A version of this story was published at Ulyces.co.
In Jane Manchun Wong’s Hong Kong apartment, the Skype tone rings. “Oh, excuse me, that’s me,” she says into the phone. The young woman is so used to opening a series of apps as soon as she has a moment of free time that they sometimes open on their own. It’s 6:30 pm on 15 November, and she hasn’t finished using the software. “Sometimes I turn off the screen and explore the city without a phone,” the introvert says. “I buy something to eat, I take pictures. I like that too. If the weather isn’t too bad, I’ll even take a hike.”
Of course, Jane Wong doesn’t have almost 12,000 Twitter followers for her photographic or gastronomic advice. It’s because she tracks and exposes bugs, malfunctions and other flaws in mobile apps, particularly those that put users’ personal information at risk. A student at the University of Massachusetts Dartmouth, she’s taken a sabbatical year to see family and relax. From Hong Kong, she teaches architecture classes online part time, and with the rest of her days she deftly explores the code of the biggest applications. At 23 years old, she already has more than 17 years of experience.
How do you get inside these applications?
It’s through what’s called reverse engineering. To identify a bug, you have to figure out what’s behind the scenes. The best way to do that is to deconstruct the app’s structure in such a way that you can recreate it yourself. That lets you analyze it and identify its weaknesses. Once you know the infrastructure, you just have to figure out how to improve it. Personally, I design my own tools. It’s more work, but I know more about the overall operation.
What got you interested in this kind of complex engineering?
It comes from a passion for computers. I was born in Hong Kong to a pretty normal family. My mother manages a boutique and my father is an electrical engineer. He had a computer in the house. The Internet was amazing to me because it could connect me with anyone in the world, thousands of kilometers away in a matter of seconds. Except my father put a password on Internet Explorer to prevent me from surfing freely when I was a kid. So when I was six, I went to the library and borrowed a CD with Firefox to install at the house. Seeing that I now had free access to the web, my father protected Windows with a password. So I installed Linux. This time, he put the password on the computer, which pushed me to reset it by removing and replacing the battery. Eventually he gave up and let me do what I wanted.
Would you call that an early vocation?
Either way, it’s what I loved to do early on. I was one of those mischievous kids who tamper with the code in Internet minigames to get impossible scores. It wasn’t just the idea of being connected with what others were doing far away without even moving that attracted me, but also the possibility that I could do anything with this software. So I loved taking computing classes, and I soon imagined it as a career. My maternal grandmother wanted me to become a doctor, because she’d worked in the medical industry. But once my father finally gave up control of the computer, they all supported me.
At what point did it become serious?
I never thought for a moment that companies would consider my hobby as something important. At first, I tinkered with websites for fun. For example, I made it so that I won a typing contest in 0.00001 seconds. One day, I wondered if my approach would translate to apps. So I set out to uncover their vulnerabilities, which got me into a bit of trouble. That was almost a bad idea. But once I saw the bug chaser Philippe Harewood at work, I realized it was possible to expose flaws without putting myself in danger. I just had to follow the same protocol.
That’s how I started reverse engineering. I like uncovering what companies want to hide in the apps they want me to download. They put a lot of effort into preventing people like me from reverse engineering. Those efforts give me the motivation to prove that these apps can always be decrypted and that there’s always something they’re trying to hide.
Is that difficult?
Sometimes, yes. I can spend six to 18 hours a day working. I do that making sure I have enough free time to recover from the mental fatigue it causes. When I finally do succeed, dopamine explodes through my body. I jump up from my seat and scream with joy. Then I tweet and have sweet dreams.
When did you start using Twitter?
It was in May. Before that I published in a Facebook group, which interested a lot of people but not as much as on Twitter. Also, my messages there were posted as screenshots. At one point, I decided I could do it myself and that would allow me to join the discussions. I like Twitter because it’s fast and the messages can’t be edited. My content gets more credibility without much effort. Plus, journalists hang out on Twitter. All they have to do is like me, retweet me, and include one of my writings in an article.
You have a certain interest in Twitter, don’t you?
Yes, but in terms of scale and hidden technology, Facebook is much more interesting. It’s the app with the most going on behind the scenes that I’ve ever seen. There are so many lines of code left behind. The fact that they’re able to manage it and make it accessible to millions of users worldwide is fascinating. Especially since they’re constantly adding new pieces to this massive puzzle. Obviously I’m interested in new features. The first time the press talked to me was in October 2017, when I mentioned the resume section Facebook was envisioning. Matt Navarra, the journalist from The Next Web, shared my message.
How are you able to be the first one to discover these kinds of things?
Maybe other people operate using sources that are company insiders, but personally I get most of my information directly from the application itself. During the final development step for a feature, companies like Facebook have it tested by employees or by a small sample of people. That’s called the A/B test. The code for these features that aren’t yet activated is often embedded somewhere else in the app’s code. When you install an update, it can be accompanied by several pending features. That’s why tech giants are so vague about what’s included in updates. For my part, I try to find out what they’re installing on my phone because it’s my phone.
Which discovery are you most proud of?
In 2017, Facebook gave its users a questionnaire called “Did you know?” Some of the questions were really strange, to the point where you might wonder where they came from. And I figured out who was behind it. It wasn’t Facebook employees, but rather hackers. I alerted Mark Zuckerberg’s company, and his team paid me for that. I’m proud of that because I made the platform a bit more secure. My goal is not to get scoops, it’s to improve security.
It’s impossible to design perfect software. I always warn companies when I find a bug or a flaw. Nowadays, they have protocols for that. They compensate or credit those who find them. But I’m not making a living from that. I know that their reactions are mitigated although I have no agenda against them. You can consider me a big fan of their apps, so much so that I reverse engineer them in order to make them as good as possible. Besides, I don’t do this as a job, and I’ve never found myself in an open conflict.
What are your limits?
I’d like to explore banking apps, but I wouldn’t dare. I’d be happy to report bugs if it weren’t so risky.
Do you work with a team?
No, I do this on my own, but little by little I’ve developed a method. Before, I often lost track of new updates and features. I didn’t organize my files or my time. Now that I do, I can compare different versions of apps.
Do you ever get job offers?
Yeah, that happened particularly when I was in Milwaukee, but I’m still a student. On the job market, there is certainly a big demand for information security, or for cybersecurity. Technology has always fascinated me in its capacity to transform people’s lives, so I’d love to be able to work in that industry. I would like to join Facebook or any of the companies I grew up with.