Malicious activity of closed-source xray clients?

[gfw-killer]

Hello everyone. Have a good day.

As Happ client is officially promoted by official Xray-core repo and tg channel
I thought it's good to share latest news about this and other closed-source xray client made by unknown developers

In a telegram group, a developer of Happ named Apollo, said Happ sends proxy subscriptions of users to it's remote server!
But after ~30 minutes he removed his messages

Users was in shock, as Happ clients are closed source and their developers are unknown
some users was worry if they run some malware like info-stealer/rat/ransomware/etc. in their desktop devices
then dear @iambabyninja joined and said it's just a normal request to enable push notification and if user choose not to enable the push notification at the first run of the app, then it will not send this request

then a user sniffed the latest android version of the app and found that no matter if user enable or disable push notifiation, almost every time that user runs the app, it will send the same notification to the server, and if user has any subscription, it will instantly reload the subscription, and then real-delay all proxy configs
some people said it could be a Hidden Alert to GFW, If a request sent to check.happ.su or other Happ domains from your IP, GFW knows you started the app right now, and if GFW capture all of your requests in the next 5 seconds, they will also have a list of your Subscription Domain, Proxy Domains and IPs

in this conversation @iambabyninja said if someone thinks Happ is not safe, just use another app, and he thinks it's not important if GFW find out that you use a Proxy! because they already have a lot of other ways to detect that you use a proxy!

Another Important point is that he said other closed-source apps also sends similar requests!
He said v2rayTun directly sends the subscription domain to their servers every time app start!
And he also proved Streisand app do it too!

* response of all of this requests are something like OK, no important data for the client

As personally i have no idea about this issue, i like to hear the opinion of dear @RPRX and other security experts

[gfw-killer]

A solution is to use ECH to connect to their servers, but if it's not banned by their local firewall yet.
If their server is protected by Cloudflare, GFW can't match it by IP too

[Fangliding]

Except for the ios platform, all other clients listed in the readme are open source and are required to be so. In this field, even if the developer has no malicious intent, it may still attract suspicion. The ios client is allowed to be closed source due to the apple app store. That's why I hate apple((

[HappDev]

Thanks for the tip about ECH. My team and I will discuss it tomorrow and try to implement it as soon as possible.
And regarding collecting subscriptions, I simply can't imagine why I continue to work diligently with my team, fixing bugs and collecting people's subscriptions. It's absurd. Our goal is to sell premium accounts that allow access to app functionality that no other VPN provider product on the market even comes close to.

[iambabyninja]

@gfw-killer

My dear friend, thanx you for your issue.
I would like to point out a few inaccuracies.

Just for understanding, this push-notification functionality in Happ was added specifically at the request of VPN sellers, and they needed it to provide better service.

Regarding the push notification service: as I mentioned, indeed, on other platforms disabling notifications prevents them from being sent; the same applies to Android > 15, and on older versions, there is a problem, as it turns out.
However, apparently due to translation errors, you didn’t quite understand: the push token is also sent, but nothing happens with the subscription.

Regarding my statement about proxies: using a proxy clearly reveals not just one request per day to the domain with the proxy backend, but a whole bunch of other things.
Yes, other programs also send information, including those not listed here. For example, OnexRay sends analytics to Firebase, just like many other apps.

Regarding open source code, my position remains unchanged:

“Make the project open source so I can copy it, tweak it a bit, and upload it to the store for money.”

Honestly, I don’t understand what opening the source code would achieve. I just know for a fact that there have been cases where an open‑source project existed in two versions:
• one clean version for the public,
• and another version for the store with a vulnerability

I’m only saying that if someone wants to hack you, you won’t even know — even if the project is open‑source.

What stops me from keeping a repository where everything looks fine, but including a dependency that contains a vulnerability?

For example, what would you do in cases like the XZ INCIDENT, which was open source? The fact that the source is open does not automatically guarantee safety.

Quite often, people push open‑source demands aggressively, but disconnecting from reality and shouting slogans is completely pointless. Someone is spending their time, resources, and taking risks to create this software, and then sharing it for free.

As for the claim that Xray promotes HAPP, that is not true. The link clearly says: SPONSORED. You are always free to choose what you consider necessary.
For example, the same is stated in the sing-box repository.

This is a bit different.

Overall, as I’ve shown above, having a backend for a software product is normal.
I spent my entire workday today replying to everyone in the group chat and explaining, for each app, what it sends and what it collects.
If you’re interested, you can read all 300 of my messages.
I covered this topic from A to Z, and I have nothing more to add.

[HappDev]

1. @gfw-killer, the person you mentioned is not and has never been part of the happ team, and therefore his statements cannot be attributed to our team.
2. We value our reputation as an open and secure product for both users and vendors.
   When adding Happ to the repository xray-core, we offered RPRX and the team access to our GitHub to prove the app's security. README.md: Add Happ to iOS clients Xray-core#4465 (comment) As @iambabyninja described above, we cannot open it to everyone because it is our commercial product. But we trust PRRX and can provide everything, including the backend.
3. Thank you for this issue, we will make our app even more secure.

[RPRX]

我看了 Project XHTTP 群内的相关讨论，但我尚不确定这个功能的原理和作用，有以下几点：

1. 该功能是否需要在无代理环境时直连服务器？若是，建议 CDN ECH + HTTP padding，若不是，再加上通过代理连接服务器
2. 应当详细说明该功能会发送哪些数据到服务器，以及从服务器接收哪些数据，作用是什么，避免别人乱猜
3. 似乎该功能是那些机场要求的，但可能有些用户就是不想启用该功能同时又不清楚怎么关闭，可以提供一个更加直观的选项

软件有后端服务器是正常的，只是代理软件需要处理得更谨慎一些，我们要向着“给用户提供更安全可靠的东西”这个目标不断努力

[HappDev]

1. We studied ECH in more detail and found that the iOS operating system prohibits its use. Therefore, sending data through an active VPN connection will be the most rational approach.

2. We transmit the device Hardware ID (HWID) and a token from Firebase or Apple APNs.

3. All of this is implemented for VPN providers. They can change the subscription URL or application settings for the user via a Push notification without user intervention/action.

[gfw-killer]

All of this is implemented for VPN providers.

What is your idea about not sending any data to anywhere, until user adds a subscription url that has a provider-id?
even for push notification, you can get the permission, but defer contacting APNs/FCM until user adds a subscription that has a provider-id

[gfw-killer]

And as an alternative to the ECH idea :
you can ask every provider to add a new DNS record to a domain of their own and point it to Happ server IP
enable CF protection or make a relay to not let GFW know client is connecting to Happ server
send the domain address along with their provider-id in headers of their subscription update to the client
then Happ can use that domain to connect to Happ server
to prevent possible abuse, you can use cryptography to validate that client is connecting to the real Happ server

[bI4ckb34rd]

3. All of this is implemented for VPN providers. They can change the subscription URL or application settings for the user via a Push notification without user intervention/action.

Since this feature is intended only for a specific group of users, it’s better to keep it disabled by default, and only enable it if the user explicitly turns it on, similar to allowInsecure.

[mehdifirefox]

ممنون از نکته‌ای که در مورد ECH گفتید. من و تیمم فردا در مورد آن صحبت خواهیم کرد و سعی می‌کنیم در اسرع وقت آن را اجرا کنیم. و در مورد جمع‌آوری اشتراک، اصلاً نمی‌توانم تصور کنم که چرا همچنان با پشتکار با تیمم کار می‌کنم، اشکالات را برطرف می‌کنم و اشتراک‌های مردم را جمع‌آوری می‌کنم. این مسخره است. هدف ما فروش حساب‌های پریمیوم است که امکان دسترسی به قابلیت‌های برنامه را فراهم می‌کنند، قابلیت‌هایی که هیچ محصول ارائه دهنده VPN دیگری در بازار حتی به آنها نزدیک هم نمی‌شود.

What features do you have that even other VPNs do not have close to you? I did not find anything at all.

I already installed your program once, there was a problem in the rules section, it did not receive the files, it gave an error, and I saw that there is nothing new, remove the worm.

[bI4ckb34rd]

What features do you have that even other VPNs do not have close to you? I did not find anything at all.

They offer many features that other clients don’t have. You can see these features here:
https://www.happ.su/main/dev-docs/app-management#id-rasshirennyifunkcional-opisanieparametrov

[mehdifirefox]

چه ویژگی‌هایی داری که حتی VPN های دیگه نزدیک به تو ندارن؟ من که چیزی پیدا نکردم.

آنها ویژگی‌های زیادی ارائه می‌دهند که سایر کلاینت‌ها ندارند. می‌توانید این ویژگی‌ها را اینجا مشاهده کنید: https://www.happ.su/main/dev-docs/app-management#id-rasshirennyifunkcional-opisanieparametrov

I did not see anything special.
But some functions should only be created by the server admin. It is not suitable for the user

I don't think any program can compete with these two
v2rayN / karing