Are Chinese android OEMs unsecure?

I am looking for SECURITY advice. i am currently using an Android phone from a China-based OEM that still receives security updates albeit 1-2 months delayed.

There have been reports of possible back-doors in Chinese android phones 1,2. Is there any validity to these claims or is it just powered by FUD and “China bad” ?

I am not in China. My threat model is remote targeted surveillance by the state that i reside in and protection against physical access. I believe that i am currently under some form of surveillance as i have received some tips with that information. It is a fascist state that goes after anyone who is vocally critical of their policies. Their use of pegasus against high level targets has been documented before. They also deploy DPI systems for mass surveillance.

I don’t want my communications over encrypted apps (Signal, WA) to be compromised. I am not a high level target and i am not trying to be anonymous. I do not know enough about the subject to determine what kind of surveillance i am currently subjected to.

These questions come to mind:

  • Do i need a phone that gets instant security updates ? (Google & Apple)
  • If i go for a pixel, is the stock OS safe against my threat model ?
      I am willing to compromise on privacy for a secure phone that “just works”.

Your input is appreciated. Thanks.

Following.

‘‘Is there any validity to these claims or is it just powered by FUD and “China bad” ?’’
Its as valid as claims that google pixels have back-doors or windows have back-doors.So yeah its mostly part of the red scare.
‘‘Do i need a phone that gets instant security updates’’
If your threat model is a fascist state?Of course you need the most immediate and best updates(i also guess its either Ukraine or Israel because of mentioning of pegasus)
‘‘If i go for a pixel, is the stock OS safe against my threat model’’
Maybe.Graphene os have much better protection against physical access.Better be safe then dead.
‘‘secure phone that “just works’’
Graphene os on pixel is definition of a phone that both secure and just works.

4 Likes

Well that’s 1-2 months for those exploits to be used against you I guess. Make of that what you want.

One is an opinion piece the other is a report that links to three crappy phones. Huawei typically doesn’t allow you to flash alternative OS or unlock bootloader on modern devices, Xiaomi doesn’t allow you to re-lock the bootloader with custom root of trust like GrapheneOS. Xiaomi devices running alternative OSes also doesn’t support verified boot which means no verification during boot flow or dm-verity. We don’t recommend LinageOS as those are typically userdebug builds with weakened SELinux policies.

If I remember correctly Xiaomi also has quite a lot of analytics in their official apps anyway and aren’t known for privacy. We recommend Divest OS as a harm reduction effort.

Just get a pixel if you can.

The pixel 8 series have 7 years of updates which is probably more than you’ll get with those chinese vendors.

4 Likes

Can share a few things. First, China is a bad country for privacy, as the government could compell to install backdoors. Second, it depend wheter you purchase the chinese version (ROM) or the international ROM. Third, I purchased a Xiaomi (Chinese ROM) and the security updates come in quarterly batches or so. Fourth, this Xiaomi ROM need me to complete ID verification to unlock it to put another OS. That being said, Xiaomi is the only major OEM that allows fastbooting AFAIK. Five, Xiaomi had a scandal where their browser sent some data home, but after a backlash they “fixed” it. Six, Xiaomi permissions management is more fine-grained than Samsung

For any mainstream phone, use Universal Android Debloater Next Generation to remove the bloatware. I am actually writing a guide on this.

3 Likes

This simply uninstalls for current user, doesn’t remove from system partition. It’s really no better than just “disabling” the app with the UI as I pointed out in this post.

I disagree though. First, there are many apps that you can’t even disable or even see, so this is useful to remove them. This removes them from user0, so indeed they would come back in a work profile or another profile.

I personally removed many Samsung System Apps, like Contacts and replaced them with an FOSS alternative. On Samsung, you can’t even disable the news app, so ADB is very useful.

Of course if you have a Pixel, download Graphene. But you need to realise that Google Pixel Android is far less restricted than other ROMs, so your claim that you can just disable in the settings is partially wrong.

3 Likes

Figures samsung would do something like that. Even in the stock Google OS you can normally disable all those things. It has been a while since I’ve owned a samsung device, because theyr’e generally just quite terrible for privacy/alternative OSes (esp with all the bixby thing).

3 Likes

Removing apps with ADB is putting your head in the sand when you still have a bunch of daemons running in the background.

If it is your only option, then fine, but it overlooks a lot.

6 Likes

Not death, you will just get disappeared and get a good old zapping.

AOSP is functional but bare bones, It misses a lot of the niceties that you come to expect from a modern device. In my opinion it still seems stuck in the Android ~8 era.

My current device is a oneplus (international version) which also doesn’t support relocking the bootloader with custom roms but does support verified boot. This makes it unsecure against physical access though.

Is there an overlap between “Play system updates” (project mainline) and OTA system updates from the manufacturer? or do i still need both to be up to date to patch all vulnerabilities? I didn’t find much info about this from my searches. If we disregard the spying claims then this question might be the determining factor for a phone switch for me.

I note the count of issues patched via Play System updates here: Patch Counts - DivestOS Mobile

edit: replaced with updated table

3 Likes

Just my 2 cents, i am just a normal user with little tech knowledge, the “Souces” I supplied are not research papers so take with a (huge) grain of salt.

If your concerns including your device being decrypted by your own government, look away from brands like Xiaomi and Samsung, consider Apple iPhone & Google Pixel instead (1).

One thing people might overlook is the CA your phones installs. I don’t own a Chinese brand device so I cannot check myself but I would suggest you go through the certificates, lookup each authority and remove anything you find uncomfortable with. I personally remove all CA issued by companies within several countries.

If you don’t care your data being scooped by Chinese Big Tech and being sold back to other Big Techs, and potentially affect what you see when you search and browse the internet, which would be leveraged to track you down(2), and keep seeing ads in your phone, you don’t need to worry about China too much, unless China is a friendly state of your home country.(3)(4)

The bloatware that chinese brands includes also open a giant attack surface as Chinese Apps are both privacy and security nightmare in general.

If you believe you are more than just Normie, get an iPhone / Pixel device and be cautious about what you install on your phone(s).

As always, your usage habit will determine the final outcome.

1 Like

This is satire, right ?

There is only little you can do when having a Mainstream phone, so hardening it, be cautious, etc. might only make it 50% safer and more private, as the other 50% is all the closed source spyware that you can’t remove. The CA tip is good, although.

Thanks for the sources, the Wired article looks quite interresting.

Um, its like holes in the bucket.

Wow that’s way worse than i thought. Mainline offers no improvement in terms of timely security patches. That seals the case for getting a pixel then. Thanks.

They are friendly with the Chinese. I believe sources 3 & 4 point to the same link that mentions xiaomi stock browser spying.

2 Likes

Of course it isn’t true. Any vulnerabilities inside the software would have been detected already. Those companies have no incentives to implement backdoors. I also think that nowadays RAM is encrypted (as is memory) and so the amount of information of a compromised CPU will be limited. Of course, they will break encryption, but to do anything with that will require an enorm amount of engineering, likely reserved for high targets. Don’t fall for Fear Uncertainty and Doubt (FUD). It’s impossible to argue against someone who is saying “we don’t have prove it’s safe + they look like they would do it for x (subjective) reason”.

Since US law can’t force companies to implement backdoors, I don’t except them to.

I own a Chinese ROM Xiaomi device. In short, yes Chinese android OEMs are insecure. Chinese phones are insecure too.

  1. lack of hardware security chips like Titan/Knox
  2. poor bootloader unlocking policy
  3. priviledged OEM apps. This is the most severe problem. These apps often have lots of vunerabilities and cannot be removed. Report 1 2 . It’s basiclly frontdoor rather than backdoor.
  4. late and maybe incomplete security updates.
3 Likes

I recommend installing a custom rom like divest os.

The verified boot of some Chinese phones are flawed and the os usually have a lot of bloatware and reskins. MIUI even has their own analytics enabled by default.

2 Likes

That’s what happened as well with my old Xiaomi with global rom, unlocking the bootloader requires you to login to your Xiaomi account.

1 Like