I live in Canada. My girlfriend is Chinese (also living in Canada), and while we are able to communicate via SMS, her mobile carrier isn’t the best, and so there have often been issues for us with regular texting. She expressed a strong preference to use WeChat, at least as a backup option for when texting fails us. While I have some pretty significant reservations, it’s not the hill I want to die on. So my question is: what can be done to use WeChat without compromising my whole phone? I’m okay with it if our conversations aren’t private, but I’d like to know that I’m not giving unfettered access to all of my phone’s systems and data to the CCP. What can be done to limit the reach of this ubiquitous app on my device?
You can put it in a work profile and trust that Android is protective enough to keep your data safe and access limited. Otherwise buy a second phone just to put WeChat on it. Don’t know how WeChat works, but if it’s like Whatsapp then you don’t need to bother with a secondary number.
To add to this: you can install an open-source app called Shelter which will let you quickly set up a Work Profile for apps you want to keep isolated.
Indeed. Or otherwise Island as an alternative. Don’t know how those two compare on the security and privacy front.
If you own a Samsung phone, I’d also recommend their Secure Folder, which is apparently pretty damn secure and isolated from the rest of the device.
Maybe meet in the middle? If she’s willing to put up with SMS for you, I think she’ll be fine with Signal.
Why not another app, such as one that offers end to end encryption?
Use an old phone for it?
Shelter?
Yup, that’s what I’ve ended up doing. It wasn’t on my radar before making this post, so I’m thankful for everyone who suggested it.
Phone apps are already fairly sandboxed.
Use your phone’s permission system, look at the app’s permissions, and set them as strict as the app will allow you to while continuing to function. I don’t see any particularly scary permissions that aren’t optional (looking in Google Play/the Android permissions set).
Pretty much anything beyond that you’re wasting your time unless you want to carry two phones.
Edit: I see you went with Shelter; hadn’t heard of that either. Probably overkill, but as long as it doesn’t cause problems/the app works for you, go for it.
Well it means that if I do grant a permission to the app like for example file storage access to send my gf a funny meme I downloaded, it doesn’t get access to all of the pictures and files on my device.
Not sure how wechat works. I vaguely recall being able to restrict apps to pick photos only through the gallery app on recent versions of Android.
It doesn’t seem to use that interface weirdly. It just asks for file storage permission and then has its own explorer to select files.
Ah, then yeah probably best to do what you’re doing … it may very well scan for things or do who knows what.
Yeah exactly. I’ve had to take photos of various ID documents at different points for various reasons and so there are things like photos of my driver’s license stored in my phone’s filesystem. I’m glad Shelter gives a bit of insulation there. It lets me copy files in and out of the sandbox, but by default the sandbox has no files in it.
I’d recommend deleting those when you get the chance … no real reason to tempt fate regardless of what apps are on your phone 😉
If you are into self-hosting: You can use Matrix on your phone with a self hosted Matrix server and a WeChat Bridge.
Afaik there are two different bridges and both are in Alpha, though, so you might need to try what works for you.
For getting the account you might be able to use an Android VM so your main phone stays clean.
That’s an oxymoron. Apart from having a dedicated device, you can’t really sandbox the app since it requires basic permissions to function that give access to core phone functions. See https://reports.exodus-privacy.eu.org/en/reports/com.tencent.mm/latest/
You can try to limit permissions of some features that you don’t intend to use.See Exodus…
Hard for me to take anything they say seriously when they say Facebook does not contain any trackers:
We have not found code signature of any tracker we know in the application.
https://reports.exodus-privacy.eu.org/en/reports/com.facebook.katana/latest/
Edit: I’m not saying WeChat is clean, just that I don’t exactly trust Exodus for tracker reporting.
If you actually bothered to read, you would know that it shows 0 trackers because Facebook doesn’t embed their trackers in the SDK, and inject them later once you grant them the permissions to the device, exactly the same way WeChat does.
If you actually bothered to read…
I did read, and it changed nothing about what I said. Let’s revisit: did it detect Facebook, which I think we can all agree is invasive, as having trackers? No? The “why” of it doesn’t seem particularly relevant as we are just looking for trackers in apps.
https://discuss.grapheneos.org/d/9358-using-apps-with-known-trackers-with-no-google-play-services/6
