TTP - Apple Offers Apps With Ties to Chinese Military
(www.techtransparencyproject.org)
from perishthethought@lemm.ee to privacy@lemmy.ml on 27 May 2025 16:14
https://lemm.ee/post/65137303
from perishthethought@lemm.ee to privacy@lemmy.ml on 27 May 2025 16:14
https://lemm.ee/post/65137303
Millions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies, according to an investigation by the Tech Transparency Project (TTP), including several that were recently owned by a sanctioned firm with links to China’s military.
threaded - newest
Pretty flimsy argument that they’re “linked” to Chinese military for having to comply with local data regulations. By the same argument, every EU, US, and Israeli vpn is as guilty.
From the article:
The department of defense designates every rival as a terrorist or military organization. It’s not really an accusation that holds water at this point.
Are iOS app developers usually considered rivals of the Department of Defense?
Or is it only the ones that work for the PLA?
They didn’t designate all Chinese iOS developers, they singled a few out. Unless you think the DoD is trolling, they must have a reason for accusing this specific app developer.
The DoD is regularly trolling, and designating rival political ideologues as terrorists to justify unwarranted legal maneuvers.
None of that addresses the company at issue.
There are several Chinese developers involved in this investigation.
If the DoD was “designating every rival as a military organization” then why are they singling out specific Chinese developers instead of designating them all as a “Chinese Military Company”? It isn’t because they “have to comply with local data regulations”, all companies have to do that. All Chinese companies have to do that and not all Chinese companies are designated by the DoD as a Military Company.
So, why is this one specific company singled out? Probably because it works for the PLA, as the DoD says.
Your argument is basically “The DoD is lying” which isn’t supported by any evidence in this case. “Trust me bro” from a random social media user isn’t exactly a credible source.
Probably because these companies have some US competitors that want to see them taken out. This is a common tactic.
The DoD is always lying. If you still believe them at this point, you just want to be fooled. Probably appeals to your Sinophobia in this instance.
The linked article:
spoiler
___ Millions of Americans are inadvertently sending their internet traffic to Chinese companies—including several tied to the People’s Liberation Army. Millions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies, according to an investigation by the Tech Transparency Project (TTP), including several that were recently owned by a sanctioned firm with links to China’s military. TTP’s investigation found that one in five of the top 100 free virtual private networks in the U.S. App Store during 2024 were surreptitiously owned by Chinese companies, which are obliged to hand over their users’ browsing data to the Chinese government under the country’s national security laws. Several of the apps traced back to Qihoo 360, a firm declared by the Defense Department to be a “Chinese Military Company." Qihoo did not respond to questions about its app-related holdings. VPNs allow users to mask the IP address that can identify them, and, in theory, keep their internet browsing private. For that reason, they have been used by people around the world to sidestep government censorship or surveillance, or because they believe it will improve their online security. In the U.S., kids often download free VPNs to play games or access social media during school hours. However, VPNs can themselves pose serious risks because the companies that provide them can read all the internet traffic routed through them. That risk is compounded in the case of Chinese apps, given China’s strict laws that can force companies in that country to secretly share access to their users’ data with the government. It would be hard for U.S. users to avoid the Chinese VPNs. The ownership of many appeared deliberately opaque, with several concealing their structure behind layers of offshore shell companies. TTP was able to determine the Chinese ownership of the 20 VPN apps being offered to Apple’s U.S. users by piecing together corporate documents from around the world. None of those apps clearly disclosed their Chinese ownership. The VPN apps identified by TTP have been downloaded more than 70 million times from U.S. app stores, according to data from AppMagic, a mobile apps market intelligence firm. One Chinese VPN has been advertised on Facebook and Instagram to teens as young as 13, and some have targeted ads at Americans looking to keep using TikTok, another Chinese app threatened with a U.S. ban. U.S. lawmakers said they acted on TikTok over concerns it could collect data from its American users on behalf of the Chinese government. However, lawmakers have not given sustained attention to this wider category of VPN apps that could make Americans’ internet traffic available to Chinese authorities. The findings raise questions about Apple’s carefully cultivated reputation for protecting user privacy. The company has repeatedly sought to fend off antitrust legislation designed to loosen its control of the App Store by arguing such efforts could compromise user privacy and security. But TTP’s investigation suggests that Apple is not taking adequate steps to determine who owns the apps it offers its users and what they do with the data they collect. More than a dozen of the Chinese VPNs were also available in Apple’s App Store in France in late February, showing that the issue extends to other Western markets. Apple’s guidelines for app developers state that apps offering VPN services “may not sell, use, or disclose to third parties any data for any purpose.” It isn’t clear how Apple reconciles that policy with the presence of Chinese VPN apps in its App Store, given those apps can be required by law to turn over user data to Chinese authorities. Apple and most of the app developers mentioned in this report did not respond to requests for comment. Emails sent to two of the apps, Thunder VPN and Snap VPN, bounced back as undeliverable, and another app, Speedy Quark VPN, provided an online contact form which was not functional. Background and methodology China has enacted a series of national security laws over the last decade outlining its access to data held by Chinese companies. Chief among these is the country’s National Intelligence Law of 2017, which requires that China-based organizations and individuals cooperate with state intelligence work. According to guidance from the U.S. Department of Homeland Security, in practice, this means that Chinese intelligence agencies may demand access to data of U.S. individuals and businesses held by Chinese entities and even compel the creation of backdoors in equipment and software. The guidance also specifically references apps, stating, “Data collected through software and mobile applications owned or operated by PRC firms is also accessible to the PRC government through its legal system.” Citing the risks of China collecting data on U.S. users, Con
Continued:
spoiler
___ Qihoo 360 did not respond to questions about the current status of its app holdings, but TTP found evidence that suggests the company remains connected to the apps. In its 2020 annual report, Qihoo 360 said it sold something called “Project L,” which appears to be the app-related companies Lemon Seed, Lemon Clove, and Autumn Breeze, to unnamed “external parties.” (Qihoo 360 does not describe Project L, but key pieces of information it does disclose about the project, including how much it cost to acquire and when it was originally acquired, match the information Qihoo provided for the three app-related companies.) The sale occurred in September 2020, according to Qihoo 360, a few months after the U.S. Commerce Department sanctioned the company as a national security threat. However, corporate registration documents for Lemon Seed in the Cayman Islands as well as Lemon Clove, Autumn Breeze, and Innovative Connecting in Singapore suggest an ongoing connection with Qihoo 360. The most recent corporate filings for Lemon Seed, Lemon Clove, Autumn Breeze, and Innovative Connecting, from March 2025, all list one director, Chen Ningyi. (Three of the filings identify this person as a Chinese national.) The name Chen Ningyi is on a Qihoo patent from 2017. The Chinese version of this patent gives Chen’s name in Chinese characters, which matches an individual who was described in 2020 by China Daily, the mouthpiece of the Chinese Communist Party, as a general manager of 360 Mobile Guard, Qihoo 360’s mobile phone security app. This same Chen Ningyi was also named a board member and legal representative of a Qihoo subsidiary when it was sold to another Chinese tech firm in March 2023. (See additional research details at the bottom of the report.) Qihoo 360 may have entered the app business through a little-known Chinese company called Guangzhou Quanyong Information Technology Co., Ltd., TTP’s investigation found. Guangzhou Quanyong developed apps for Apple’s iOS and Android, and corporate records show it created several apps in the Innovative Connecting network. According an undated profile in PitchBook, which collects market data on mergers and acquisitions, Qihoo 360 acquired “SpringTech,” which appears to be the English name for Guangzhou Quanyong. (The “quan” in Quanyong means “spring.”) Guangzhou Quanyong officially dissolved in 2022, but shared the same address as the Qihoo subsidiary described above. TurboVPN, the first VPN mentioned in this section, has been advertising itself on Facebook and Instagram this year. One of its ad campaigns, which ran in January and February, targeted Spanish-speaking users in the U.S., saying Turbo VPN can help with the threatened U.S. TikTok ban. 1 of 4 A recent ad campaign on Facebook and Instagram promoted the Chinese app TurboVPN. Hong Kong shell companies A number of the VPN apps in the Apple App Store traced back to Hong Kong companies, which were ultimately owned by individuals or companies in mainland China. While Hong Kong may conjure up a benign image in the minds of some Americans, owing to its long history of relative autonomy from China, the region since 2020 has experienced a sharp crackdown on pro-democracy activists and opposition leaders orchestrated by the central government in Beijing. New Hong Kong national security laws have been used to justify this crackdown, including a controversial ordinance introduced in March 2024. Last year, the U.S. government issued a warning to American businesses operating in Hong Kong that they face risks of warrantless surveillance and forced surrender of data to authorities due to the region’s national security laws. One of the apps examined by TTP, X-VPN, was the 4th most popular free VPN app in the U.S. for iPhone and iPad in 2024. The app’s page in the Apple App Store gives its developer as Free Connected Limited, a generic-sounding company with no obvious connection to China. However, the app’s privacy policy, which users must click to view outside the App Store, shows that Free Connected is based in Hong Kong. TTP found Free Connected Limited listed in the Hong Kong government’s corporate registry and examined the company’s most recent annual filings. These filings indicate the company is actually owned by a Chinese tech firm, Chengdu Zhuozhuo Technology Co., Ltd. Chengdu Zhuozhuo’s website says the company is focused on “internet transmission and network resources integration.” Free Connected Limited has run multiple ads for X-VPN on Google, with one ad from February promoting it to Americans as a way to get around the TikTok ban. “Best Free VPN for TikTok Ban,” the ad states, adding, “Use TikTok Anytime in US with X-VPN.” 1 of 3 The Chinese firm Free Connected Limited ran an ad campaign for its X-VPN app on Google. Another app called VPNIFY, which ranked 25th among top free VPN apps, gives its developer as Neonetw
Continued:
spoiler
___ Research notes Additional research on Chen Ningyi, the Qihoo 360 subsidiary, and the app developer company Guangzhou Quanyong: According to a Chinese corporate data aggregator, in December 2019—the same month Qihoo 360 purchased the app-related companies Lemon Seed, Lemon Clove, and Autumn Breeze—Qihoo 360 set up a subsidiary in China called Guangzhou Qihoo Technology Co., Ltd. In April 2020, this Qihoo 360 subsidiary changed it address to the same one listed for the app developer company Guangzhou Quanyong (aka SpringTech). The subsidiary then changed its name in January 2021 to Guangzhou Lianchuang Technology Co., Ltd. Qihoo 360 sold the subsidiary in March 2023 to a small tech firm called Beijing Liefeng Technology Co., Ltd. At that time, Chen Ningyi was added to the subsidiary’s board of directors and made its legal representative. He stayed in those positions for a year before being replaced by the owner of Beijing Liefeng. As noted previously, a person named Chen Ningyi worked for Qihoo 360. The above sequence of events, with Chen Ningyi holding a key position at Beijing Liefeng for a year, raises questions about whether Qihoo 360 exercises some control or influence over the smaller tech firm. Qihoo 360 and Beijing Liefeng did not respond to questions about the relationship between the two companies. The subsidiary, Guangzhou Lianchuang, still appears to be active. On one Chinese job website, it describes itself as a company “focusing on the research and development and promotion of mobile Internet apps in overseas markets,” with offices in Singapore, Guangzhou, and Beijing.
Additional research connecting Guangzhou Quanyong Information Technology Co., Ltd. with the Innovative Connecting family of apps: Chinese copyright data maintained by a Chinese corporate data aggregator indicates that Guangzhou Quanyong developed Snap VPN, which has been identified as part of the Innovative Connecting family of apps. The company also developed an app called Muslim Prayer, which is not available in the U.S. Apple App Store but is advertised on the website for ALL Connected, one of the Innovative Connecting entities. Data catalogued by a Chinese corporate record aggregator shows that Guangzhou Quanyong listed the email address coco@allconnected.co in its 2015 annual report, using the same domain as ALL Connected’s website. The following year, Guangzhou Quanyong listed the email coco@acnet.co, using a domain that is registered to Innovative Connecting in Singapore. Additional research showing that “SpringTech” is the English name for Guangzhou Quanyong Information Technology Co., Ltd.: The PitchBook profile showing Qihoo acquired “SpringTech” gave an office address for SpringTech that matched the address for Guangzhou Quanyong in Chinese corporate records. (The profile also listed SpringTech’s website as acnet.co, a domain registered to Innovative Connecting in Singapore.) A profile of Guangzhou Quanyong on Job5156.com, a Chinese job recruitment website, gave “SpringTech” as its English name. A page for “Spring Tech” on the app analytics site Sensor Tower gave the company’s Chinese name as Guangzhou Quanyong. Innovative Connecting is listed as the owner of springtech.info on a list of web publishers maintained by the digital ad platform Liftoff. Following are the remainder of the 20 apps not named in the body of the report. The lifetime U.S. downloads are from AppMagic: #5, Ostrich VPN Listed developer: GeWare Technology Limited Lifetime U.S. downloads according to AppMagic: >5,000,000 According to Hong Kong records, GeWare Technology Limited is a dissolved company whose sole shareholder was a Chinese citizen with a mainland China address. The Ostrich VPN website now gives the company name as Geware Mobile Limited. That is a Hong Kong company owned by a Chinese citizen who lists a Hong Kong address, according to corporate records. (The address, written in Chinese, matches that of a Hong Kong office building, which does not appear to have any residential component, according to its website.) #38, HulaVPN Listed developer: Hula Link Technology Co., Ltd. Lifetime U.S. downloads according to AppMagic: >1,000,000 The app is available both on the Apple App Store and Google Play store, but no information about the company is given on either page. TTP identified nothing with the name “Hula Link Technology” in searches of various global corporate records databases. However, the HTML code on the app’s Google Play page gives the developer’s name, in Chinese, as Guangzhou Hula Network Technology Co. Ltd. and gives an address for the company in Guangzhou, China. #43, VPN Ⓟ (removed from App Store) This app was taken down at some point in 2024 before the URL was archived. Information on the app is still available on AppMagic. Lifetime U.S. downloads according to AppMagic: >200,000 TTP was unable to find information
And practically all western apps are snooped on by western intelligence agencies. So what? This is hardly news.
That’s OK. As long as there are no 3rd party payment methods.
Company? Works with government? In their country? What??? Who could’ve though that could happen!!!
Please stop with these useless articles. Yes, every world power likes gathering metadata. And no, USA is not a “better place” for metadata gathering.
Wait until you find out they offer apps with ties to:
Curious then you pick on vague ties to China to fearmonger.
I mean FFS Microsoft and Google are actively abetting the most documented genocide in a century. Where is the outrage from these garbage people over that? Where’s the push to help boycott and pressure them to stop assisting the slaughter? Children are being killed right now in Gaza with the help of these American companies and where are the stories encouraging people to stop using them?
They offer them, you don’t HAVE to use them. Do ya really expect apple not to cater to a market of 1 billion+ people? Bend the knee a lil?
the day some chinese soldier step on your door, start worrying.
Enough with the Chinese scaremongering. It is getting hysterical !