I live in Canada. My girlfriend is Chinese (also living in Canada), and while we are able to communicate via SMS, her mobile carrier isn’t the best, and so there have often been issues for us with regular texting. She expressed a strong preference to use WeChat, at least as a backup option for when texting fails us. While I have some pretty significant reservations, it’s not the hill I want to die on. So my question is: what can be done to use WeChat without compromising my whole phone? I’m okay with it if our conversations aren’t private, but I’d like to know that I’m not giving unfettered access to all of my phone’s systems and data to the CCP. What can be done to limit the reach of this ubiquitous app on my device?
I’m in China and have to use that piece of crap. So here’s how I locked it down:
- Root your phone with Magisk. There’s no way around it.
- Install Storage Isolation (https://play.google.com/store/apps/details?id=moe.shizuku.redirectstorage) and deny access to all folders.
- Install ApOps (https://play.google.com/store/apps/details?id=rikka.appops) and set pretty much everything to deny or ignore (ignore means the app receives the information “permission granted”, but no data is provided, in case some permissions are “mandatory”). If you intend to use wechat to exchange voice messages or make video calls/send photos, the “use microphone” and “use camera” functions would be required. In a similar fashion the location access if you intend to use the location sharing feature.
- Be acutely aware that wechat is not encrypting messages, neither end to end nor in the server communicaton. Everything you say can (and probably will) be read and archived. Don’t say anything confidential or critical there.
And yeah really, try to convince your
wifegirlfriend to use signal instead. Or hell, even whatsapp is miles ahead.My wife is Chinese as well, so even after we leave here she’ll be using wechat to stay in touch with family, no way around it, but using messengers more commonplace in other countries is definitely better. Personally I will move wechat to another phone once we’re out. For now that’s not feasible as it’s too much integrated into every function of life here.
Don’t forget that AppOps is not really standardized, and even the app admits that some phone’s system does not implement a restriction properly (or at all).
That being said, it’s very good to have, but you have to keep this in mind.
AFAIK lineage os has a more complete implementation.+1 for signal but i doubt whatsapp is ahead at all
Whatsapp uses end to end encryption and is far from as intrusive as wechat.
So they say, but its closed source, so its hard to verify.
Nah it’s rather easy to do and has been done by security experts. If your phone is a rooted android, you can do it yourself using PCAPdroid, it’s basically a network logger that allows to install a trusted certificate as a local proxy and go man in the middle on yourself. That way you can decrypt the https traffic between your phone and the whatsapp server.
whatsapp is certainly backdoored, its closed source and unverifiable.
then so does your claim, unverifiable
my claim is completely open, unlike whatsapp
At least Whaysapp have the content encrypted
its certainly backdoored
- Install Shizuku -> Doesn’t require root
- Install Island and use the built in work profile feature of your android device
- Install AppOps and block most of the app with garbage data
- Be happy without rooting your phone
Yeah I’ve played around with it in the past, but having to re-establish the wireless adb was quite annoying. Plus I need root for AdAway already, I don’t think that can be achieved via Shizuku, but that might not apply to the OP. I’ve tried island back in the beta stage and it wouldn’t work on my phone, but I guess things have change since. Might give it another try.
Can it be used without a smartphone, like in an Android VM?
Yeah I was considering Waydroid but then I lose the ability to connect outside of my PC
I guess it could be, but that kills the use case of being contactable by his GF on the fly.
Second phone just for WeChat.
Failing that use a android work profile and run WeChat inside of that. It should isolate WeChat from the rest of the days on your phone. WeChat would still have access to your location, microphone comment etc but not your data
This is the way. Depending on how much convenience you are willing to sacrifice.
There are one or two apps on F-Droid for using the work partition, and you can force-freeze apps within that, so you can turn wechat actually off when you don’t want it. That also separates wechat from your phone contacts list, without denying it nominal contacts access permission (without which, iirc, it refuses to work).
For extra paranoia, run your dedicated wechat phone permanently through a VPN with location services on the phone turned off. Answer it only in a soundproofed room, Faraday caged with no WiFi connections except the dedicated wechat WiFi. Speak with a funny voice, and if you must show your face, wear a balaclava.
But that might be overdoing it a little.
What about something like Waydroid to avoid spending extra money? Wonder if these are detected on registration.
Was considering Waydroid, but ideally I want something that I can take with me on the go. Some folks have suggested the app Shelter on fdroid though and that seems like an ideal solution for the time being.
It does work pretty well.
Ah, okay. But given the invasiveness of the app - I now really wonder if it is possible for it to detect and shut down registration from desktops this way.
To answer the question: GrapheneOS and a separate profile would be the safest but still…
If you are both outside of china there really is zero reason (other than preference) to use that piece of spyware.
To answer the question: GrapheneOS and a separate profile would be the safest
I appreciate the suggestion, but maybe I should add that I’d like to not have to change up my phone too much. It’s a Fairphone 4 running the OEM Android and my preference would be to keep it that way. Are separate profiles like that a thing on stock Android?
If you are both outside of china there really is zero reason (other than preference) to use that piece of spyware.
She travels back to China sometimes, uses it to contact friends and family back home, and uses it to chat with lots of mainlanders here in Canada. For her it’s not weird at all.
In fact, she expressed to me that she’s perfectly comfortable with the fact that they use WeChat combined facial recognition technology in China for payment processing. When you get on public transit, you can have them scan your face and it will automatically charge you the bus fare. It really skeeves me out, but it’s simply not the hill I want to die on in this relationship. I’m crazy about her in so many ways, it’s okay with me if we don’t see eye-to-eye on digital privacy.
Yes you can use work profiles on stock Android. Look at the shelter app in fdroid to get started
If you’re in the US and mostly worried about one app, you can probably devote a Work folder via an app like Shelter to a GF.
I’m not in the US, but what is this Shelter you speak of?
https://f-droid.org/packages/net.typeblog.shelter/
Shelter is an app that takes advantage of the work profile in android to install apps in that profile and makes shortcuts for the app in the normal profile. So it feels like you’re just using an app as usual but the app is pretty much sandboxed away from all your info.
Thank you! This is exactly the sort of thing I was looking for!
Not OP, but is this any better than the Island app? I’ve been using that for a long time and it seems to use the same android feature.
deleted by creator
https://f-droid.org/packages/net.typeblog.shelter/
https://gitea.angry.im/PeterCxy/Shelter
Shelter is an open source program that can use the mobile device management APIs of Android to create a work profile. It’s used by many people to have app isolation. It works on stock Android as well as most custom ROMs
Android 15 solves your issues -
https://www.androidauthority.com/android-15-private-space-hands-on-3432113/
Private Spaces when they come to Fairphone will be perfect for this.
Personally I’d be way more concerned with using OEM Android in the West than using wechat anywhere but if it’s really an issue for you then I’d say insist on trying session or signal… One of those are probably your best options if you’re worried about being spied on…
If she’s unwilling to try them or doesn’t like them then I guess you have to settle for wechat or traditional SMS (although without RCS I find SMS to be a trip to a previous decade lol)
Devil’s advocate here, session and signal do not work in China without a VPN
deleted by creator
And, let’s be fair, for most people the real loss from this level of compromised privacy/security is far less than the real gain from helping your relationship.
Sometimes I look at products I use from dubious companies, take a step back, and think, this company is actually a blessing in my life even if there is a smaller curse attached. That said, I’m grateful for all the tremendous effort put in by many people to make the digital (and rest of) world a safer, more private, fairer and more honest place. And I try to do at least a little of my share!
Damn that’s wholesome.
If they are actually totally unwilling to use an other messaging app that has fewer of said negatives, is the partner really interested in that relationship?
I mean, just look at the arguments.
Form OP’s side, it’s privacy, respect of the user by the service, human freedoms basically.
From the partners side, as I understand, it is pure convenience.
Please reread my first paragraph after reading this second one. It will now hopefully make sense, if it didn’t at first.But to be honest maybe I’m not qualified for this question or something because I have a different attitude to this problem.
To me it’s not my primary purpose to find a partner, and everything else is secondary.
To me, getting to know that someone is neck deep in mass surveillance tech and is so comfortable with it that they are inseparable, instantly turns me off. I don’t want to live with someone who is perfectly fine with the state messaging app constantly scanning my face with an app on my phone, because that means that our values are clearly very different.If your willing to throw your multi-year relationship away over… software preferences, are you actually interested in the relationship at all?
We’ve only been dating for about 6 months, but I agree with the sentiment of what you’re saying. In any case, we care for each other a lot and want to see the relationship last a long time.
deleted by creator
It’s not at all software preferences. It’s not that I would tell “matrix or I don’t want to see you again”, it’s “switch from that chinese spy tool or we better break up”, as there will be a lot of other things we won’t be able to agree on. Facebook is not even that bad as wechat.
See? It’s not “software preferences”. It’s differences in personal values as big as a chasm. It’s that I value my privacy, and am not willing to give it up, at least absolutely not that much of it. If our values are so very different, that’s a good sign that you shouldn’t ignore.
And then, I’m not sure where you read about a multi-year relationship. I don’t think such a question as OP’s would pop up after multiple years of being used to it.
switch from that chinese spy tool or we better break up
“Hey babe, you know that app which is your only way of communicating with your family and friends back home? Yeah well I’m breaking up with you if you don’t ditch it.”
Obviously I did not mean to delete the app, but instead to not force you to use it, but I guess it’s just easier to read it in a malicious way.
Relationships (of all kinds) are about compromise. You have to recognize that outside of the echo chambers in communities like this one, literally nobody cares about digital privacy to the extent that us nerds do. So you can choose to be dogmatic in your approach and alienate yourself from the >99% of people in the world who don’t care, or you can recognize that your own desires for digital privacy need to be weighed against your desires to form meaningful connections with other people.
Personally I prefer to be pragmatic in my approach. I do what I can to look after my privacy within the constraints of actually doing what I need to do to connect with other people. That’s why I made this post. My mind is made up that I’m going to at least try to use WeChat, but within that constraint, I want to do everything in my control to limit the app’s visibility into the rest of my system.
Relationships (of all kinds) are about compromise.
Exactly. As I have understood, she is not willing to use an other messaging app. It seems as if only you are ready to have a compromise.
to the extent that us nerds do
This is not “not caring to that extent”. This is not even just not caring at all. This is straight out ignoring and nullifying any and all concerns of one of the parties over privacy, by the other one.
So you can choose to be dogmatic in your approach
The only dogmatic thing here would be to say “only matrix”, or “only signal”, or whatever. As I understand you have attempted to offer multiple options.
people in the world who don’t care
It’s mostly irrelevant if they care about it. In a healthy relationship no one is The Boss whose decisions must be accepted. Instead if one party does not care about something, but the other very much does, they can accept that and live with it, if that’s not a terrible choice. For example if your wife does not want to eat meat, would you force them to do so, because you don’t want to deal with making meatless meals? I often eat meat, but I would be ready to give it up regularly doing so if need be. Or if they don’t want to deal with the selfhosted media store, ok, fine, let her keep her Netflix subscription. This however, is not about pleasures, but about giving up or not human rights important to me.
In this situation however, it sounds like as if your girlfriend with be “The Boss”
deleted by creator
when you appear to have very little experience yourself.
I did not say neither mean that.
You could sandbox it into a work profile that doesn’t have access to your main profile. Storage is completely segregated, and the work profile can be easily disabled when you’re not using it.
The best solution is obviously to choose another platform and convince your girlfriend to use that, explaining how this little extra effort on her part to use another app goes a long way with you in terms of appreciation and understanding of a partner’s boundaries and comfort zone.
Shelter is an android app that helps making sandboxed apps
Yeah this is what I use to create and manage a work profile on my device to keep my personal and work data/apps separate.
FWIW, WeChat and 微信 are different apps. With a non-Chinese phone number and Google Play Store download, you’ll be using the international one (WeChat) instead of the Chinese one (微信). There are still privacy concerns, but it’ll be less invasive than what you’d have with the version that people in China are buying their groceries with and stuff.
I’m sorry I don’t have advice for how to actually protect yourself, though… I’ll be keeping an eye on this thread to see what I can learn.
That’s a great point, thanks! I will definitely be using the international one. I expect since I’m getting it through Google Play it’ll be constrained based on the OS permissions I give it. And I don’t intend to give it any permissions
I expect since I’m getting it through Google Play it’ll be constrained based on the OS permissions I give it
Getting it through google play or not does not constrain anything more or less.
And I don’t intend to give it any permissions
Hopefully it won’t require any to be able to keep using it
Ah, that’s interesting and makes sense. So I guess your best option (if you must use WeChat) is to use the international version of the app with as many permissions disabled as possible.
Or maybe look at the Matrix WeChat bridge? https://matrix.org/ecosystem/bridges/wechat/
I’ve heard of matrix bridges before but I’m unfamiliar with how to actually set them up and use them. I understand the basic idea is that they relay messages out of matrix and into some other messaging service, but I don’t understand how to actually enact that onto the element client on my phone. Matrix is so complicated 😅
I’ll level with you… I’ve never used Matrix either. 🤣 But all the cool kids around these parts recommend it, and I fundamentally agree with the cause of the project and saw they had the WeChat bridge, so thought I’d mention it.
I stopped using every messenger besides signal and Matrix. Even my not tech savy parents are using signal now - its in my opinion the better solution to stand your ground and may push others into using the better apps
Maybe get a girlfriend that isn’t a brain washed spy? \s
Just use a different app then? You don’t need to come up with some high tech solution. She won’t use that anyway. But something simple like signal should be sufficient.
Maybe get a girlfriend that isn’t a brain washed spy? \s
Listen here, I like my qt tankie sleeper cell gf. As long as she doesn’t hear anyone say the activation phrase, she’s very sweet.
For real though, this app is pretty culturally ingrained over there and so I don’t really have the option of pushing something else (we all know how real messaging app fatigue has gotten these days). Especially when other apps will be restricted whenever she travels home, and we want something that can serve as a backup when other communication methods aren’t an option. I’m pretty sure WeChat will work through The Great Firewall, so it’s ideal for our purposes. I have no idea if the same can be said for WhatsApp or Signal.
If you love her (and it seems like you do) talk to her openly about your concerns and suggest something else. Heck, even set up a Matrix user for each and tell her you want to use that exclusively for both of you as a romantic gesture. That’s how I got my wife on Matrix (Element).
If you really want to isolate it, grapheneOS lets you put it in its own profile almost totally isolated from anything in any other profile.
But you probably don’t want to buy a g! Pixel.
You could buy a separate phone and only run that app on it. Hassle but it would be secure.
This is good advice. But you can have work profiles on any Android phone. Not just grapheos. Look at shelter in fdroid to get started
If you are serious with this relationship (or you expect to still have Chinese partners in the future), I strongly recommend you buy a separate device for all the Chinese spywares required to maintain communication with your partner(s). At some point you will have to enter China, and it is best that you take only this device with you into it then.
I’ll cross that bridge when I get to it. If I’m going to do that I might as well buy the burner phone once I’m actually in China rather than preemptively get one now. I like her a lot but I’d say we’re at least a year away from going to China together.
The good thing about getting one from the start is that you can set it up to your liking from the get-go and won’t have to do it later. You’ll also get used to using it daily and see how managing two devices works for you.
Brace yourself for a weird recommendation:
Don’t worry about it or switch to ios.
You’re on a different marketplace for phone apps than chinese nationals so you’re not getting the same wechat as they are. If you trust your platforms marketplace and your phones security and privacy tools then just don’t worry about it and use them like a normal person.
If you don’t trust your platforms marketplace or security and privacy tools, switch platforms.
It doesn’t seem from your responses in this thread that you’re in a good spot right now to learn everything required to root and run an alternative os securely and act as your own security auditor. Not a value judgement, I’m not in a position to act as my own diesel mechanic. That’s why I said maybe switch to ios if you feel exposed by stock android instead of saying you ought to try to navigate the alternate os/custom rom world.
It might seem like some people in the replies have given good walkthroughs, and they definitely have, but at some point you’re gonna have to make a decision about something that either isn’t documented on a wiki or no one responds to questions about.
Maybe the best choice is to either not worry about it or switch platforms and no matter what you choose, put the phones security and privacy tools to use and be more considered and self aware about how you use your phone.
E: Jesus Christ. Some of the responses you’ve gotten are astonishing. Maybe ask in hexbear or something just to get an alternative view.
Yeah I ended up installing it in an Android work profile using Shelter, and it is a disaster of an app. I expected a lot more of a professional looking app given how popular the WeChat service is and how big of a company Tencent is, but it’s like a shittier WhatsApp. It’s not even localized properly, a bunch of strings in the app (like error screens and stuff) are in Chinese, and the English is poorly translated. The mechanism to reply to someone’s message is unclear (it’s not just long pressing or dragging on a message like in other apps), and you can’t send a reaction emoji to a message.
It’s always funny to me how people assume the most half-assed software the world has ever seen somehow carries incredibly advanced and impossible to detect tracking deep inside it.
Like we have t-1000 at home! T-1000 at home: that bucket robot that got murdered in Philly.
I just saw you’re from .ca, you may have to make an alt to ask but 100% ask on hexbear. There’s people on there who have dealt with wechat and phones going to and from china and won’t be near as overtly weird and racist as some of the responses here. Maybe differently overtly weird.
use https://f-droid.org/packages/com.oasisfeng.island.fdroid/ (work profile) to isolate. and use a pay as you go number to register (rather than you commonly used one). do not grant any permission. set background restriction to strict. force stop it after every use. i think that would be enough
Why don’t you use a better messaging app? If not matrix, then signal? Even telegram is better compared to both wechat and sms.
She’s not very tech savvy at all. It would be asking a lot. I’d rather stick to something she is comfortable with.
One does not need to be tech savvy for that. All 3 are not like a terminal controlled operating system, but a normal messaging app. But if you are ok with giving up privacy, I shouldn’t tell you what to do instead.
Weird perspective for someone using Google services lmao.
Android does not mean Google necessarily.
He talks about using stock android in one of the comments.
I mean 1 mega corporation having all your data is better than two
And you’re not concerned about Alphabet, Microsoft, Meta or even the NSA?