China. Some of my favorite things are from China. Technically, all my favorite things could be traced back to “Made in China”, but some of them are:
- Riot Games (VALORANT, League of Legends)
- CORSAK (music artist)
- My LED light
Let’s focus on the last one. Last year, I bought an LED light strip from Amazon. There’s a whole industry for it on the market, and you can find ones with varying features. This one, in particular, can be controlled via an app called “Magic Home Pro”, which comes with pretty cool features like candle-like lighting (if you need to set that romantic tone) and syncing with your music (highly inaccurate, works best with EDM songs).
I’ve been using it for a while now, and it’s been great. However, the incorrect music syncing bothered me a bit and I tried to reverse-engineer the app to send my custom requests to the light so that I could sync it with my Spotify (instead of having to rely on the app). Controlling the lights from my computer would be cool, right?
Unfortunately, neither the app nor the light has a documented API for me to use. The closest I came was a GitHub repository that reverse-engineered the protocol used by the app to communicate with the light. It did work, but I wanted to build my version of it so that I could use it however I liked. Most repos required a Raspberry Pi, and in case you didn’t know, those are extremely hard to come by for the right price in the MENA.
While monitoring the mobile app for any network requests I could reverse engineer, I noticed a couple of weird TCP requests being sent to a few servers in China. Because the LED light runs on the local network, any request made to anything other than a local IP address (192.168.x.x) was suspicious. (The app seemingly doesn’t use any external resources either, so it was a bit concerning.)
Further attempts to reproduce these requests have failed.
The first request was a POST to 14.22.7.140.
```
POST /rqd/async?aid=<UUID_V4_HERE> HTTP/1.1
wup_version: 3.0
secureSessionId: REDACTED_SZ
strategylastUpdateTime: 1550481301000
appVer: 1.9.3%28219%29
bundleId: com.zengge.wifi
sdkVer: 2.8.6
prodId: 956393cf2b
cmd: 840
platformId: 1
A37: WIFI
A38: WIFI
Content-Type: application/x-www-form-urlencoded
User-Agent: Dalvik/2.1.0 (Linux; U; Android 14; <MY ANDROID MODEL> Build/UP1A.230620.001)
Host: android.bugly.qq.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 1056

a7 60 e3 2a e9 08 af d8 4f 48 10 8a 0a 60 51 db .`.*.... OH...`Q.
c7 09 3e c6 52 67 8d c9 5c 7e 3a 0d 81 58 35 36 ..>.Rg.. \~:..X56
83 9e 90 b3 cb 07 b5 28 66 6d bf b7 f5 62 7a 81 .......( fm...bz.
49 0e 2f 6b 46 ec e1 d6 4d 99 36 02 09 21 27 01 I./kF... M.6..!'.
...60 more lines
```
The POST body and response were gibberish (probably encrypted; if anyone knows how to make sense of it, please let me know).
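The off-LAN check and the captured header block above, combined into a small triage script. This is an added example, not code from the original post; the function names and every sample address except 14.22.7.140 are assumptions, and the check covers all non-public ranges rather than only 192.168.x.x.

```python
import ipaddress
from urllib.parse import unquote

# Request head copied from the capture above (body and redacted fields left out).
CAPTURED_HEAD = """\
POST /rqd/async?aid=<UUID_V4_HERE> HTTP/1.1
appVer: 1.9.3%28219%29
bundleId: com.zengge.wifi
sdkVer: 2.8.6
Host: android.bugly.qq.com
Content-Length: 1056
"""

# Constructed sample; only 14.22.7.140 is from the post, the rest are made up.
OBSERVED = ["192.168.1.23", "10.0.0.5", "255.255.255.255", "14.22.7.140"]


def leaves_lan(dst: str) -> bool:
    """True for globally routable addresses (not private, loopback, broadcast...)."""
    return ipaddress.ip_address(dst).is_global


def parse_head(raw: str) -> dict:
    """Split a captured request head into method, path and lower-cased headers."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers}


def triage(dst: str, raw: str) -> dict:
    """Summarise where an off-LAN request went and which app/SDK identified itself."""
    h = parse_head(raw)["headers"]
    return {
        "off_lan": leaves_lan(dst),
        "host": h.get("host"),
        "bundle": h.get("bundleid"),
        "app_version": unquote(h.get("appver", "")),
        "sdk_version": h.get("sdkver"),
        "body_bytes": int(h.get("content-length", 0)),
    }


if __name__ == "__main__":
    for dst in filter(leaves_lan, OBSERVED):
        print(dst, triage(dst, CAPTURED_HEAD))
```

Only the public address is flagged, and the summary ties it to the app's bundle identifier and the SDK version that the request itself declares.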
Let’s focus on a few things here.
The bundleId is com.zengge.wifi. Zengge is a company that makes LED lights among other smart home devices. On the LED market, I’d say they’re a bit more premium than the rest. According to their website, they are a supposedly renowned brand, even used by Walmart in China. A Facebook page reads [sic]:
ZENGGE Co., Ltd is a world’s leading smart light bulb and controller enterprise which locates in Shenzhen China and established in 2008.
The Magic Home Pro app (and my LED) is also made by Zengge, which would explain the bundleId.
The User-Agent reads “Dalvik”. A quick search shows that Dalvik is a discontinued VM for Android, last used in Android 4.4. This, again, is weird because according to the Play Store, the app was released in late 2016, which would mean it should be using ART (the successor of Dalvik).
A WHOIS for the address 14.22.7.140 shows:
- ISP: ChinaNet Guangdong Province Network
- Hostname: android.bugly.qq.com
- Domain Name: chinatelecom.com.cn
- Country: China
- City: Guangzhou, Guangdong
And here we see android.bugly.qq.com once again.
Tencent QQ (Chinese: 腾讯QQ), also known as QQ (qq.com), is an instant messaging software service and web portal developed by the Chinese technology company Tencent. QQ offers services that provide online social games, music, shopping, microblogging, movies, and group and voice chat software. As of March 2023, there were 597 million monthly active QQ accounts. (Wikipedia)
Visiting bugly.qq.com, I managed to understand the website contents because of Duolingo (and Google Translate). The website reads
A pleasant way to develop
Tencent Bugly provides mobile developers with professional exception reporting and operation statistics, helping developers quickly discover and resolve exceptions, while also grasping product operation dynamics and following up on user feedback in a timely manner.
Turns out, it was a crash-reporting service.
Overkill for an app that controls your LED lights, but at least it’s for a valid reason (hopefully).
What I do love about Bugly is its detailed Privacy Policy, which is unlike any Privacy Policy I’ve ever seen, most of them consisting of layers of legalese and eighteenth-century English. It includes a table of data that it collects from devices and how it uses them, such as the phone model, whether the device is rooted or not, and the network - standard requirements for a crash reporting service. Even the Android permissions requested by the app are listed in the Privacy Policy, probably due to Chinese regulations.
What’s interesting is this part:
(3) According to the provisions of laws and regulations, the following are exceptions to which user consent is required:
- In order to respond to public health emergencies, or necessary to protect the life, health and property safety of end users in emergencies;
4. Carry out news reporting, public opinion supervision and other activities for the public interest, and process the personal information of end users within a reasonable scope;
A bit excessive for a crash reporting service, no?