Future Tense

This Popular Chat App Will Not Keep Hong Kong Protesters Safe From Spyware or Surveillance

Tens of thousands pack the streets at the protest site on Oct. 2, 2014, in Hong Kong.

Photo by Paula Bronstein/Getty Images

A version of this post originally appeared on Global Voices Advocacy.

On Monday, Sept. 29, social media enthusiasts and Western media outlets unleashed a flurry of stories about pro-democracy protesters in Hong Kong using the chat app FireChat to stay in touch without being surveiled. But many of these accounts exaggerated the popularity of the app. That’s a relief, because the articles were riddled with misconceptions and false hopes of security.

First off, FireChat is not a messaging app. FireChat is a chatroom, a platform to send insecure and public messages to people over the Internet or within your geographical vicinity.


Once installed, the app requires the user to sign up with her real name (which will be pre-filled with the name she eventually configures on her iOS or Android phone), a username, and an email address. When logged in, a user can join chatrooms, create new ones, or start directly sending messages to everyone in her vicinity who is also connected to FireChat. These direct messages relay from one phone to another through Bluetooth technology. When rumor had it that authorities planned to shutdown mobile networks, FireChat was advertised as a way to chat while “off-the-grid,” as it doesn’t necessarily require an Internet connection.


Not exactly.

FireChat is not secure. It is not designed to preserve user privacy, nor the security and confidentiality of user messages.


FireChat has no system for user authentication. There is no way to verify the legitimacy of messages that appear to have been sent by a protest coordinator or reporters. An attacker could easily impersonate a prominent individual and either spread false information or spread links to download and install spyware.

Security researchers familiar with the technology recommend that activists not to use their real names and avoid sending messages with information that is private or sensitive. There may be infiltrators among the protesters collecting messages through FireChat, which are both stored on your device as well as sent over the network unencrypted. (For more detailed analysis of FireChat, read this study from the University of Toronto’s Citizen Lab.)

There are inherent security risks to using Bluetooth. In general, whether or not you’re using FireChat, having Bluetooth enabled can further expose your phone to attacks, as well as provide means to infiltrators to enumerate and identify connected phones among protesters. In fact, recent days have seen numerous reports of spyware attacks against protesters in Hong Kong.


While some of them are probably groundless, there are credible reports of widespread messages specifically crafted to lure Occupy Central and Hong Kong Student Strike protesters to download and install apps that appear designed to coordinate protests, while in fact they are spyware designed to record phone calls, steal emails, and capture contacts, as well as tracking of your geographical position.


FireChat isn’t the only app protesters need to be careful with—one of these attacks was massively distributed over WhatsApp (which was recently purchased by Facebook). Protesters should be cautious when receiving messages suggesting that they download and installation of applications.

While reports thus far suggest malware is being sent only via WhatsApp, it’s plausible that similar attacks could be distributed through other means including forums and emails, as well as FireChat.


So what should protesters do? Here are some tips from the experts from the Tibet Action Institute, which has issued a CyberSuperHero security toolkit, available in Chinese and English for mobile and fixed line Internet connections. But the basic idea is:

1. Don’t tap on unexpected links sent via SMS, Bluetooth, or group chat broadcast messages from unknown sources.

2. If you don’t need your phone to be connected, set it to airplane mode—you can still take pictures, but it will be harder for you to be tracked or spammed.

3. Make sure to set a PIN or password on your phone, in case you are detained or it is stolen. It will help protect any data related to your friends, groups, networks.

It is important that people in Hong Kong remain conscious of the potential ramifications of using communication and publishing apps and that they stay on the lookout for potential attacks. As protests intensify and as the government receives international pressure to reduce the intervention of police forces, computer and mobile attacks might increase in number.

Nathan Freitas and Oiwan Lam contributed to this article.