Police forcing me to install Jingwang spyware app, how to minimize impact?


This is a tricky one. It goes without saying, but it's also a dangerous one. Attempting to circumvent these restrictions and getting caught doing so will potentially cause a lot of legal trouble. If they throw people in jail for refusing to install the app, I wouldn't want to figure out what they do to people circumventing the app restrictions. It is especially relevant because even experts in tech security have gotten caught by their governments despite extensive safeguards (the founder of Silk Road is a great example and is now serving a life sentence). Granted, evading this app is most likely a much less serious "crime", but the Chinese government isn't exactly known for lenience here. So while I would like to answer your question, please don't take this as me suggesting that you actually do any of this. I consider myself a tech expert, but I still wouldn't do it.

Still, to answer your question, you have a few options. I won't bother mentioning the "Get a second phone" option because you've already ruled that out.

1. Virtual Machine/Dual Boot

There are some options for "dual booting" Android phones. I don't have any examples to immediately link to (software suggestions are off topic here anyway), but there are options. If you can get your phone to dual boot, then you can install the tracking software on one ROM and do all your personal stuff on the other. You may need to put some basic information on the ROM with the tracking app installed just so you don't raise too many flags.

Of course there are still risks here: risks that they might reboot your phone and notice, risks that they might realize you have a completely different system installed next to the tracked one, and the simple risk that you would go out and about and forget to reboot into the "tracked" system, allowing a police officer to find and install the tracking app on your actual system.

2. App modification/interceptors

If this app creates enough bad press, it is possible that anti-tracking apps or hacked versions of this app may start floating around that try to automatically protect you from it. I would not expect there to be any general tools already available that would protect you from this, so this is something that would simply take lots of googling or (perhaps) requests to the right people. This has a major downside: unless you are an expert at reverse engineering, there isn't much you can do to make this happen. It's also hard to estimate what the risks of detection are. That will obviously vary wildly depending on the skill level of the person who put it together.

3. Server Spoofing

Depending on your level of technological know-how, you might be able to put something together yourself (note: this is not for novices). Based on what I know and my experience in this area, I'm going to try to summarize some details about what a server-spoofing measure might look like. Again, I'm not summarizing this because I think you should do it, but because understanding how things like this operate can be generally informative and also help you understand the risks therein.

Built-in security

First, we need to understand how this spying app might secure itself. From all information available so far, the answer is "it doesn't". This is a pretty simple conclusion to come to because the app communicates exclusively through HTTP. It is very easy to intercept HTTP requests, either from the device itself (if your phone is rooted) or with network sniffing tools on a computer attached to the same network as the device. Most likely it is also very easy to figure out how the app authenticates itself with the end server and how the end server authenticates itself with the app. In all likelihood there is no authentication in either direction, which means that spoofing requests in either direction is trivially easy. This might be hard to believe (given that a country like China sets aside lots of resources for invasive technology like this), but the reality is that if the people who developed this app wanted to secure it from outside tampering, using HTTPS for transit would be the very first step to perform. It is cheap, easy, and very effective. The lack of HTTPS means that it is very likely that there is no actual security in this ecosystem, which is a plus for anyone trying to evade it.

Sniff all traffic coming out of this app to determine what requests/responses it makes

This is the first step. By watching the traffic leaving this app (which can be easily intercepted in the network itself since there is no SSL encryption) you can figure out what requests it sends to the destination server and what responses it expects back. Understanding the underlying API is critical, but easy due to the lack of encryption. This will also let you know if there is any authentication happening in either direction. If there is, you can at least see the full request and responses, so you can most likely figure out how to spoof it. It is possible that there is some hard-to-reverse-engineer authentication going back and forth, but again, given the lack of basic encryption, I doubt there is any such thing built in.

Figure out if the app is talking to a domain name or IP address

The destination server the app is talking to is either found via a DNS lookup or has its IP address hard-coded in the app. In the event of the former, you can edit the DNS for your Android phone to repoint it to a different server, including one running on your phone. In the event of a hard-coded IP address, you will similarly have to redirect all traffic to that IP address to your local Android phone (presumably you can do this with Android - you can with other operating systems - but you would definitely have to root your phone).

Set up a replacement server

You then set up a local server that responds to all requests just like the real server did in your initial sniffing. You would have to get this server to run on your phone itself, so that it is always available. This doesn't necessarily have to be complicated (although that depends on how detailed the actual server interaction is), as you don't actually care about keeping any data on hand. You just need to make sure that you provide valid responses to all requests.

Risks:

  1. The app may auto-update itself (although your mock server may make this impossible) and point to new domains/IP addresses, suddenly removing your protections.
  2. If there is auto-update functionality and you end up unintentionally killing it (which would be good per point #1 above), a police officer may notice that it is not properly updated, flag you for "extra" checking, and discover what you are doing.
  3. They may do server-side tracking and discover what you are doing because they don't find any data on their end for your particular IMEI (because your mock server acts like a black hole and sucks up everything). Even if you send spoofed requests, there will be easy ways for them to determine that (imagine the police copy a blacklisted image to your phone and discover that the app doesn't block/report it).
  4. They may have root checking in the app itself, which will cause you problems.

Actually, that's it

I was trying for a longer list, but that is really what it all boils down to. Short of not carrying around a phone or purchasing a separate one, these are about your only options. For reference, I haven't gone into details about the server spoofing because I think you're necessarily going to go out and do it. If anything, I've gone through it because it gives an opportunity to talk through the risks in more detail, and those should make it clear that there are a lot of risks. Even if you find a solution from someone, they have to deal with all of these same risks (or ones like them). Right now this app sounds like it is poorly executed and easily fooled, but depending on how much the Chinese government decides it cares, that could change very quickly. At that point in time, not getting caught basically turns into a cat-and-mouse game with the Chinese government, and that isn't realistically something that someone can continue to win for an extended period of time. There are a lot of risks, so tread lightly.