Our first network security analysis of the popular Chinese social media platform, RedNote, revealed numerous issues with the Android and iOS versions of the app. Most notably, we found that both the Android and iOS versions of RedNote fetch viewed images and videos without any encryption, which enables network eavesdroppers to learn exactly what content users are browsing. We also found a vulnerability in the Android version that enables network attackers to learn the contents of files on users’ devices. We disclosed the vulnerability issues to RedNote, and its vendors NEXTDATA, and MobTech, but did not receive a response from any party. This report underscores the importance of using well-supported encryption implementations, such as transport layer security (TLS). We recommend that users who are highly concerned about network surveillance from any party refrain from using RedNote until these security issues are resolved.
Key findings
We analyzed RedNote on Android and iOS for network security issues and found that all versions of RedNote fetch viewed images and videos over HTTP, which enables network eavesdroppers to learn exactly what content users are browsing.
Some versions of RedNote contain a vulnerability that enables network attackers to learn the contents of any files that RedNote has permission to read on the users’ devices. This issue was introduced by an upstream software development kit (SDK) used by RedNote, NEXTDATA, but is not present in Android versions downloaded from the Google Play Store nor in the iOS version.
All versions of RedNote that we analyzed also transmitted insufficiently encrypted device metadata, sometimes over TLS without certificate validation, enabling network attackers to learn device and network metadata, such as device screen size and the mobile network carrier. This issue was introduced by an upstream SDK, MobTech.
We responsibly disclosed the relevant issues to NEXTDATA on November 13, 2024, to MobTech on November 26, 2024, and to RedNote on January 16, 2025. At the time of publication, no party had responded to our disclosures.
All the issues we discovered could be mitigated through the use of TLS. Yetagain, this work highlights the importance of using well-supported encryption implementations.
I’m skeptical. Citizen Lab is great, but just because they didn’t reply doesn’t mean these issues weren’t worked on or fixed. They tested 8.59.2 and the current US version is 8.59.5 with the current Chinese version being 8.70.6.
There’s been dozens of updates since the test, so it’s hard say if these test are even valid anymore. Additionally;
Network attackers can read users’ file a contents on the Android versions of the application available for download on RedNote’s website and on the Mi Store, but not in the version downloaded from the Google Play Store or the iOS version.
The major security issue isn’t even possible as long as you get them directly from the Play Store.
I’m skeptical. Citizen Lab is great, but just because they didn’t reply doesn’t mean these issues weren’t worked on or fixed. They tested
8.59.2and the current US version is8.59.5with the current Chinese version being8.70.6.There’s been dozens of updates since the test, so it’s hard say if these test are even valid anymore. Additionally;
The major security issue isn’t even possible as long as you get them directly from the Play Store.