at the ISP level for a period of time and I could see China doing this in some areas while simultaneously forcing common sites and apps to have functional unencrypted versions to minimise commercial disruption.
The EU found a way around that with "content filters" - basically anything you upload will be sent to a government controlled body for inspection. This works fine with encryption and there is no need to ban math.
> someone with a trivial amount of technical knowledge to intercept and potentially manipulate

You didn't seem to understand: the JingWang app was supposed to be the someone with a trivial amount of technical knowledge to intercept and manipulate.

Is there any good reason why they wouldn’t do this? All the traffic is going over networks under control of their government. If some lone wolf spies on a few people or owns their phones, it doesn’t really matter to the developers.
Plausible deniability? That way, if you get hacked by the govt, they can blame it on cybercriminals or western intelligence agencies.
Also cost.
Cost of what, exactly? A (free) TLS certificate from Let's Encrypt?
I'm guessing that when you start snooping on the everyday mobile activity of 1.3 billion citizens you hit the kind of scaling problems that usually only Facebook and Google see.
Considering China records and stores millions of hours of video data among other things they are probably getting pretty good at snooping.
There are probably (simple/cheap) ways to overcome that, but I see your point.
Cost of servers to handle millions of TLS connection initialisations and HTTPS stream decryptions, versus simple plain-text streaming...
TLS isn't the only option, though. You could use TLS on setup to share a pre-computed secret between the device and the remote server, then bin the TLS connection. After that, encrypt and forward over HTTP.

Laziness isn't an excuse.

FYI, the mechanism you describe is (essentially) how TLS works...
Could be a "pragmatic" way for multiple governmental agencies to deliver payloads and collect data.
>Is there any reason besides incompetence why the apps developers would do this?

Well... cheap shot maybe, but it's Android. People are always hating on Apple for having security checks and rules. Android, on the other hand... how did Sundar Pichai put it? "We prioritize openness over security," something like that.

Openness does sound good but positioning it as a tradeoff with security bothers me. Having both would be good.

I'm wondering how this is or will be handled on the Apple platform. When that information comes out, I'm not expecting it will make Apple look good, since they have said they will follow the law (no matter how bad the law is!) wherever they sell their devices. If following the law means allowing a spyware app into the App Store, and they do this, I'll have to reevaluate my expectations of privacy for using Apple devices.

> Openness does sound good but positioning it as a tradeoff with security bothers me. Having both would be good.

Letting people write and install whatever program they want necessarily includes letting them write and install shitty programs.

Yes. I can write and install any shitty program I want on my Apple device. No problems there.

But when it comes to other people's devices, those other people probably want a say in who the device is open to and when, and for what purpose. Apple helps make it possible for them to have a say.

While I am free to install astoundingly shitty software on my own iPhone/iPad/Mac, Apple makes it difficult for me to install shitty programs on other people's Apple devices without their knowledge or consent.

Seems like a reasonable way of doing things. Open for your own device, and others get to decide for themselves what they are open to for their devices.

How are you free to install software on your own iPhone or iPad when you need a developer account to get a signing certificate to install your app on your own phone?
With a developer account.
And yet Google blocked the app I built while Apple let it pass.

Hmm.

Which app was that?
I would prefer not to say as, after some difficulty, I was able to reach someone at Google, provide necessary details and get approved to resubmit -- but the app name is now locked so I need a new one.
Yes, that was a very cheap shot. It's not Android's fault that China is forcing crappy spyware on users.
I wouldn’t say very. Didn’t Fortnite bypass the Play Store by using a direct/side-load install? Those things can only be done with design level decisions being made in a product.
That was to avoid giving Google a cut of in app purchases.
Definitely, I meant that they were only able to circumvent the Play store because of the settings/admin/root access etc intentionally left open by the core product team.

To clarify, the article doesn't mention that they were stopping iPhone users to install the app, only Android. I'm not too familiar with the method/tech though. If by design, Android had a more closed ecosystem, they couldn't force it so casually. I'm personally not a fan of that approach, but could see the benefits when under this type of government.

Cheap shot indeed. The decision to use HTTP over HTTPS is unquestionably impartial whether it's implemented for an Apple or Android device.
Unsigned updates? Sounds like it would be relatively easy to disable (in addition to being a vector for malware)
Maybe this is the point? Make the first round of malware easy to circumvent so as to "entice the snakes out of their caves?"
The police would just come round again if they stop getting data.