Reolink offers surveillance cameras for various tasks. The Reolink app for Android is available for accessing the cameras. However, the latest app versions come with three Chinese trackers, which were quietly integrated in October 2024.
Reolink surveillance cameras
The company Reolink offers a whole range of surveillance cameras for the home and property sector and is also represented on the German market (directly and via platforms such as Amazon or retailers).
Founded in 2009, Reolink claims to be an innovative market leader in the field of intelligent visual technology for the home. According to the company's website, its mission is to lead home security into the future with groundbreaking, reliable and customer-oriented solutions.
The company is Chinese-owned and based in Hong Kong, according to the legal notice on its website. Outside of China, Reolink has its own website but also sells its products through distributors.
The Reolink Android app
The company offers software and apps to access the security and surveillance cameras. There is a Reolink app for Android, which has been downloaded over a million times from the Google Play Store.
In the app description, the Reolink app is advertised as an easy-to-use "security camera system monitoring app". The app allows users to access cameras and recording devices (NVR) locally or remotely from mobile devices. Users can watch live streams of the monitored sites anywhere and at any time. If I understand correctly, the app stores the video images from the cameras in the Reolink cloud.
The app comes with Chinese trackers
A blog reader pointed me to a new discussion about the Reolink Android app in a private message on Facebook (thanks for that). For two days there has been a thread "Reolink Android App now includes 3 chinese trackers" on reddit.com about the Reolink Android app, which now includes three Chinese trackers.
The thread starter wonders whether any of the app users have noticed that version 4.50.0.4 of the Reolink Android app, which has been rolled out since October 24, 2024, comes with three Chinese trackers. Reolink has quietly integrated these into its Android app.
The thread creator refers to the analysis by Exodus, which found signatures from the following trackers in the code of the Android app.
Regarding WeChat Location, it is said that this service is affiliated with Tencent and the Chinese government.
The thread starter on reddit.com justifiably asks why the Reolink Android app has to use three Chinese location services if the security or surveillance camera is operated outside China.
But the story goes even further, because the app requests new Android permissions that are quite something. These include permissions such as READ_PHONE_STATE (read phone status and identity), READ_PRIVILEGED_PHONE_STATE, and RECEIVE_BOOT_COMPLETED. DOWNLOAD_WITHOUT_NOTIFICATION, RECORD_AUDIO and ACCESS_FINE_LOCATION don't sound harmless either.
The full list of 38 permissions can be viewed on the Exodus analysis page. The Exodus history shows that originally only Google Analytics was detected as a tracker and fewer permissions were requested.
Why does the Reolink Android app need these permissions? Some are probably related to app functions: for example, the app owner can communicate with doorbell cameras via smartphone and talk to the visitor at the door.
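One check a reviewer can run on every update is to diff the permissions declared in the app's manifest against the previous build and sort the additions by Android protection level. The script below is an added example for this article, not code from the article or from Reolink: it parses decoded AndroidManifest.xml text (the form apktool or aapt2 produces) and reports what a new build requests that the old one did not. The two manifests embedded in it are constructed; the permissions added in the "new" one are the names the article lists, while the package name and the older build's permission set are made up for illustration.

```python
"""Audit which Android permissions a new app build adds over an old one.

Added example for this article, not code from the article or from Reolink.
It parses decoded AndroidManifest.xml text, diffs the <uses-permission>
entries of two builds and groups the additions by Android protection level,
so a reviewer sees at once which new requests need an explanation.
The two manifests are constructed: the permissions added in the "new" build
are the ones the article names; the package name and the rest are made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Protection levels as documented in the Android permission reference.
# "normal" is granted at install, "dangerous" needs a runtime prompt, and
# "signature|privileged" can never be granted to an ordinary Play Store app.
PROTECTION_LEVEL = {
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.RECEIVE_BOOT_COMPLETED": "normal",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "normal",
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.RECORD_AUDIO": "dangerous",
    "android.permission.ACCESS_COARSE_LOCATION": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.READ_PRIVILEGED_PHONE_STATE": "signature|privileged",
}

# Constructed manifest of the older build (only what the example needs).
OLD_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cameraviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

# Constructed manifest of the newer build, with the permissions the article names.
NEW_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cameraviewer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.READ_PRIVILEGED_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests.

    Both <uses-permission> and <uses-permission-sdk-23> count; the latter is
    how apps request a permission only on API 23+ devices.
    """
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(NAME_ATTR)
            if name:
                perms.add(name)
    return perms


def protection_level(permission):
    """Look up the protection level; unknown (often vendor) permissions are flagged."""
    return PROTECTION_LEVEL.get(permission, "unknown")


def audit(old_xml, new_xml):
    """Diff two manifests and group the added permissions by protection level."""
    old, new = requested_permissions(old_xml), requested_permissions(new_xml)
    added = sorted(new - old)
    by_level = {}
    for perm in added:
        by_level.setdefault(protection_level(perm), []).append(perm)
    return {"added": added, "removed": sorted(old - new), "by_level": by_level}


if __name__ == "__main__":
    report = audit(OLD_MANIFEST, NEW_MANIFEST)
    print("%d permission(s) added, %d removed" % (len(report["added"]), len(report["removed"])))
    # Review the riskiest classes first.
    for level in ("signature|privileged", "dangerous", "unknown", "normal"):
        for perm in report["by_level"].get(level, []):
            print("  [%s] %s" % (level, perm))
```

Run against the constructed manifests it reports six additions, with READ_PRIVILEGED_PHONE_STATE singled out as a signature-level permission that a third-party app cannot be granted at all; on a real APK you would feed it the manifest decoded from each version you keep in your archive.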
But in my opinion, the thread starter is right to ask whether the Reolink Android app not only tracks intruders at the monitored sites, but also tracks the app user. Does anyone in the readership use the Reolink cameras and the Reolink software? If so, how do you secure them in a corporate environment? Is there alternative software for capturing the video signals from the cameras and recording them locally?
Raising suspicions or accusing Chinese companies of malicious behavior without any evidence has become a risk-free sport in Europe and North America. Before raising suspicions or accusations, it would be a good idea to first question the company in question about why these trackers exist and what their function is. The Exodus report states: "This report lists trackers signatures found by static analysis in this APK. This is not a proof of activity of these trackers."
For those concerned, I recommend installing the DuckDuckGo Privacy Browser for Android. It does a pretty good job in blocking 3rd-party trackers embedded in mobile applications even when you're not using them. It does that by blocking tracking requests that occur over HTTPS.
It's rather simple and has nothing to do with "accusation sport": there has been a finding and an explanation of what has been observed. It's not my job to ask Reolink whether they are using this or not (they can answer "we don't use it" and switch it on any time – if it's not used, there is no reason to incorporate a framework!).
It's the obligation of Reolink to be transparent and explain "we are using this tracker and this permission, because …". And it's the task of Reolink users to make sure that they are not being tracked – my job as a blogger is to point out "somebody found this and that".
Side note: in a business environment, data protection rules are also relevant in case you use such equipment and apps.
Concerning your DuckDuckGo Privacy Browser proposal: first of all, thanks for the hint. But for all readers, I strongly recommend having a detailed look at the DuckDuckGo Privacy Browser. It's not a foolproof thing – from their description:
From a security perspective, I would call it a kind of snake oil – maybe it helps, maybe it doesn't. So to bring things to a conclusion: the above article shows that there is something. It's Reolink's obligation to become transparent – and it's up to users whether they use that or not. My German readers came back with more solid feedback. They told me that they are using the hardware and isolate the software from the Internet. Some mentioned that in newer versions of the firmware the connection to the cloud needs to be established once to activate local PVR, and then any cloud connection can be abandoned.
It seems that some people in Europe take data privacy and security more seriously than other users around the world, who are willing to run their environment with secret surveillance features. So don't blame the messenger. Just to mention.
Reolink cameras offer the ability to leverage the Real Time Streaming Protocol (RTSP), which does allow Reolink cameras to be used without the need to use their Reolink app on your phone (see: https://support.reolink.com/hc/en-us/articles/900000630706-Introduction-to-RTSP/).
By leveraging RTSP, one can configure the Reolink camera to communicate directly with an NVR on their personal network to view/record video and block all internet traffic at the firewall level for the camera. This configuration ensures that the camera can ONLY communicate with the local NVR and nothing else. This is how I have all my personal cameras at home configured (regardless of brand).
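The firewall side of the setup described in this comment, written out as an nftables ruleset for a Linux router that routes between a camera VLAN and the rest of the home network. This is an added example and not configuration from the commenter, the article or Reolink; the addresses, the set name and the VLAN layout are constructed, and the NVR is assumed to pull RTSP over TCP (interleaved transport) so that conntrack sees the media as part of the session the NVR opened.

```nftables
# Added example, not from the article or from Reolink. Addresses are constructed:
# cameras live in 192.168.10.0/24, the NVR is 192.168.20.5. Load on the router
# with: nft -f camera-isolation.nft
table inet camera_isolation {
    set cameras {
        type ipv4_addr
        elements = { 192.168.10.20, 192.168.10.21 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Replies inside sessions the NVR opened (RTSP control plus the media
        # when transported interleaved over the same TCP connection) may pass.
        # With RTP over UDP the camera sends from fresh ports that conntrack
        # cannot relate, so configure the NVR for TCP transport.
        ct state established,related accept

        # The NVR may open RTSP (554) to the cameras. 80/443 are here only for
        # the one-time web UI access needed to turn RTSP/HTTP on, as newer
        # firmware ships with it disabled; drop them from the set afterwards.
        ip saddr 192.168.20.5 ip daddr @cameras tcp dport { 80, 443, 554 } accept

        # Nothing else reaches the cameras, and the cameras initiate nothing:
        # no cloud registration, no P2P relay, no firmware check, no DNS.
        # The counters let you watch the cameras' attempts in "nft list ruleset".
        ip daddr @cameras counter drop
        ip saddr @cameras counter drop
    }
}
```

The two drop rules at the end are the point of the exercise: a camera that cannot reach the Internet cannot talk to a cloud service regardless of what its firmware or the phone app would like to do, and the counters give you a simple way to see how often it tries.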
That's the way it should be handled. Can judge it, but a German user commented here that the factory settings now have HTTP access to the camera disabled. So users are forced to use the app once to enable HTTP access again.
I don't consider the DuckDuckGo app to be a deceptive or misleading product (= snake oil). The company is very explicit and transparent, explaining what the application can and cannot do. I have the app installed on my mobile and, for example, in the past hour it has blocked 36 tracking attempts in my GMX Mail app. Google was the tracker, collecting 36 items of information.
I don't talk about transparency, I just looked at the facts. Although DuckDuckGo does a good job and tries to block trackers, it's simply technically not possible to be 100 % successful. That's my classification of snake oil – the same as antivirus software claiming to secure systems.
Some German blog readers told me they are using a Raspberry Pi in their networks to isolate Reolink cameras from the Internet and connecting home – and avoid the apps. That's a fundamentally different approach that might work. Anyway, I'm just pointing things out – the decision has to be made by users …
That's why I connected the cameras to a Synology NAS in a separate LAN.
Hardware from Reolink is fine for the price, but I try to avoid Chinese apps.