TikTok alternative, RedNote, leaking user data

TikTok alternative, Xiaohonghsu, transmitting user data in plaintext.

The news that Donald Trump has intervened to keep TikTok accessible for American users may slow the exodus of “TikTok refugees” to Xiaohongshu, also known as Rednote. However, given the rapidly evolving situation, it’s impossible to predict how this story will unfold.

Efforts to ban TikTok, which began during President Trump’s first term, are driven by concerns that the Chinese government could exploit the app for national security purposes to the detriment of the United States. However, there’s also a more practical reason to be cautious about Chinese social media platforms and consumer tech: their failure to consistently adhere to basic cybersecurity standards when transmitting user data over the internet.

One of Corrata’s key features is its ability to monitor the quality of encryption between a user’s mobile device and the services they access. Frequently, we flag cases where websites use outdated cryptographic suites or TLS versions. Such vulnerabilities leave users exposed to potential interception by skilled hackers with the motivation and expertise to exploit these weak connections.

In examining traffic to and from Chinese apps, we often encounter a more glaring issue: data being sent “in the clear,” meaning without any encryption. This problem is common with Chinese consumer IoT devices, but it also extends to other popular Chinese apps in the West. E-commerce platforms are frequent offenders. Thankfully, the data exposed is often limited to non-sensitive information, such as app analytics or performance metrics.

However, there are occasions when we uncover far more concerning issues—like the one involving Rednote.

Thumbnails in the clear

Last week, our systems began flagging unusual activity related to the app, prompting a deeper investigation. While requests to view videos and the videos themselves are transmitted securely using TLS 1.3, we discovered HTTP GET requests for image resources, such as WebP thumbnails, being sent to content delivery network (CDN) hosts like sns-na-i9.xhscdn.com. These requests, which include formats like WEBP, JPG, PNG, and potentially a proprietary format labeled REIF, are not encrypted.

This unencrypted traffic exposes users’ viewing activity to anyone monitoring the network, whether it’s a neighbor on shared Wi-Fi, colleagues on a corporate network, or even state actors. Moreover, plaintext HTTP traffic lacks authenticity, leaving it vulnerable to tampering or spoofing. Our investigation revealed that even simple actions like registering for the app can generate upwards of 16,000 unencrypted traffic frames, making the scale of exposure significant. This issue appears to be linked to the app’s configuration, as its XML definitions indicate a base configuration that permits cleartext traffic—a setting that Android security guidelines strongly discourage due to the risks of data manipulation and exposure.

We’ve shared our findings with Xiaohongshu and are currently awaiting their response. For more technical details, please refer to the full incident report.