“Mini programs” in WeChat ecosystem share more data than expected
WeChat is China’s largest social media platform, and the third largest globally with about 1.2 billion users. Since its debut in 2011 the WeChat ecosystem has expanded to a scope beyond most of its social media peers, acting as a widely-used payment and ride sharing system and what is essentially an app store with its massive collection of “mini programs” that install and run through the platform. At times, the platform has made up about a third of the total annual internet traffic in China.
Over the last decade, WeChat’s sprawling functionality and widespread acceptance has gradually made it essential for daily life to a significant portion of the Chinese population. But though it has been around for nearly as long as its major rivals in the global market, research has been more limited due in part to its use of a proprietary encryption protocol (MMTLS) that masks most of its network communications. The Citizen Lab project had to develop its own unique tools to explore the WeChat ecosystem and capture meaningful information about the regular flow of network requests.
Mini programs have opaque data policies
Most of the trouble in the WeChat ecosystem originates when users download mini programs. WeChat facilitates access to assorted sensitive device operating system functions, in addition to providing the developer access to user contact and stored payment information.
Mini programs have already been the focus of controversy, with prior research finding that a good deal of them were not encrypting sensitive user data in transit or properly notifying users of information sharing with third parties. WeChat has responded to these issues by forcing mini programs to make requests through its own API, which imposes things like encryption standards. But the Citizen Lab study finds that this also provides WeChat with an alternate pipeline of first-party data that the user might not otherwise share with the app, and that it is unclear what is being done with this data as it passes through WeChat servers.
The Citizen Lab report acknowledges that it must make inferences based on the proprietary nature of the platform, but that it is likely that the “WeAnalyze” analytics component of the platform is privy to user data shared with mini programs. The report bases this on observable logging data, and compares it to a hypothetical scenario of Google forcibly injecting its internal analytics tools into everything listed on the Play Store.
And due to the structure of the platform, any operating system permission granted to a mini program must also be granted to WeChat by default. Non-mainland accounts might not normally be subject to granting this level of access during basic use of the app, but will unwittingly provide it upon installing a particular mini program.
Unexpected data access for non-Chinese WeChat accounts
While the vast majority of the app users are in China, the WeChat ecosystem has millions of users spread throughout Southeast Asia, and an additional two to three million or so in the United States. These users are routed to servers located in Hong Kong and Singapore. There are two separate privacy policies, with mainland China users subject to the “Weixin” policy (named for the parent company).
Citizen Labs recommends that foreign users of the WeChat ecosystem avoid any in-app features labeled with the Weixin name, and make use of Android’s inherent permission restriction system to have the app and mini programs manually request these as needed (and deny them when they are not necessary). The report also notes that the more modern the version of Android is, the stronger and more granular this permission system will be.