Is Reliance Jio sending unsecured Indian data into China?

The Wire
June 19, 2015

A group of hackers calling itself AnonOps India on Thursday tweeted what it called evidence of the Reliance Jio Chat app transmitting geolocation data to Chinese servers – a potentially illegal act that compromises user privacy because the data is being transmitted through an unsecured connection. The purported exposé was possible after AnonOps members decompiled the binary code running in the app, an intricate piece of reverse engineering which in turn is also illegal.

The group had launched a video on YouTube on June 13 alleging that the Reliance Jio enterprise was engaging in widespread surveillance and privacy violations, and that the group was launching Operation Reliance (#OpStopReliance) in an effort to corroborate its allegations. The latest volley in this campaign is the geolocation data transmission.

AnonOps India posted screenshots to Facebook, Twitter and its Tumblr showing data – not necessarily geolocation data – being sent to Chinese IP addresses via an HTTP connection. Trak.in had reported that the addresses were 124.193.183.96:8086, poc.gongsunda.com:8083, www.rsocial.net:8087 and acp.jiobuzz.com:8090.

HTTP is a protocol that transmits textual data between two nodes using hyperlinks. The secured version of this protocol is called HTTPS, whose use on a website is popularly indicated by an image of a lock placed in or near the URL bar. That the data was transmitted to Chinese servers at all is of little concern – Facebook, for example, regularly redirects user data through servers in the US. The concern is that the data was not encrypted, being sent through an HTTP and not an HTTPS connection, putting it up for grabs for anyone with the know-how to find it.

Their tweets prompted Gautam Chikermane, New Media Director of Reliance Industries, Ltd., to retort that AnonOps didn’t know what it was talking about, that its data had always been encrypted, and that the group was wasting Reliance’s time. However, security experts weren’t convinced. Specifically, Chikermane had said the transmitted data had always been encrypted by “binary encoded protocol”, and that the app had recently been switched to using AES (Advanced Encryption Standard).

Aditya Anand, the founder of a software services firm in Mumbai, clarified that HTTPS was for data transfer over the Internet and AES for saving data, probably on disk, and that there was no excuse for not using HTTPS because AES didn’t forestall the risks that only HTTPS could guard against. He added that implementing great software security could be a nightmare. If that lets Reliance off the hook just a little bit for sending unencrypted data into China, it climbs back up by sending it into servers that aren’t using HTTPS either, and by denying anything is amiss.

Apart from Chikermane’s tweets, no official statement has emerged from Reliance Industries, Ltd. He, however, also said that the data was being sent to China from within the app for users there, billing Jio as a global product. China doesn’t allow Google Maps in the country’s network so apps that seek to provide geolocation facilities must rely on Chinese services, he added. In reply, AnonOps asked why data was being transmitted from India to China and why they were accompanied by errors logs in Chinese.

The dust on this debate hasn’t settled yet. It was only a month ago that Reliance had announced it was launching 4G-enabled mobile devices priced around Rs.2,000 – a bargain any which way – and signalled Mukesh Ambani’s intentions to re-breach the telecom market. Reliance had also said that it was in talks with cheap handset manufacturers like Huawei and Xiaomi in China for hardware support.