Crimson Memo: Analyzing the Privacy Impact of Xianghongshu AKA Red Note

Early in January 2025 it seemed like TikTok was on the verge of being banned by the U.S. government. In reaction to this imminent ban, several million people in the United States signed up for a different China-based social network known in the U.S. as RedNote, and in China as Xianghongshu (小红书/ 小紅書; which translates to Little Red Book). 

RedNote is an application and social network created in 2013 that currently has over 300 million users. Feature-wise, it is most comparable to Instagram and is primarily used for sharing pictures, videos, and shopping. The vast majority of its users live in China, are born after 1990, and are women. Even before the influx of new users in January, RedNote has historically had many users outside of China, primarily people from the Chinese diaspora who have friends and relatives on the network. RedNote is largely funded by two major Chinese tech corporations: Tencent and Alibaba. 

When millions of U.S. based users started flocking to the application, the traditional rounds of pearl clutching and concern trolling began. Many people raised the alarm about U.S. users entrusting their data with a Chinese company, and it is implied, the Chinese Communist Party. The reaction from U.S. users was an understandable, if unfortunate, bit of privacy nihilism. People responded that they, “didn’t care if someone in China was getting their data since US companies such as Meta and Google had already stolen their data anyway.” “What is the difference,” people argued, “between Meta having my data and someone in China? How does this affect me in any way?”

Even if you don’t care about giving China your data, it is not safe to use any application that doesn’t use encryption by default. 

Last week, The Citizen Lab at The Munk School Of Global Affairs, University of Toronto, released a report authored by Mona Wang, Jeffrey Knockel, and Irene Poetranto which highlights three serious security issues in the RedNote app. The most concerning finding from Citizen Lab is a revelation that RedNote retrieves uploaded user content over plaintext http. This means that anyone else on your network, at your internet service provider, or organizations like the NSA, can see everything you look at and upload to RedNote. Moreover someone could intercept that request and replace it with their own media or even an exploit to install malware on your device. 

In light of this report the EFF Threat Lab decided to confirm the CItizen Lab findings and do some additional privacy investigation of RedNote. We used static analysis techniques for our investigation, including manual static analysis of decompiled source code, and automated scanners including MobSF and Exodus Privacy. We only analyzed Version 8.59.5 of RedNote for Android downloaded from the website APK Pure.

EFF has independently confirmed the finding that Red Note retrieves posted content over plaintext http. Due to this lack of even basic transport layer encryption we don’t think this application is safe for anyone to use. Even if you don’t care about giving China your data, it is not safe to use any application that doesn’t use encryption by default. 

Citizen Lab researchers also found that users’ file contents are readable by network attackers. We were able to confirm that RedNote encrypts several sensitive files with static keys which are present in the app and the same across all installations of the app, meaning anyone who was able to retrieve those keys from a decompiled version of the app could decrypt these sensitive files for any user of the application. The Citizen Lab report also found a vulnerability where an attacker could identify the contents of any file readable by the application. This was out of scope for us to test but we find no reason to doubt this claim. 

The third major finding by Citizen Lab was that RedNote transmits device metadata in a way that can be eavesdropped on by network attackers, sometimes without encryption at all, and sometimes in a way vulnerable to a machine-in-the middle attack. We can confirm that RedNote does not validate HTTPS certificates properly. Testing this vulnerability