A recent investigation has unveiled an app being used to check foreigners' phones in Xinjiang. Concerns about such tools being used elsewhere in China have also led to a new tool to undermine these surveillance efforts. So how much do you need to fear for your digital privacy in China?

The latest reports -- the result of an investigation involving five media organizations -- deals specifically with an app used to check phones at the Kyrgyzstan-Xinjiang border in western China.

The investigation uncovered that Chinese border police have been using a forensics app, called Fengcai or BXAQ, to check the phones of foreign travellers. The app reportedly uses a list of more than 73,000 items to scour devices for various documents, videos, photos and audio. The list includes files related to religion, especially Islam, and some pretty bizarre things like music from Japanese metal band Unholy Grave, according to reports.

The news is the first one to confirm that tools like this have been used against foreigners in addition to Chinese citizens, but rumors and reports about similar apps have been swirling around for a while. In fact, some netizens are already fighting back by building their own tools to counter China’s intrusion into people’s digital privacy.

One app said to be similar to Fengcai is called MFSocket, and an anonymous developer has already created an anti-hack tool to try to thwart it.

The developer told us that a person in China discovered MFSocket after being checked by the police in a subway station.

“I asked him to send it to me,” the person said. “Then I spent an hour writing this thingy.”

The result was an app that’s supposed to replace identifying information picked up by mobile forensics tools with false data.

Abacus was unable to verify whether the phone check cited by the developer actually happened. However, in late June, many people in China were alarmed by a video circulating online of policemen allegedly checking the phones of random subway passengers.

The grainy video showed policemen standing at one of the exits of a Beijing subway station and checking passengers one by one. Beijing police refuted the claims, saying that it was only checking ID cards.

Image shows police officers stopping passengers at Beijing’s Dongzhimen subway station on May 28th, 2019. Checks have become a regular sight at this station. (Picture: RF Parsley/Twitter)

Harlo Holmes, director of digital security at Freedom of the Press Foundation, noted that run-of-the-mill beat cops usually don't have the forensic know-how to deeply analyze a phone. They could be checking photos of IDs or screening for certain apps and suspicious images, she added. The police said they were using official phones designed to check IDs.

“Ultimately, it doesn't matter -- any surveillance, no matter how brief or incomplete, is surveillance,” said Holmes. “And it's an affront to privacy everywhere.”

Even before this incident, MFSocket has been popping up in other anonymous online testimonies, as gathered by ChinaFile editor Muyi Xiao. Now news of the Fengcai app is adding to concerns after the detailed report from The Guardian, Vice’s Motherboard, The New York Times and German media Süddeutsche Zeitung and NDR.

The tool is ostensibly being used to combat extremism in China’s Xinjiang province, where the country’s Muslim Uygur minority is heavily monitored and believed to be subjected to mass detention and human right abuses. Media has already reported on the use of mobile surveillance apps in the region.

A report from Human Rights Watch published in May 2019 found that apps such as WhatsApp, Viber and virtual private networks (VPNs) are among the 51 network tools said to raise suspicions among Xinjiang police. (Picture: Greg Baker/AFP)

It’s not surprising that there might be multiple apps with this functionality. China is home to quite a few companies that create mobile forensics software.

There is Meiya Pico, the company believed to be behind MFSocket (Abacus has reached out to Meiya Pico and will update if we receive a reply) and Starry Sky, the company behind Fengcai. Many, like Anxintech and Huayi, sell their equipment to the Chinese government. Some even export the tech to other countries, like the oddly-named Smile, where such tools could also be used by law enforcement.

Proponents argue that the tools help find evidence of crimes, such as child pornography. However, their use is considered controversial. In many countries like the US, searching electronic devices requires a warrant (unless you’re crossing the border, in which case refusing to unlock your device could get it confiscated for weeks).

Much of the concern stems from how incredibly invasive it is to search through someone’s personal phone these days. According to the investigation, the Fengcai app collects a phone's calendar entries, phone contacts, call logs and text messages, then uploads it all to a server. MFSocket was found to behave similarly.

But there are ways to protect yourself, which for regular travelers may simply mean limiting the type of content on your phone.

Warm reminder: Do not set your password to 123456. (Picture: Shutterstock)

“People who need to take extra precaution gathering media (like photos and video) might want to look for apps that strongly encrypt content, upload them to the cloud immediately, and do not save originals in their unencrypted form directly on the device (i.e. to your media gallery or camera roll),” Holmes said.

As for defending yourself with an anti-police tool, experts warn it’s a solution with its own dangers. One such app requires rooting your device, which could make it less secure. Rooting might make it easier for forensics apps to get around your phone’s security settings and could also make it harder to get rid of malware.