I live in Canada. My girlfriend is Chinese (also living in Canada), and while we are able to communicate via SMS, her mobile carrier isn’t the best, and so there have often been issues for us with regular texting. She expressed a strong preference to use WeChat, at least as a backup option for when texting fails us. While I have some pretty significant reservations, it’s not the hill I want to die on. So my question is: what can be done to use WeChat without compromising my whole phone? I’m okay with it if our conversations aren’t private, but I’d like to know that I’m not giving unfettered access to all of my phone’s systems and data to the CCP. What can be done to limit the reach of this ubiquitous app on my device?

  • viking@infosec.pub (↑48, edited, 8 months ago)

    I’m in China and have to use that piece of crap. So here’s how I locked it down:

    1. Root your phone with Magisk. There’s no way around it.
    2. Install Storage Isolation (https://play.google.com/store/apps/details?id=moe.shizuku.redirectstorage) and deny access to all folders.
    3. Install AppOps (https://play.google.com/store/apps/details?id=rikka.appops) and set pretty much everything to deny or ignore (ignore means the app receives the information “permission granted”, but no data is provided, in case some permissions are “mandatory”). If you intend to use WeChat to exchange voice messages or make video calls/send photos, the “use microphone” and “use camera” functions would be required. In a similar fashion the location access if you intend to use the location sharing feature.
    4. Be acutely aware that WeChat is not encrypting messages, neither end to end nor in the server communication. Everything you say can (and probably will) be read and archived. Don’t say anything confidential or critical there.

    And yeah really, try to convince your wife girlfriend to use signal instead. Or hell, even whatsapp is miles ahead.

    My wife is Chinese as well, so even after we leave here she’ll be using wechat to stay in touch with family, no way around it, but using messengers more commonplace in other countries is definitely better. Personally I will move wechat to another phone once we’re out. For now that’s not feasible as it’s too much integrated into every function of life here.

    • ReversalHatchery@beehaw.org (↑3, 8 months ago)

      Don’t forget that AppOps is not really standardized, and even the app admits that some phones’ systems do not implement a restriction properly (or at all).

      That being said, it’s very good to have, but you have to keep this in mind.
      AFAIK LineageOS has a more complete implementation.
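
A way to check the outcome of the AppOps step and the caveat above, as an added example that is not code from any commenter: it parses `appops get` output and lists every op whose recorded mode is neither `deny` nor `ignore`. The sample output is constructed, the work-profile user id 10 and the keep list are assumptions, and the result shows what the OS has recorded, not whether a vendor build enforces it.

```shell
#!/bin/sh
# Added example: audit the app-op modes recorded for one package.
#
# Real use, with adb connected (list user ids with `adb shell pm list users`;
# 10 is only a common value for a work profile):
#   adb shell appops get --user 10 <package> | audit_appops "CAMERA RECORD_AUDIO"

# Constructed sample imitating `appops get` output; not captured from a device.
SAMPLE_APPOPS='Uid mode: COARSE_LOCATION: foreground
READ_CONTACTS: ignore
READ_EXTERNAL_STORAGE: deny
CAMERA: allow; time=+2h14m3s ago
RECORD_AUDIO: allow; time=+2h14m9s ago; duration=+4s120ms
FINE_LOCATION: allow; time=+5d1h ago
READ_CLIPBOARD: allow'

# audit_appops "<space-separated ops you deliberately keep>"
# Reads appops output on stdin and prints OP=mode for every op that is not
# deny/ignore and not in the keep list. Modes such as "allow", "foreground"
# and "default" (defer to the normal runtime permission) are all reported.
# Returns 1 if anything was reported, 0 otherwise.
audit_appops() {
    awk -v keep=" $1 " '
        {
            line = $0
            sub(/\r$/, "", line)              # older adb builds emit CRLF
            sub(/^Uid mode: /, "", line)      # per-UID modes share the OP: mode shape
            n = index(line, ": ")
            if (n == 0) next                  # "No operations." and other noise
            op = substr(line, 1, n - 1)
            mode = substr(line, n + 2)
            sub(/;.*/, "", mode)              # drop "; time=..." access details
            if (mode == "deny" || mode == "ignore") next
            if (index(keep, " " op " ") > 0) next
            print op "=" mode
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo on the constructed sample, keeping camera and microphone for calls.
if flagged=$(printf '%s\n' "$SAMPLE_APPOPS" | audit_appops "CAMERA RECORD_AUDIO"); then
    echo "every op outside the keep list is denied or ignored"
else
    printf 'still granted:\n%s\n' "$flagged"
fi
```

Anything it reports can be changed with `appops set`, then the audit re-run to confirm the mode stuck.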

      • viking@infosec.pub (↑15 ↓1, 8 months ago)

        Whatsapp uses end to end encryption and is far from as intrusive as wechat.

          • viking@infosec.pub (↑10, 8 months ago)

            Nah it’s rather easy to do and has been done by security experts. If your phone is a rooted Android, you can do it yourself using PCAPdroid, it’s basically a network logger that allows you to install a trusted certificate as a local proxy and go man in the middle on yourself. That way you can decrypt the https traffic between your phone and the WhatsApp server.

        • umbrella@lemmy.ml (↑6 ↓4, 8 months ago)

          whatsapp is certainly backdoored, it’s closed source and unverifiable.

    • Ainz@lemmy.world (↑2, 8 months ago)

      1. Install Shizuku -> Doesn’t require root
      2. Install Island and use the built in work profile feature of your android device
      3. Install AppOps and block most of the app with garbage data
      4. Be happy without rooting your phone

      • viking@infosec.pub (↑1, 8 months ago)

        Yeah I’ve played around with it in the past, but having to re-establish the wireless adb was quite annoying. Plus I need root for AdAway already, I don’t think that can be achieved via Shizuku, but that might not apply to the OP. I’ve tried island back in the beta stage and it wouldn’t work on my phone, but I guess things have changed since. Might give it another try.

      • bionicjoey@lemmy.ca [OP] (↑3, 8 months ago)

        Yeah I was considering Waydroid but then I lose the ability to connect outside of my PC

      • viking@infosec.pub (↑2, 8 months ago)

        I guess it could be, but that kills the use case of being contactable by his GF on the fly.

  • jet@hackertalks.com (↑25, edited, 8 months ago)

    Second phone just for WeChat.

    Failing that use an Android work profile and run WeChat inside of that. It should isolate WeChat from the rest of the data on your phone. WeChat would still have access to your location, microphone comment etc but not your data.

    • milicent_bystandr@lemm.ee (↑11, 8 months ago)

      This is the way. Depending on how much convenience you are willing to sacrifice.

      There are one or two apps on F-Droid for using the work partition, and you can force-freeze apps within that, so you can turn wechat actually off when you don’t want it. That also separates wechat from your phone contacts list, without denying it nominal contacts access permission (without which, iirc, it refuses to work).

      For extra paranoia, run your dedicated wechat phone permanently through a VPN with location services on the phone turned off. Answer it only in a soundproofed room, Faraday caged with no WiFi connections except the dedicated wechat WiFi. Speak with a funny voice, and if you must show your face, wear a balaclava.

      But that might be overdoing it a little.

    • EngineerGaming@feddit.nl (↑6 ↓1, 8 months ago)

      What about something like Waydroid to avoid spending extra money? Wonder if these are detected on registration.

      • bionicjoey@lemmy.ca [OP] (↑4, 8 months ago)

        Was considering Waydroid, but ideally I want something that I can take with me on the go. Some folks have suggested the app Shelter on fdroid though and that seems like an ideal solution for the time being.

  • 🦄🦄🦄@feddit.de (↑21 ↓2, 8 months ago)

    To answer the question: GrapheneOS and a separate profile would be the safest but still…

    If you are both outside of China there really is zero reason (other than preference) to use that piece of spyware.

    • bionicjoey@lemmy.ca [OP] (↑9 ↓1, 8 months ago)

      To answer the question: GrapheneOS and a separate profile would be the safest

      I appreciate the suggestion, but maybe I should add that I’d like to not have to change up my phone too much. It’s a Fairphone 4 running the OEM Android and my preference would be to keep it that way. Are separate profiles like that a thing on stock Android?

      If you are both outside of China there really is zero reason (other than preference) to use that piece of spyware.

      She travels back to China sometimes, uses it to contact friends and family back home, and uses it to chat with lots of mainlanders here in Canada. For her it’s not weird at all.

      In fact, she expressed to me that she’s perfectly comfortable with the fact that they use WeChat combined with facial recognition technology in China for payment processing. When you get on public transit, you can have them scan your face and it will automatically charge you the bus fare. It really skeeves me out, but it’s simply not the hill I want to die on in this relationship. I’m crazy about her in so many ways, it’s okay with me if we don’t see eye-to-eye on digital privacy.

    • milicent_bystandr@lemm.ee (↑14 ↓2, 8 months ago)

      And, let’s be fair, for most people the real loss from this level of compromised privacy/security is far less than the real gain from helping your relationship.

      Sometimes I look at products I use from dubious companies, take a step back, and think, this company is actually a blessing in my life even if there is a smaller curse attached. That said, I’m grateful for all the tremendous effort put in by many people to make the digital (and rest of) world a safer, more private, fairer and more honest place. And I try to do at least a little of my share!

    • ReversalHatchery@beehaw.org (↑3 ↓7, edited, 8 months ago)

      If they are actually totally unwilling to use another messaging app that has fewer of said negatives, is the partner really interested in that relationship?

      I mean, just look at the arguments.
      From OP’s side, it’s privacy, respect of the user by the service, human freedoms basically.
      From the partner’s side, as I understand, it is pure convenience.
      Please reread my first paragraph after reading this second one. It will now hopefully make sense, if it didn’t at first.

      But to be honest maybe I’m not qualified for this question or something because I have a different attitude to this problem.
      To me it’s not my primary purpose to find a partner, and everything else is secondary.
      To me, getting to know that someone is neck deep in mass surveillance tech and is so comfortable with it that they are inseparable, instantly turns me off. I don’t want to live with someone who is perfectly fine with the state messaging app constantly scanning my face with an app on my phone, because that means that our values are clearly very different.

      • jet@hackertalks.com (↑11, 8 months ago)

        If you’re willing to throw your multi-year relationship away over… software preferences, are you actually interested in the relationship at all?

        • bionicjoey@lemmy.ca [OP] (↑5, 8 months ago)

          We’ve only been dating for about 6 months, but I agree with the sentiment of what you’re saying. In any case, we care for each other a lot and want to see the relationship last a long time.

        • ReversalHatchery@beehaw.org (↑1 ↓2, 8 months ago)

          It’s not at all software preferences. It’s not that I would tell “matrix or I don’t want to see you again”, it’s “switch from that Chinese spy tool or we better break up”, as there will be a lot of other things we won’t be able to agree on. Facebook is not even that bad as wechat.

          See? It’s not “software preferences”. It’s differences in personal values as big as a chasm. It’s that I value my privacy, and am not willing to give it up, at least absolutely not that much of it. If our values are so very different, that’s a good sign that you shouldn’t ignore.

          And then, I’m not sure where you read about a multi-year relationship. I don’t think such a question as OP’s would pop up after multiple years of being used to it.

          • bionicjoey@lemmy.ca [OP] (↑4, 8 months ago)

            switch from that Chinese spy tool or we better break up

            “Hey babe, you know that app which is your only way of communicating with your family and friends back home? Yeah well I’m breaking up with you if you don’t ditch it.”

            • ReversalHatchery@beehaw.org (↑1, 8 months ago)

              Obviously I did not mean to delete the app, but instead to not force you to use it, but I guess it’s just easier to read it in a malicious way.

      • bionicjoey@lemmy.ca [OP] (↑7, 8 months ago)

        Relationships (of all kinds) are about compromise. You have to recognize that outside of the echo chambers in communities like this one, literally nobody cares about digital privacy to the extent that us nerds do. So you can choose to be dogmatic in your approach and alienate yourself from the >99% of people in the world who don’t care, or you can recognize that your own desires for digital privacy need to be weighed against your desires to form meaningful connections with other people.

        Personally I prefer to be pragmatic in my approach. I do what I can to look after my privacy within the constraints of actually doing what I need to do to connect with other people. That’s why I made this post. My mind is made up that I’m going to at least try to use WeChat, but within that constraint, I want to do everything in my control to limit the app’s visibility into the rest of my system.

        • ReversalHatchery@beehaw.org (↑1 ↓3, edited, 8 months ago)

          Relationships (of all kinds) are about compromise.

          Exactly. As I have understood, she is not willing to use another messaging app. It seems as if only you are ready to have a compromise.

          to the extent that us nerds do

          This is not “not caring to that extent”. This is not even just not caring at all. This is straight out ignoring and nullifying any and all concerns of one of the parties over privacy, by the other one.

          So you can choose to be dogmatic in your approach

          The only dogmatic thing here would be to say “only matrix”, or “only signal”, or whatever. As I understand you have attempted to offer multiple options.

          people in the world who don’t care

          It’s mostly irrelevant if they care about it. In a healthy relationship no one is The Boss whose decisions must be accepted. Instead if one party does not care about something, but the other very much does, they can accept that and live with it, if that’s not a terrible choice. For example if your wife does not want to eat meat, would you force them to do so, because you don’t want to deal with making meatless meals? I often eat meat, but I would be ready to give it up regularly doing so if need be. Or if they don’t want to deal with the selfhosted media store, ok, fine, let her keep her Netflix subscription. This however, is not about pleasures, but about giving up or not human rights important to me.

          In this situation however, it sounds like as if your girlfriend will be “The Boss”.

  • wpuckering@lm.williampuckering.com (↑17, edited, 8 months ago)

    You could sandbox it into a work profile that doesn’t have access to your main profile. Storage is completely segregated, and the work profile can be easily disabled when you’re not using it.

    The best solution is obviously to choose another platform and convince your girlfriend to use that, explaining how this little extra effort on her part to use another app goes a long way with you in terms of appreciation and understanding of a partner’s boundaries and comfort zone.

  • thanks_shakey_snake@lemmy.ca (↑13 ↓1, 8 months ago)

    FWIW, WeChat and 微信 are different apps. With a non-Chinese phone number and Google Play Store download, you’ll be using the international one (WeChat) instead of the Chinese one (微信). There are still privacy concerns, but it’ll be less invasive than what you’d have with the version that people in China are buying their groceries with and stuff.

    I’m sorry I don’t have advice for how to actually protect yourself, though… I’ll be keeping an eye on this thread to see what I can learn.

    • bionicjoey@lemmy.ca [OP] (↑4, 8 months ago)

      That’s a great point, thanks! I will definitely be using the international one. I expect since I’m getting it through Google Play it’ll be constrained based on the OS permissions I give it. And I don’t intend to give it any permissions

      • ReversalHatchery@beehaw.org (↑2, 8 months ago)

        I expect since I’m getting it through Google Play it’ll be constrained based on the OS permissions I give it

        Getting it through google play or not does not constrain anything more or less.

        And I don’t intend to give it any permissions

        Hopefully it won’t require any to be able to keep using it

      • bionicjoey@lemmy.ca [OP] (↑3, 8 months ago)

        I’ve heard of matrix bridges before but I’m unfamiliar with how to actually set them up and use them. I understand the basic idea is that they relay messages out of matrix and into some other messaging service, but I don’t understand how to actually enact that onto the element client on my phone. Matrix is so complicated 😅

        • a1studmuffin@aussie.zone (↑4, 8 months ago)

          I’ll level with you… I’ve never used Matrix either. 🤣 But all the cool kids around these parts recommend it, and I fundamentally agree with the cause of the project and saw they had the WeChat bridge, so thought I’d mention it.

  • John (↑8 ↓1, 8 months ago)

    I stopped using every messenger besides signal and Matrix. Even my not tech savvy parents are using signal now - it’s in my opinion the better solution to stand your ground and may push others into using the better apps

  • EunieIsTheBus@feddit.de (↑13 ↓7, 8 months ago)

    Maybe get a girlfriend that isn’t a brain washed spy? \s

    Just use a different app then? You don’t need to come up with some high tech solution. She won’t use that anyway. But something simple like signal should be sufficient.

    • bionicjoey@lemmy.ca [OP] (↑9, edited, 8 months ago)

      Maybe get a girlfriend that isn’t a brain washed spy? \s

      Listen here, I like my qt tankie sleeper cell gf. As long as she doesn’t hear anyone say the activation phrase, she’s very sweet.

      For real though, this app is pretty culturally ingrained over there and so I don’t really have the option of pushing something else (we all know how real messaging app fatigue has gotten these days). Especially when other apps will be restricted whenever she travels home, and we want something that can serve as a backup when other communication methods aren’t an option. I’m pretty sure WeChat will work through The Great Firewall, so it’s ideal for our purposes. I have no idea if the same can be said for WhatsApp or Signal.

      • youmaynotknow@lemmy.ml (↑3, 8 months ago)

        If you love her (and it seems like you do) talk to her openly about your concerns and suggest something else. Heck, even set up a Matrix user for each and tell her you want to use that exclusively for both of you as a romantic gesture. That’s how I got my wife on Matrix (Element).

  • guyrocket@kbin.social (↑6 ↓1, 8 months ago)

    If you really want to isolate it, grapheneOS lets you put it in its own profile almost totally isolated from anything in any other profile.

    But you probably don’t want to buy a g! Pixel.

    You could buy a separate phone and only run that app on it. Hassle but it would be secure.

    • jet@hackertalks.com (↑3, 8 months ago)

      This is good advice. But you can have work profiles on any Android phone. Not just GrapheneOS. Look at shelter in fdroid to get started

  • Antitoxic9087@slrpnk.net (↑5 ↓1, 8 months ago)

    If you are serious with this relationship (or you expect to still have Chinese partners in the future), I strongly recommend you buy a separate device for all the Chinese spywares required to maintain communication with your partner(s). At some point you will have to enter China, and it is best that you take only this device with you into it then.

    • bionicjoey@lemmy.ca [OP] (↑5, 8 months ago)

      I’ll cross that bridge when I get to it. If I’m going to do that I might as well buy the burner phone once I’m actually in China rather than preemptively get one now. I like her a lot but I’d say we’re at least a year away from going to China together.

      • wpuckering@lm.williampuckering.com (↑4, 8 months ago)

        The good thing about getting one from the start is that you can set it up to your liking from the get-go and won’t have to do it later. You’ll also get used to using it daily and see how managing two devices works for you.

  • bloodfart@lemmy.ml (↑3, edited, 8 months ago)

    Brace yourself for a weird recommendation:

    Don’t worry about it or switch to ios.

    You’re on a different marketplace for phone apps than Chinese nationals so you’re not getting the same wechat as they are. If you trust your platform’s marketplace and your phone’s security and privacy tools then just don’t worry about it and use them like a normal person.

    If you don’t trust your platform’s marketplace or security and privacy tools, switch platforms.

    It doesn’t seem from your responses in this thread that you’re in a good spot right now to learn everything required to root and run an alternative os securely and act as your own security auditor. Not a value judgement, I’m not in a position to act as my own diesel mechanic. That’s why I said maybe switch to ios if you feel exposed by stock android instead of saying you ought to try to navigate the alternate os/custom rom world.

    It might seem like some people in the replies have given good walkthroughs, and they definitely have, but at some point you’re gonna have to make a decision about something that either isn’t documented on a wiki or no one responds to questions about.

    Maybe the best choice is to either not worry about it or switch platforms and no matter what you choose, put the phone’s security and privacy tools to use and be more considered and self aware about how you use your phone.

    E: Jesus Christ. Some of the responses you’ve gotten are astonishing. Maybe ask in hexbear or something just to get an alternative view.

    • bionicjoey@lemmy.ca [OP] (↑1, edited, 8 months ago)

      Yeah I ended up installing it in an Android work profile using Shelter, and it is a disaster of an app. I expected a lot more of a professional looking app given how popular the WeChat service is and how big of a company Tencent is, but it’s like a shittier WhatsApp. It’s not even localized properly, a bunch of strings in the app (like error screens and stuff) are in Chinese, and the English is poorly translated. The mechanism to reply to someone’s message is unclear (it’s not just long pressing or dragging on a message like in other apps), and you can’t send a reaction emoji to a message.

      • bloodfart@lemmy.ml (↑2, 8 months ago)

        It’s always funny to me how people assume the most half-assed software the world has ever seen somehow carries incredibly advanced and impossible to detect tracking deep inside it.

        Like we have t-1000 at home! T-1000 at home: that bucket robot that got murdered in Philly.

        I just saw you’re from .ca, you may have to make an alt to ask but 100% ask on hexbear. There’s people on there who have dealt with wechat and phones going to and from China and won’t be near as overtly weird and racist as some of the responses here. Maybe differently overtly weird.

  • ReversalHatchery@beehaw.org (↑6 ↓5, 8 months ago)

    Why don’t you use a better messaging app? If not matrix, then signal? Even telegram is better compared to both wechat and sms.

    • bionicjoey@lemmy.ca [OP] (↑5, 8 months ago)

      She’s not very tech savvy at all. It would be asking a lot. I’d rather stick to something she is comfortable with.

      • ReversalHatchery@beehaw.org (↑1, 8 months ago)

        One does not need to be tech savvy for that. All 3 are not like a terminal controlled operating system, but a normal messaging app. But if you are ok with giving up privacy, I shouldn’t tell you what to do instead.