By Electronic Frontier Foundation (Reporter)

Crimson Memo: Analyzing the Privacy Impact of Xianghongshu AKA Red Note



Early in January 2025 it seemed like TikTok was on the verge of being banned by the U.S. government. In reaction to this imminent ban, several million people in the United States signed up for a different China-based social network known in the U.S. as RedNote, and in China as Xianghongshu (小红书/小紅書, which translates to Little Red Book).

RedNote is an application and social network created in 2013 that currently has over 300 million users. Feature-wise, it is most comparable to Instagram and is primarily used for sharing pictures, videos, and shopping. The vast majority of its users live in China, are born after 1990, and are women. Even before the influx of new users in January, RedNote has historically had many users outside of China, primarily people from the Chinese diaspora who have friends and relatives on the network. RedNote is largely funded by two major Chinese tech corporations: Tencent and Alibaba. 

When millions of U.S.-based users started flocking to the application, the traditional rounds of pearl clutching and concern trolling began. Many people raised the alarm about U.S. users entrusting their data to a Chinese company and, it is implied, the Chinese Communist Party. The reaction from U.S. users was an understandable, if unfortunate, bit of privacy nihilism. People responded that they “didn’t care if someone in China was getting their data since US companies such as Meta and Google had already stolen their data anyway.” “What is the difference,” people argued, “between Meta having my data and someone in China? How does this affect me in any way?”


Last week, The Citizen Lab at The Munk School Of Global Affairs, University of Toronto, released a report authored by Mona Wang, Jeffrey Knockel, and Irene Poetranto which highlights three serious security issues in the RedNote app. The most concerning finding from Citizen Lab is a revelation that RedNote retrieves uploaded user content over plaintext HTTP. This means that anyone else on your network, at your internet service provider, or organizations like the NSA, can see everything you look at and upload to RedNote. Moreover, someone could intercept that request and replace it with their own media or even an exploit to install malware on your device.

In light of this report the EFF Threat Lab decided to confirm the Citizen Lab findings and do some additional privacy investigation of RedNote. We used static analysis techniques for our investigation, including manual static analysis of decompiled source code, and automated scanners including MobSF and Exodus Privacy. We only analyzed Version 8.59.5 of RedNote for Android downloaded from the website APK Pure.

EFF has independently confirmed the finding that RedNote retrieves posted content over plaintext HTTP. Due to this lack of even basic transport layer encryption we don’t think this application is safe for anyone to use. Even if you don’t care about giving China your data, it is not safe to use any application that doesn’t use encryption by default.

Citizen Lab researchers also found that users’ file contents are readable by network attackers. We were able to confirm that RedNote encrypts several sensitive files with static keys which are present in the app and the same across all installations of the app, meaning anyone who was able to retrieve those keys from a decompiled version of the app could decrypt these sensitive files for any user of the application. The Citizen Lab report also found a vulnerability where an attacker could identify the contents of any file readable by the application. This was out of scope for us to test but we find no reason to doubt this claim. 

The third major finding by Citizen Lab was that RedNote transmits device metadata in a way that can be eavesdropped on by network attackers, sometimes without encryption at all, and sometimes in a way vulnerable to a machine-in-the-middle attack. We can confirm that RedNote does not validate HTTPS certificates properly. Testing this vulnerability was out of scope for EFF, but we find no reason to doubt this claim.

Permissions and Trackers

EFF performed further analysis of the permissions and trackers requested by RedNote. Our findings indicate two other potential privacy issues with the application. 

RedNote requests some very sensitive permissions, including location information, even when the app is not running in the foreground. This permission is not requested by other similar apps such as TikTok, Facebook, or Instagram. 
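The kind of static triage described above, as an added example that is not EFF's or Citizen Lab's tooling and not MobSF: it parses a constructed AndroidManifest.xml and network security config (hypothetical package name and domain, not RedNote's real files) and reports the two manifest-visible issues the article raises, cleartext HTTP being permitted and background location being requested, alongside a hardened config that passes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions from the article's Figure 1 that warrant a second look.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location while the app is not in use",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can request package installation",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw over other apps",
    "android.permission.READ_CONTACTS": "reads the contact list",
}

# Constructed sample manifest (hypothetical package name, not RedNote's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.socialapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:usesCleartextTraffic="true"
               android:networkSecurityConfig="@xml/network_security_config"/>
</manifest>
"""

# Weak config: cleartext permitted for a media host (the class of issue found in RedNote).
WEAK_NSC = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">cdn.example.com</domain>
  </domain-config>
</network-security-config>
"""

# Hardened config: cleartext disabled for every destination.
HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false"/>
</network-security-config>
"""


def audit_manifest(manifest_xml):
    """Return findings for sensitive permissions and the cleartext flag."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name", "")
        if name in SENSITIVE_PERMISSIONS:
            findings.append(f"permission {name}: {SENSITIVE_PERMISSIONS[name]}")
    app = root.find("application")
    # On API 24+ a networkSecurityConfig overrides this flag, so check both.
    if app is not None and app.get(f"{{{ANDROID_NS}}}usesCleartextTraffic") == "true":
        findings.append("application allows cleartext traffic (usesCleartextTraffic=true)")
    return findings


def audit_network_security_config(nsc_xml):
    """Return one finding per base-config or domain-config that permits cleartext."""
    root = ET.fromstring(nsc_xml)
    findings = []
    for tag in ("base-config", "domain-config"):
        for node in root.iter(tag):
            if node.get("cleartextTrafficPermitted") == "true":
                domains = [d.text for d in node.iter("domain")] or ["(all domains)"]
                findings.append(f"{tag} permits cleartext for {', '.join(domains)}")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST) + audit_network_security_config(WEAK_NSC):
        print("FINDING:", line)
    print("hardened config findings:", audit_network_security_config(HARDENED_NSC))
```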

We also found, using an online scanner for tracking software called Exodus Privacy, that RedNote is not a platform which will protect its users from U.S.-based surveillance capitalism. In addition to sharing user data with the Chinese companies Tencent and ByteDance, it also shares user data with Facebook and Google.

Other Issues 

RedNote contains functionality to update its own code after it’s downloaded from the Google Play store using an open source library called APK Patch. This could be used to inject malicious code into the application after it has been downloaded without such code being revealed in automated scans meant to protect against malicious applications being uploaded to official stores, like Google Play. 

Recommendations

Due to the lack of encryption we do not consider it safe for anyone to run this app. If you are going to use RedNote, we recommend doing so with the absolute minimum set of permissions necessary for the app to function (see our guides for iPhone and Android). At least a part of this blame falls on Google. Android needs to stop allowing apps to make unencrypted requests at all.


RedNote should immediately take steps to encrypt all traffic from their application and remove the permission for background location information. 

Users should also keep in mind that RedNote is not a platform which values free speech. It’s a heavily censored application where topics such as political speech, drugs and addiction, and sexuality are more tightly controlled than similar social networks. 

Since it shares data with Facebook and Google ad networks, RedNote users should also keep in mind that it’s not a platform that protects you from U.S.-based surveillance capitalism.

The willingness of users to so quickly move to RedNote also highlights the fact that people are hungry for platforms that aren’t controlled by the same few American tech oligarchs. People will happily jump to another platform even if it presents new, unknown risks, or is controlled by foreign tech oligarchs such as Tencent and Alibaba.

However, federal bans of such applications are not the correct answer. When bans are targeted at specific platforms such as TikTok, Deepseek, and RedNote rather than privacy-invasive practices such as sharing sensitive details with surveillance advertising platforms, users who cannot participate on the banned platform may still have their privacy violated when they flock to other platforms. The real solution to the potential privacy harms of apps like RedNote is to ensure (through technology, regulation, and law) that people’s sensitive information isn’t entered into the surveillance capitalist data stream in the first place.

We need a federal, comprehensive, consumer-focused privacy law. Our government is failing to address the fundamental harms of privacy-invading social media. Implementing xenophobic, free-speech infringing policy is having the unintended consequence of driving folks to platforms with even more aggressive censorship. This outcome was foreseeable. Rather than a knee-jerk reaction banning the latest perceived threat, these issues could have been avoided by addressing privacy harms at the source and enacting strong consumer-protection laws. 

Figure 1. Permissions requested by RedNote

Permission: Description

android.permission.ACCESS_BACKGROUND_LOCATION: This app can access location at any time, even while the app is not in use.
android.permission.ACCESS_COARSE_LOCATION: This app can get your approximate location from location services while the app is in use. Location services for your device must be turned on for the app to get location.
android.permission.ACCESS_FINE_LOCATION: This app can get your precise location from location services while the app is in use. Location services for your device must be turned on for the app to get location. This may increase battery usage.
android.permission.ACCESS_MEDIA_LOCATION: Allows the app to read locations from your media collection.
android.permission.ACCESS_NETWORK_STATE: Allows the app to view information about network connections such as which networks exist and are connected.
android.permission.ACCESS_WIFI_STATE: Allows the app to view information about Wi-Fi networking, such as whether Wi-Fi is enabled and name of connected Wi-Fi devices.
android.permission.AUTHENTICATE_ACCOUNTS: Allows the app to use the account authenticator capabilities of the AccountManager, including creating accounts and getting and setting their passwords.
android.permission.BLUETOOTH: Allows the app to view the configuration of the Bluetooth on the phone, and to make and accept connections with paired devices.
android.permission.BLUETOOTH_ADMIN: Allows the app to configure the local Bluetooth phone, and to discover and pair with remote devices.
android.permission.BLUETOOTH_CONNECT: Allows the app to connect to paired Bluetooth devices.
android.permission.CAMERA: This app can take pictures and record videos using the camera while the app is in use.
android.permission.CHANGE_NETWORK_STATE: Allows the app to change the state of network connectivity.
android.permission.CHANGE_WIFI_STATE: Allows the app to connect to and disconnect from Wi-Fi access points and to make changes to device configuration for Wi-Fi networks.
android.permission.EXPAND_STATUS_BAR: Allows the app to expand or collapse the status bar.
android.permission.FLASHLIGHT: Allows the app to control the flashlight.
android.permission.FOREGROUND_SERVICE: Allows the app to make use of foreground services.
android.permission.FOREGROUND_SERVICE_DATA_SYNC: Allows the app to make use of foreground services with the type dataSync.
android.permission.FOREGROUND_SERVICE_LOCATION: Allows the app to make use of foreground services with the type location.
android.permission.FOREGROUND_SERVICE_MEDIA_PLAYBACK: Allows the app to make use of foreground services with the type mediaPlayback.
android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION: Allows the app to make use of foreground services with the type mediaProjection.
android.permission.FOREGROUND_SERVICE_MICROPHONE: Allows the app to make use of foreground services with the type microphone.
android.permission.GET_ACCOUNTS: Allows the app to get the list of accounts known by the phone. This may include any accounts created by applications you have installed.
android.permission.INTERNET: Allows the app to create network sockets and use custom network protocols. The browser and other applications provide means to send data to the internet, so this permission is not required to send data to the internet.
android.permission.MANAGE_ACCOUNTS: Allows the app to perform operations like adding and removing accounts, and deleting their password.
android.permission.MANAGE_MEDIA_PROJECTION: Allows an application to manage media projection sessions. These sessions can provide applications the ability to capture display and audio contents. Should never be needed by normal apps.
android.permission.MODIFY_AUDIO_SETTINGS: Allows the app to modify global audio settings such as volume and which speaker is used for output.
android.permission.POST_NOTIFICATIONS: Allows the app to show notifications.
android.permission.READ_CALENDAR: This app can read all calendar events stored on your phone and share or save your calendar data.
android.permission.READ_CONTACTS: Allows the app to read data about your contacts stored on your phone. Apps will also have access to the accounts on your phone that have created contacts. This may include accounts created by apps you have installed. This permission allows apps to save your contact data, and malicious apps may share contact data without your knowledge.
android.permission.READ_EXTERNAL_STORAGE: Allows the app to read the contents of your shared storage.
android.permission.READ_MEDIA_AUDIO: Allows the app to read audio files from your shared storage.
android.permission.READ_MEDIA_IMAGES: Allows the app to read image files from your shared storage.
android.permission.READ_MEDIA_VIDEO: Allows the app to read video files from your shared storage.
android.permission.READ_PHONE_STATE: Allows the app to access the phone features of the device. This permission allows the app to determine the phone number and device IDs, whether a call is active, and the remote number connected by a call.
android.permission.READ_SYNC_SETTINGS: Allows the app to read the sync settings for an account. For example, this can determine whether the People app is synced with an account.
android.permission.RECEIVE_BOOT_COMPLETED: Allows the app to have itself started as soon as the system has finished booting. This can make it take longer to start the phone and allow the app to slow down the overall phone by always running.
android.permission.RECEIVE_USER_PRESENT: Unknown permission from Android reference.
android.permission.RECORD_AUDIO: This app can record audio using the microphone while the app is in use.
android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS: Allows an app to ask for permission to ignore battery optimizations for that app.
android.permission.REQUEST_INSTALL_PACKAGES: Allows an application to request installation of packages.
android.permission.SCHEDULE_EXACT_ALARM: This app can schedule work to happen at a desired time in the future. This also means that the app can run when you’re not actively using the device.
android.permission.SYSTEM_ALERT_WINDOW: This app can appear on top of other apps or other parts of the screen. This may interfere with normal app usage and change the way that other apps appear.
android.permission.USE_CREDENTIALS: Allows the app to request authentication tokens.
android.permission.VIBRATE: Allows the app to control the vibrator.
android.permission.WAKE_LOCK: Allows the app to prevent the phone from going to sleep.
android.permission.WRITE_CALENDAR: This app can add, remove, or change calendar events on your phone. This app can send messages that may appear to come from calendar owners, or change events without notifying their owners.
android.permission.WRITE_CLIPBOARD_SERVICE: Unknown permission from Android reference.
android.permission.WRITE_EXTERNAL_STORAGE: Allows the app to write the contents of your shared storage.
android.permission.WRITE_SETTINGS: Allows the app to modify the system’s settings data. Malicious apps may corrupt your system’s configuration.
android.permission.WRITE_SYNC_SETTINGS: Allows an app to modify the sync settings for an account. For example, this can be used to enable sync of the People app with an account.
cn.org.ifaa.permission.USE_IFAA_MANAGER: Unknown permission from Android reference.
com.android.launcher.permission.INSTALL_SHORTCUT: Allows an application to add Homescreen shortcuts without user intervention.
com.android.launcher.permission.READ_SETTINGS: Unknown permission from Android reference.
com.asus.msa.SupplementaryDID.ACCESS: Unknown permission from Android reference.
com.coloros.mcs.permission.RECIEVE_MCS_MESSAGE: Unknown permission from Android reference.
com.google.android.gms.permission.AD_ID: Unknown permission from Android reference.
com.hihonor.push.permission.READ_PUSH_NOTIFICATION_INFO: Unknown permission from Android reference.
com.hihonor.security.permission.ACCESS_THREAT_DETECTION: Unknown permission from Android reference.
com.huawei.android.launcher.permission.CHANGE_BADGE: Unknown permission from Android reference.
com.huawei.android.launcher.permission.READ_SETTINGS: Unknown permission from Android reference.
com.huawei.android.launcher.permission.WRITE_SETTINGS: Unknown permission from Android reference.
com.huawei.appmarket.service.commondata.permission.GET_COMMON_DATA: Unknown permission from Android reference.
com.huawei.meetime.CAAS_SHARE_SERVICE: Unknown permission from Android reference.
com.meizu.c2dm.permission.RECEIVE: Unknown permission from Android reference.
com.meizu.flyme.push.permission.RECEIVE: Unknown permission from Android reference.
com.miui.home.launcher.permission.INSTALL_WIDGET: Unknown permission from Android reference.
com.open.gallery.smart.Provider: Unknown permission from Android reference.
com.oplus.metis.factdata.permission.DATABASE: Unknown permission from Android reference.
com.oplus.permission.safe.AI_APP: Unknown permission from Android reference.
com.vivo.identifier.permission.OAID_STATE_DIALOG: Unknown permission from Android reference.
com.vivo.notification.permission.BADGE_ICON: Unknown permission from Android reference.
com.xiaomi.dist.permission.ACCESS_APP_HANDOFF: Unknown permission from Android reference.
com.xiaomi.dist.permission.ACCESS_APP_META: Unknown permission from Android reference.
com.xiaomi.security.permission.ACCESS_XSOF: Unknown permission from Android reference.
com.xingin.xhs.permission.C2D_MESSAGE: Unknown permission from Android reference.
com.xingin.xhs.permission.JOPERATE_MESSAGE: Unknown permission from Android reference.
com.xingin.xhs.permission.JPUSH_MESSAGE: Unknown permission from Android reference.
com.xingin.xhs.permission.MIPUSH_RECEIVE: Unknown permission from Android reference.
com.xingin.xhs.permission.PROCESS_PUSH_MSG: Unknown permission from Android reference.
com.xingin.xhs.permission.PUSH_PROVIDER: Unknown permission from Android reference.
com.xingin.xhs.push.permission.MESSAGE: Unknown permission from Android reference.
freemme.permission.msa: Unknown permission from Android reference.
freemme.permission.msa.SECURITY_ACCESS: Unknown permission from Android reference.
getui.permission.GetuiService.com.xingin.xhs: Unknown permission from Android reference.
ohos.permission.ACCESS_SEARCH_SERVICE: Unknown permission from Android reference.
oplus.permission.settings.LAUNCH_FOR_EXPORT: Unknown permission from Android reference.


Source: https://www.eff.org/deeplinks/2025/02/crimson-memo-analyzing-privacy-impact-xianghongshu-aka-red-note
