This page analyzes the security and privacy implications of the Huepar app based on APK decompilation and protocol analysis.
| Risk Level | Category |
|---|---|
| MODERATE-HIGH | Overall Privacy Risk |
| HIGH | Google Sign-In Users |
| LOW | Offline-Only Users |
The app requests the most permissive Google Drive OAuth scope:
```javascript
scopes: ['https://www.googleapis.com/auth/drive'] // FULL access!
```
| Scope | Access Level | Used by Huepar |
|---|---|---|
| drive.appdata | Hidden app folder only | No |
| drive.file | Only files created by app | No |
| drive.readonly | Read-only access | No |
| drive | Full read/write/delete | Yes |
After extensive analysis of the decompiled APK:
- No Google Drive API calls exist in the code
- No backup/restore features using Drive
- No file sync functionality
- The OAuth token is sent to Huepar’s backend server
```text
┌─────────────┐      OAuth Token       ┌─────────────┐
│    Your     │  (with Drive scope)    │   Huepar    │
│    Phone    │ ───────────────────►   │   Backend   │
└─────────────┘                        └─────────────┘
```
The Huepar backend receives a token that could be used to:
- Read any file in your Google Drive
- Download your personal documents
- Modify or delete files
- Access shared files and folders
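As an added example (not part of the original analysis), the least-privilege check the scope table above implies: given the scopes an app requests and what the decompiled code actually does with Drive, it reports whether a narrower scope would suffice. The evidence keys and capability labels are this example's own shorthand; the requested scope string is the one found in the bundle.

```python
from typing import Dict, List, Optional, Set, Tuple

GOOGLE_AUTH = "https://www.googleapis.com/auth/"

# Drive scopes, least to most privileged; capability labels are this example's shorthand.
DRIVE_SCOPES: Dict[str, Set[str]] = {
    "drive.appdata": {"app_folder"},
    "drive.file": {"app_folder", "own_files"},
    "drive.readonly": {"read_all"},
    "drive": {"app_folder", "own_files", "read_all", "write_all", "delete_all"},
}

def needed_capabilities(evidence: Dict[str, bool]) -> Set[str]:
    """Map static-analysis evidence (constructed keys: drive_api_calls,
    reads_user_files, modifies_user_files) to the Drive access it justifies."""
    caps: Set[str] = set()
    if evidence.get("drive_api_calls"):
        caps.add("own_files")
    if evidence.get("reads_user_files"):
        caps.add("read_all")
    if evidence.get("modifies_user_files"):
        caps.update({"write_all", "delete_all"})
    return caps

def minimal_scope(caps: Set[str]) -> Optional[str]:
    """Smallest Drive scope whose grant covers every needed capability."""
    for name, granted in DRIVE_SCOPES.items():  # dict order: least privileged first
        if caps <= granted:
            return name
    return None

def audit_scopes(requested: List[str], evidence: Dict[str, bool]) -> List[Tuple[str, str, str]]:
    """Return (scope, severity, message) for Drive scopes broader than the evidence supports."""
    needed = needed_capabilities(evidence)
    findings = []
    for url in requested:
        name = url[len(GOOGLE_AUTH):] if url.startswith(GOOGLE_AUTH) else url
        if name not in DRIVE_SCOPES:
            continue  # openid/email/profile etc. are not Drive scopes
        if not needed:
            findings.append((name, "HIGH", "Drive scope requested but no Drive usage found; remove it"))
        else:
            smallest = minimal_scope(needed)
            if smallest != name and DRIVE_SCOPES[smallest] < DRIVE_SCOPES[name]:
                findings.append((name, "MEDIUM", f"over-privileged; {smallest} suffices"))
    return findings

# Scope string from the decompiled bundle; evidence flags mirror the findings above.
HUEPAR_REQUESTED = ["https://www.googleapis.com/auth/drive"]
HUEPAR_EVIDENCE = {"drive_api_calls": False, "reads_user_files": False, "modifies_user_files": False}
```

Running `audit_scopes(HUEPAR_REQUESTED, HUEPAR_EVIDENCE)` yields a single HIGH finding for `drive`; with evidence of app-created files only, the same request is downgraded to "over-privileged; drive.file suffices".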
If you’ve used Google Sign-In with this app:
- Go to Google Account Permissions
- Find “Huepar” or apps with client ID 218951563723-*
- Click Remove Access
- The app still works - use email/password login instead
| Aspect | Assessment |
|---|---|
| No pairing required | Reduces attack surface |
| Local-only BLE | Data stays on device |
| Simple protocol | Less room for bugs |
| Issue | Risk | Details |
|---|---|---|
| No encryption | Medium | BLE data transmitted in plaintext |
| No authentication | Medium | Anyone in range can send commands |
| MAC in device name | Low | Device name contains last 4 digits of MAC |
| Service | Location | Purpose |
|---|---|---|
| app.huepar.com | Unknown | User accounts, API |
| Tencent Cloud (qcloudCos) | China | Avatar images, post attachments |
Based on React Native modules in the APK:
| Data Type | When Collected |
|---|---|
| Battery level | Device connection |
| Device brand/model | App launch |
| Network state | App launch |
| BLE device MAC | Device connection |
| Permission | Purpose | Risk |
|---|---|---|
| BLUETOOTH_* | Device control | Low |
| ACCESS_FINE_LOCATION | BLE scanning (Android 12+) | Medium |
| CAMERA | Camera measurement mode | Medium |
| RECORD_AUDIO | Voice commands | Medium |
| READ_PHONE_STATE | Device identification | Medium |
| Service | Purpose | Privacy Impact |
|---|---|---|
| Google Sign-In | Auth | HIGH: Full Drive access |
| Apple Sign-In | Auth | LOW: Standard scope |
| Tencent Cloud | Storage | MEDIUM: China-based |
| Google Translate | UI strings | LOW: Minor |
- Use offline mode - Measurement works without network
- Skip account creation - Use “temporary” mode
- Disable network - Turn off WiFi/data when using app
- Revoke Google access - If you ever used Google Sign-In
- Use Apple Sign-In - Standard permissions only
- Use email/password - Avoid OAuth entirely
- Don’t use social features - Forum posts are stored on Tencent
- Power off when not in use - Device is always discoverable
- Use in private spaces - Anyone nearby can interact with device
This analysis was performed by:
- APK Decompilation - Hermes bytecode → readable JavaScript
- Static Analysis - Searching for API calls, OAuth scopes, URLs
- Live Testing - Capturing actual BLE and network traffic
- API Probing - Testing backend endpoints
| File | Size | Contents |
|---|---|---|
| huepar_decompiled.js | 37 MB | React Native bundle |
| AndroidManifest.xml | 6 KB | Permissions, activities |
| btsnoop captures | ~50 KB | BLE packet traces |