Clubhouse Reverse Engineering: Security Risks & Concerns

Clubhouse Security Concerns Rise with Popularity
The increasing global popularity of the live audio chat application, Clubhouse, is accompanied by growing apprehension regarding its data handling procedures.
Currently exclusive to the iOS platform, the app has spurred developers to create versions compatible with Android, Windows, and macOS.
While these initiatives aren't necessarily malicious, the relative ease with which Clubhouse can be reverse-engineered and forked – meaning new software is created from its original code – is raising security concerns.
Unofficial Apps and Clubhouse's Response
The primary objective of these unofficial applications is to provide real-time access to Clubhouse audio streams for users lacking iPhones.
One such project, Open Clubhouse, identifies itself as a “third-party web application based on flask to play Clubhouse audio.”
The developer of Open Clubhouse confirmed to TechCrunch that Clubhouse blocked their service just five days after launch, without offering a reason.
“Some companies collect extensive user data, analyze it, and even misuse it,” stated Open Clubhouse’s developer, known as AiX. “They also restrict app usage and fail to respect user rights. This, in my view, represents monopolistic practices or exploitation.”
Clubhouse maintains that “recording or streaming without explicit speaker permission violates the Clubhouse terms of service.”
A Clubhouse spokesperson explained to TechCrunch, “An individual temporarily streamed multiple rooms from their feed to a website over the weekend. This account has been permanently banned, and we’ve implemented additional security measures to prevent future occurrences.”
Developer Motivations and Potential Risks
AiX developed the program “for fun,” aiming to expand Clubhouse’s accessibility.
Another developer, Zhuowei Zhang, created Hipster House, allowing users without invitations to browse rooms and users, and those with invites to listen – though speaking is currently restricted to invitees.
Zhang discontinued the project after discovering a superior alternative.
Despite their seemingly harmless intentions, these third-party services could be leveraged for surveillance, as Jane Manchun Wong, a researcher specializing in app feature discovery, pointed out on Twitter.
“Reverse engineering itself is a neutral practice,” Wong told TechCrunch. “The ethical implications depend on the intent. However, the source code can be taken, repurposed, and used in ways that could endanger specific groups of people.”
Ultimately, the ease of replicating Clubhouse’s functionality highlights potential vulnerabilities and the need for robust security measures to protect user privacy.
An Identity and Privacy Dilemma for Clubhouse
Clubhouse facilitates the creation of both public chat rooms, open to all users until capacity is reached, and private rooms, accessible only to hosts and their designated invitees.
However, a significant portion of the user base remains unaware of the fundamentally open nature of Clubhouse’s public spaces. During a limited period of operation within China, the platform experienced a surge in discussions concerning sensitive political topics – including Taiwan and Xinjiang – topics that are normally heavily censored on the Chinese internet.
Concerns arose among some Chinese users regarding potential police inquiries stemming from the expression of sensitive opinions. Although no such instances have been officially documented, Chinese authorities subsequently prohibited the application as of February 8th.
The Conflict Between Design and Intended Communication
The core design principles of Clubhouse present an inherent contradiction to the level of secure communication it intends to provide. The application promotes the use of verified identities; registration necessitates a phone number and an invitation from an existing user.
Within each room, participant visibility is standard, allowing users to see who else is present. This feature fosters a sense of trust and familiarity, mirroring the atmosphere of a professional networking gathering.
Despite this, the emergence of third-party applications capable of capturing Clubhouse audio streams demonstrates that the platform is, in reality, entirely public, rather than possessing even a degree of privacy.
Implications of Audio Extraction
“These external applications underscore areas where Clubhouse can enhance its security and privacy measures,” notes security researcher Wong. “The programmatic possibility of broadcasting audio from the app implies a potential for automated collection of audio data from Clubhouse rooms.”
Wong suggests a potential solution: “Clubhouse could address this vulnerability by restricting users to listening to only one room concurrently.”
Security Concerns with Clubhouse's Backend
A significant issue has emerged regarding Clubhouse's functionality: the ability for users to engage in "ghost listening," as identified by developer Zerforschung. This allows individuals to hear conversations within a room without their user profile being visible to other participants.
This eavesdropping capability stems from a direct connection established with Agora, the real-time audio communication service provider utilized by Clubhouse. Multiple security researchers have confirmed Clubhouse’s reliance on Agora’s technology.
Understanding the Technical Details
When a user enters a Clubhouse chatroom, a request is sent to Agora’s infrastructure, as discovered by the Stanford Internet Observatory. This request is initiated through the user’s device contacting Clubhouse’s application programming interface (API).
The API then generates “tokens,” short-lived credentials used for authentication, which open a communication channel for the audio stream.
A critical vulnerability arises from a potential disconnect between Clubhouse and Agora. Technology analyst Daniel Sinclair highlights that the Clubhouse side, responsible for user profile management, can become inactive while the Agora side, handling audio transmission, remains operational.
Consequently, users can continue to listen to a room’s conversation even without their profile being displayed to those present.
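The gap described in the two paragraphs above comes from two services that each make their own decision: the profile/presence side decides who is shown in the room, while the audio side only checks that a token is valid. The simulation below is an added illustration and is not Clubhouse’s or Agora’s code; the token format, the heartbeat timeout, and the session identifiers are assumptions. It models a naive relay that trusts any unexpired signed token, then a hardened relay that also asks the presence service whether the session behind the token is still live, and it folds in Wong’s one-room-at-a-time suggestion by ending a user’s other sessions on join.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed demo key; a real deployment would use a managed secret.
SIGNING_KEY = b"demo-room-server-key"


class Clock:
    """Manually advanced clock so the demo is deterministic."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def _sign(payload: str) -> str:
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class MediaToken:
    user: str
    room: str
    session: str      # binds the token to one presence session (assumed field)
    expires: float
    sig: str

    def payload(self) -> str:
        return f"{self.user}|{self.room}|{self.session}|{self.expires}"


class RoomServer:
    """Stands in for the profile/presence side (the 'Clubhouse side' in the text)."""
    HEARTBEAT_TIMEOUT = 10.0  # assumed: presence dies if the client goes quiet

    def __init__(self, clock: Clock):
        self.clock = clock
        self.sessions = {}  # session id -> (user, room, last heartbeat time)

    def join(self, user: str, room: str, ttl: float = 30.0) -> MediaToken:
        # One room per user at a time: end any other session this user holds.
        for sid, (u, _, _) in list(self.sessions.items()):
            if u == user:
                self.leave(sid)
        sid = secrets.token_hex(8)
        self.sessions[sid] = (user, room, self.clock.now())
        expires = self.clock.now() + ttl
        unsigned = MediaToken(user, room, sid, expires, "")
        return MediaToken(user, room, sid, expires, _sign(unsigned.payload()))

    def heartbeat(self, sid: str) -> None:
        if sid in self.sessions:
            u, r, _ = self.sessions[sid]
            self.sessions[sid] = (u, r, self.clock.now())

    def leave(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def visible_listeners(self, room: str):
        return sorted(u for (u, r, _) in self.sessions.values() if r == room)

    def session_active(self, sid: str) -> bool:
        entry = self.sessions.get(sid)
        if entry is None:
            return False
        return self.clock.now() - entry[2] <= self.HEARTBEAT_TIMEOUT


class MediaRelay:
    """Stands in for the audio side. Naive mode trusts any unexpired, correctly
    signed token; hardened mode also requires the presence session to be live."""
    def __init__(self, clock: Clock, room_server: RoomServer, hardened: bool):
        self.clock = clock
        self.room_server = room_server
        self.hardened = hardened

    def deliver_audio(self, token: MediaToken) -> bool:
        if not hmac.compare_digest(_sign(token.payload()), token.sig):
            return False
        if self.clock.now() > token.expires:
            return False
        if self.hardened and not self.room_server.session_active(token.session):
            return False
        return True


def ghost_listener_demo(hardened: bool):
    """Alice joins, her profile leaves the room, she keeps the old token.
    Returns (alice still visible in room?, audio still delivered?)."""
    clock = Clock()
    rooms = RoomServer(clock)
    relay = MediaRelay(clock, rooms, hardened)
    tok = rooms.join("alice", "room-1")
    rooms.leave(tok.session)      # presence gone: nobody sees Alice any more
    clock.advance(5)
    return ("alice" in rooms.visible_listeners("room-1"), relay.deliver_audio(tok))


def stale_session_demo(hardened: bool) -> bool:
    """Client stops heartbeating (presence side inactive) but token not yet expired."""
    clock = Clock()
    rooms = RoomServer(clock)
    relay = MediaRelay(clock, rooms, hardened)
    tok = rooms.join("bob", "room-1")
    clock.advance(15)              # past the heartbeat timeout, inside token ttl
    return relay.deliver_audio(tok)


def one_room_demo():
    """Hardened relay: joining a second room invalidates the first room's token."""
    clock = Clock()
    rooms = RoomServer(clock)
    relay = MediaRelay(clock, rooms, hardened=True)
    first = rooms.join("carol", "room-1")
    second = rooms.join("carol", "room-2")
    return (relay.deliver_audio(first), relay.deliver_audio(second))
```

In the naive configuration `ghost_listener_demo` returns `(False, True)`: the listener is invisible yet still receives audio, which is exactly the condition the text describes. The hardened relay returns `(False, False)`, because the audio side now treats the presence session, not just the token signature and expiry, as the authority for whether someone belongs in the room.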
Data Security and Chinese Cybersecurity Law
The partnership with Agora has also raised concerns regarding data security. Agora, with operations in both the U.S. and China, has disclosed in its IPO prospectus that data may be subject to China’s cybersecurity law.
This law mandates that network operators within China assist in police investigations. The Stanford Internet Observatory notes that the applicability of this law depends on whether Clubhouse stores user data within China.
Access from China and VPN Usage
Despite the Clubhouse API being blocked in China, the Agora API remains accessible. TechCrunch’s testing reveals that while a VPN is currently required to join a room – a measure implemented by Clubhouse – users can listen to the conversation facilitated by Agora without the VPN enabled.
This presents a challenge for users in China, given the official stance that the app should not be available. It’s important to remember that the app was not available on the Chinese App Store even prior to the ban, necessitating workarounds for Chinese users to download it.
Implications for Clubhouse's Future
The Clubhouse team is currently addressing numerous data-related inquiries. However, these early findings from researchers and security experts may accelerate the process of fixing these vulnerabilities.
Addressing these issues is crucial for Clubhouse to expand beyond its current user base and maintain its $1 billion valuation.
This story was updated on February 23, 2020, to include comments from Clubhouse and industry experts.