Network Security Issues in RedNote - The Citizen Lab
citizenlab.ca
Our first network security analysis of the popular Chinese social media platform, RedNote, revealed numerous issues with the Android and iOS versions of the app. Most notably, we found that both the Android and iOS versions of RedNote fetch viewed images and videos without any encryption, which enables network eavesdroppers to learn exactly what content users are browsing. We also found a vulnerability in the Android version that enables network attackers to learn the contents of files on users’ devices. We disclosed the vulnerability issues to RedNote, and its vendors NEXTDATA, and MobTech, but did not receive a response from any party. This report underscores the importance of using well-supported encryption implementations, such as transport layer security (TLS). We recommend that users who are highly concerned about network surveillance from any party refrain from using RedNote until these security issues are resolved.
Key findings
  • We analyzed RedNote on Android and iOS for network security issues and found that all versions of RedNote fetch viewed images and videos over HTTP, which enables network eavesdroppers to learn exactly what content users are browsing.
  • Some versions of RedNote contain a vulnerability that enables network attackers to learn the contents of any files that RedNote has permission to read on the users’ devices. This issue was introduced by an upstream software development kit (SDK) used by RedNote, NEXTDATA, but is not present in Android versions downloaded from the Google Play Store nor in the iOS version.
  • All versions of RedNote that we analyzed also transmitted insufficiently encrypted device metadata, sometimes over TLS without certificate validation, enabling network attackers to learn device and network metadata, such as device screen size and the mobile network carrier. This issue was introduced by an upstream SDK, MobTech.
  • We responsibly disclosed the relevant issues to NEXTDATA on November 13, 2024, to MobTech on November 26, 2024, and to RedNote on January 16, 2025. At the time of publication, no party had responded to our disclosures.
  • All the issues we discovered could be mitigated through the use of TLS. Yet again, this work highlights the importance of using well-supported encryption implementations.
  • Emotional (he/him)@lemmy.blahaj.zoneEnglish
    31·
    17 hours ago

    I’m not particularly worried about those vulnerabilities. Unfortunately, they are pretty common AFAIK, but at-least they pretty much only open a backdoor within whatever network you’re connected to, and can be mitigated with a VPN.

    IMO, there’s much bigger reasons to be worried about RedNote than security or even privacy.

    • aleq@lemmy.worldEnglish
      2·
      3 hours ago

      IMO, there’s much bigger reasons to be worried about RedNote than security or even privacy.

      What are those reasons?

  • Xanza@lemm.eeEnglish
    41·
    20 hours ago

    I’m skeptical. Citizen Lab is great, but just because they didn’t reply doesn’t mean these issues weren’t worked on or fixed. They tested 8.59.2 and the current US version is 8.59.5 with the current Chinese version being 8.70.6.

    There’s been dozens of updates since the test, so it’s hard say if these test are even valid anymore. Additionally;

    Network attackers can read users’ file a contents on the Android versions of the application available for download on RedNote’s website and on the Mi Store, but not in the version downloaded from the Google Play Store or the iOS version.

    The major security issue isn’t even possible as long as you get them directly from the Play Store.

  • sbvEnglish
    5·
    22 hours ago

    Citizen Lab is a national treasure. I really enjoy reading about what they do.