WeChat - All you want? Or, Buyer Beware?

WeChat is a popular Chinese service managed by Tencent International Service, a Singaporean company, with its servers and operations in China. I would think that non-China companies would be hesitant to use it except, perhaps, to reach consumers in China. There are at least partial adoptions by Starbucks, LinkedIn, and others. Note that some more recent implementations employ local servers, which might be the way to go for WeChat use exclusively outside of China.
 
WeChat is powerful and compelling.  There is a bit of a caution about WeChat published in October 2016 by the Nielsen Norman Group (https://www.nngroup.com/articles/wechat-integrated-ux/): "the key UX advantage of WeChat is not that it grew out of a chat service; it’s the integrated user experience. Each individual service is fine, but not necessarily better than those offered by other companies. In fact, our user testing of WeChat revealed many usability problems in various areas. What’s superior is how these services play together and reinforce each other. Most importantly, these benefits are not the result of a superior, simple conversational UI; instead, they are often provided through a simplified graphical user interface (GUI)."
 
WeChat offers strong integration capabilities achieved using plugins and APIs for the individual WeChat services. A good information source and sample source code are available at Programmable Web.
 
Third-party plugins are also emerging and expanding WeChat capabilities. There is a variety of integration APIs, e.g., for Web sites, Java, and Python, and more specific API guides can be found for each API service integration (social, messaging, chat, video chat, POS, Payment - Wallet, etc.). WeChat administration and integration are managed using the Account Admin Platform. A good guide for this platform can be found at http://admin.wechat.com/wiki/index.php?title=Main_Page
 
A good basic setup guide was published by NEAT Interactive: http://www.neatinteractive.com/news/69-the-complete-wechat-account-setup-guide. The publication calls out the differences between Weixin (Chinese accounts only) and the international version, WeChat. It focuses on the setup of a Chinese business presence by an international company.
 

WeChat security risk issues include:

  1. There are separate Terms & Conditions for PRC and Non-PRC users and entities which need to be fully understood.
     
  2. WeChat Privacy Policy (http://www.wechat.com/en/privacy_policy.html): Needs to be evaluated and aligned with privacy laws and regulations in the various geographies in which it will be used. This can be of special concern with regard to WeChat Information Sharing policies and related WeChat and affiliate marketing practices, as well as WeChat Tracking policies.
     
  3. Tencent has received a TRUSTe Privacy Seal. The certification applies to information that is collected through the WeChat website (www.wechat.com) and the WeChat mobile application, but does not cover information collected through other Tencent websites, mobile applications or downloadable software.
     
  4. The Apps within App architecture and the extensive use of WeChat make it a prime target for hackers seeking to introduce malware, steal information and identities, and commit financial fraud and theft. Developers will need to take great care to ensure data protection, privacy, resilience, and self-protection.
     
  5. WeChat in China, like all media in China, is subject to a strong level of scrutiny and censorship. The censorship has evolved and become complicated. See the April 2017 Fortune Magazine "Juggernaut" article on the subject at http://fortune.com/2017/04/14/china-wechat-tencent-censorship-709-crackdown/
     
  6. Data Compromise: Unencrypted messaging, transactions, and data storage are subject to compromise. In its "Privacy Policy," WeChat only cites SSL encryption but does not speak to storage encryption. Any corporate use of WeChat should be fully encrypted. WeChat's Account Admin Platform Developer Guide provides guidance on the use and implementation of messaging encryption. What is unclear is whether and to what extent WeChat traffic is captured behind the scenes.
     
  7. Transaction Security (Financial Transactions, Wallet, Payments): As with all "Wallet" services, basic concerns exist regarding data privacy, account compromise/takeover, and non-repudiation.
     
Authored By - Brian Cummins
TCS Cyber Security Practice

Comments

In follow-up, with the continued growth of the Great Chinese Firewall, please note that effective in June 2017, Chinese law requires information collected on Chinese nationals to be stored within the country's borders. Also, outsiders cannot use Chinese data to offer services to third parties. As such, any out-of-country WeChat instance would not be viable for interaction with Chinese citizens.
