157 points lladnar | 1 comments
dtquad ◴[] No.41863765[source]
The Chinese government has direct access to the WeChat backend so it's unlikely that these weaknesses were government mandated. Probably just the result of overworked 996 developers:

>The name 996.ICU refers to "Work by '996', sick in ICU", an ironic saying among Chinese developers, which means that by following the "996" work schedule, you are risking yourself getting into the ICU (Intensive Care Unit)

https://github.com/996icu/996.ICU

chvid ◴[] No.41867063[source]
Yes. The Chinese government likely has "front door" access rather than having to rely on capturing network traffic and exploiting some hidden weakness in a protocol.

But why are Chinese companies making their own security protocol / libraries rather than adopting "cryptographic best practices"? Do they actually think that common crypto libraries are flawed? Or is this a part of China's deep tech / self-sufficient efforts?

ganyu ◴[] No.41869526[source]
Most of those devs back in 2011 were rookies, and many still are now. It would've been lucky enough for them to have even heard of the word 'asymmetric encryption'. And you can still find many public APIs in the WeChat docs (in 2022) that use hand-written AES stuff that, unfortunately, uses ECB.

Back in those days when the CN internet infrastructure as we see today was laid down, devs and PMs literally didn't know for sure what they were doing, but they still worked overnight because the new features must be shipped before next weekend.

And since the services worked pretty well until today it's kinda better to keep the s__tpile there and not change it. Also there's a lot of unmaintained 'PWA's in the wild that rely on legacy APIs that you dare not to break.

chvid ◴[] No.41869920[source]
So they are just stupid, overworked and stuck with their own spaghetti?
1. ganyu ◴[] No.41879437[source]
I'd prefer the term 'less experienced' but yes.