As the Clubhouse live audio chat app gains in popularity around the world, concerns about its data practices are also increasing.
The app is currently only available on iOS, so some developers have entered a race to create Android, Windows, and Mac versions of the service. While these efforts are not ill-intentioned, the fact that it takes little effort for programmers to reverse engineer and fork Clubhouse – that is, when developers create new software. based on its original code – sounds an alarm on app security.
The common goal of these unofficial apps, as of now, is to deliver real-time Clubhouse audio streams to users who cannot access the app otherwise because they don’t have an iPhone. One such effort is called Open Clubhouse, which describes itself as a “third party flask-based web application for playing Clubhouse audio.” The developer confirmed to TechCrunch that Clubhouse blocked their service five days after launch without providing an explanation.
“[Clubhouse] requests a lot of information from users, analyzes this data and even abuses it. Meanwhile, it limits the way people use the app and doesn’t give them the rights they deserve. For me, that constitutes a monopoly or an exploitation, ”said the developer of Open Clubhouse nicknamed AiX.
The clubhouse cannot be contacted immediately for comment on this story.
AiX wrote the program “for fun” and wanted it to expand Clubhouse access to more people. Another similar effort came from a developer named Zhuowei Zhang, who created Hipster House to allow those who don’t have an invite to browse rooms and users, and those who are invited to join rooms as that listener although they cannot speak – Clubhouse is by invitation only at the moment. Zhang stopped developing the project, however, after noticing a better alternative.
These third-party services, despite their harmless intentions, can be exploited for surveillance purposes, like Jane Manchun Wong, a researcher known to reverse-engineer upcoming features in popular apps, Noted in a tweet.
“Even though the intention of this webpage is to bring Clubhouse to non-iOS users, without protection it could be abused,” Wong said, referring to a website redirecting audio from Clubhouse public rooms. .
Clubhouse allows users to create public chat rooms, which are available to any user who joins before a room reaches its maximum capacity, and private rooms, which are only accessible to room hosts and guests. users authorized by hosts.
But not all users are aware of the open nature of the Clubhouse’s public rooms. During its brief window of availability in China, the app has been inundated with mainland Chinese debating politically sensitive issues from Taiwan to Xinjiang, which are heavily censored in Chinese cyberspace. Some vigilant Chinese users have speculated the possibility of being questioned by the police for making sensitive comments. Although no such event has been publicly reported, Chinese authorities have banned the app since February 8.
The design of the Clubhouse is inherently at odds with the state of communication it aims to achieve. The app encourages people to use their real identities – registration requires a phone number and an invitation from an existing user. In one room, everyone can see who else is there. This setup instills confidence and comfort in users when they speak as if they were speaking at a networking event.
But third-party apps capable of extracting audio streams from Clubhouse show that the app isn’t even semi-public: it’s public.
Most annoying is that users can “listen to ghosts”, as developer Zerforschung has found. In other words, users can overhear a room’s conversation without having their profile displayed to room attendees. Listening is made possible by establishing direct communication with Agora, a service provider employed by Clubhouse. As several security researchers have found, Clubhouse relies on Agora’s real-time audio communication technology. Sources have also confirmed the partnership with TechCrunch.
A technical explanation is needed here. When a user joins a Clubhouse chat room, they make a request to the Agora infrastructure, as the Stanford Internet Observatory discovered. To make the request, the user’s phone contacts the Clubhouse Application Programming Interface (API), which then creates “tokens,” the basic building block of programming that authenticates an action, to establish a path. communication for the audio traffic of the application.
The problem now is that there may be a disconnection between Clubhouse and Agora, allowing the Clubhouse end, which manages user profiles, to be inactive while the Agora end, which transmits audio data, remains active, as technology analyst Daniel Sinclair Noted. Therefore, users can continue to listen to a room without having their profile displayed to room attendees.
The Agora partnership has given rise to other forms of concern. The company, which operates primarily in the United States and China, noted in its IPO prospectus that its data may be subject to China’s cybersecurity law, which requires network operators in China to assist with investigations. policewomen. This possibility, as the Stanford Internet Observatory points out, depends on whether Clubhouse stores its data in China.
While the Clubhouse API is banned in China, the Agora API appears to be unlocked. TechCrunch testing shows that users currently need a VPN to join a room, an action handled by Clubhouse, but can eavesdrop on the room conversation, facilitated by Agora, with the VPN disabled. What’s the safest way for China-based users to access the app, given that the official attitude is that it shouldn’t exist? It’s also worth noting that the app was not available on the Chinese App Store even before it was banned and Chinese users had downloaded the app through workarounds.
The Clubhouse team may have been overwhelmed with questions about the data in recent days, but these early observations from researchers and hackers could urge them to fix their vulnerabilities sooner, paving the way for growth. beyond its multi-million loyal users and billion dollar valuation value.