Left: APK file of the app “Mobile User Identification.” Center: The app will request permission to send messages after installation. Right: Other apps, such as e-payment solutions, demand mobile user identification numbers during subscription. (Daily NK)

Daily NK has obtained both the original and upgraded versions of an app North Korea uses to identify mobile phone users. A comparison of the two versions shows that the app transformed from a basic data collection module into a comprehensive surveillance platform that permanently monitors smartphones.

The core function of the app “Mobile User Identification,” obtained by Daily NK, is to issue and verify individual “digital numbers” that the state manages for every smartphone user and device.

This isn’t an ordinary app that users download and install themselves. The app remains hidden—it doesn’t even appear in the app folder—and quietly activates when other service apps, such as games or e-payment platforms, require subscriptions or verifications. The app works similarly to how financial apps in South Korea require users to verify their identities using digital certificates or mobile phone verification.

After verification, the server assigns a 10-digit caller ID, or CID, to the user and device. Once issued, this number becomes a permanent “digital citizen ID number” linked to the user’s personal data, SIM card International Mobile Subscriber Identity (IMSI), and device International Mobile Equipment Identity (IMEI).

When users later subscribe to other apps, such as the Samhung Wallet, they must enter the CID, giving the state the technical foundation to comprehensively track and manage the user’s personal activity across all digital services.

From simple module to surveillance platform

Daily NK obtained versions 1.0 and 1.0.2 of the app—the first digit indicates the major release, the second the minor release, and the third a patch. While the jump from version 1.0 to 1.0.2 might suggest minor improvements, analysis revealed substantial changes that fundamentally altered the app’s identity.

Version 1.0 didn’t require any internet access permissions. It used only SMS communication functions in a simple and discreet manner. When users needed verification, the app collected and encrypted the device’s unique IMSI and other key data, then sent it in “data SMS” format—invisible to the user—to North Korea’s specific server number (+8501950003). The amount of data that could be transferred was limited, creating clear restrictions for transmitting complex information in real-time.

However, version 1.0.2 underwent dramatic changes—so significant that it can now be called a “platform.” The most important change is that it adopted the internet as its primary communication channel. Here, “internet” refers to North Korea’s closed national intranet: the “internet access permission” requested by the app is for accessing that network, not for connecting to the global internet.

Expanded permissions and capabilities

Version 1.0.2 requests several concerning permissions:

INTERNET: The primary channel for exchanging data with servers. This represents the biggest change from version 1.0, which required no such permissions.

READ_PHONE_STATE: Enables user identification by reading the smartphone’s unique ID numbers, such as the IMSI.

RECEIVE_BOOT_COMPLETED: Allows continuous surveillance by automatically launching the app whenever the phone is turned on.

WRITE_EXTERNAL_STORAGE: Permission to read or write files on the device, suggesting the ability to extract data or download additional files.

SEND_SMS / RECEIVE_SMS: Backup communication channel when internet communication isn’t possible.
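The version-to-version comparison described above can be reproduced for any pair of decoded AndroidManifest.xml files. The following is an added example, not code from the app or from Daily NK's analysis: both manifests are constructed, the package name is a placeholder, and the version 1.0 permission set is an assumption inferred from the article's description (SMS only, reads the IMSI).

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
PREFIX = "android.permission."
# Capability labels paraphrase the article's description of each permission.
CAPABILITY = {
    "INTERNET": "network channel", "READ_PHONE_STATE": "device/SIM identifiers",
    "RECEIVE_BOOT_COMPLETED": "start at boot", "WRITE_EXTERNAL_STORAGE": "file read/write",
    "SEND_SMS": "SMS channel", "RECEIVE_SMS": "SMS channel",
}
# Combinations worth a reviewer's attention when they first appear in an update.
RULES = [
    ("starts at boot", {"RECEIVE_BOOT_COMPLETED"}),
    ("network plus file access", {"INTERNET", "WRITE_EXTERNAL_STORAGE"}),
]

def manifest(perms):
    """Build a constructed, decoded AndroidManifest.xml (placeholder package)."""
    rows = "".join(f'<uses-permission android:name="{PREFIX}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="example.placeholder">{rows}</manifest>')

# V1_0 is an assumption inferred from the article; V1_0_2 is the list it gives.
V1_0 = manifest(["SEND_SMS", "READ_PHONE_STATE"])
V1_0_2 = manifest(["INTERNET", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED",
                   "WRITE_EXTERNAL_STORAGE", "SEND_SMS", "RECEIVE_SMS"])

def permissions(manifest_xml):
    """Return the set of requested permissions, without the android prefix."""
    names = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = el.get(NAME, "")
            names.add(name[len(PREFIX):] if name.startswith(PREFIX) else name)
    return names

def compare(old_xml, new_xml):
    """Diff two manifests: added/removed permissions, new capabilities, flags."""
    old, new = permissions(old_xml), permissions(new_xml)
    had = {CAPABILITY.get(p) for p in old}  # capabilities the old version already had
    added = sorted(new - old)
    return {
        "added": added,
        "removed": sorted(old - new),
        "new_capabilities": sorted({CAPABILITY.get(p, p) for p in added} - had),
        "flags": [label for label, need in RULES if need <= new and not need <= old],
    }
```

Under these assumptions, RECEIVE_SMS shows up as an added permission but not as a new capability, because the SMS channel already existed in the older version.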

Analysis of the obfuscated internal code revealed that the app uses “ryomyong.com” as its API endpoint for communication. This not only provides intranet access but also strictly controls communications: the app is designed to communicate securely only with authorized servers, using a public key infrastructure (PKI) that trusts only private certificates issued by the state.

Always-on surveillance

The updated app now runs constantly, representing a complete transformation in its nature. The app automatically launches whenever the phone is turned on and requests permission to read and write files stored on the device. Essentially, the function extends far beyond verification and can potentially spy on the phone, accessing files while permanently residing on the device.

The updated version is no longer a passive “module” that runs only when external services need it, but an active “surveillance platform” embedded on the device that carries out its own objectives.

The updated version demonstrates North Korean authorities’ goals to comprehensively manage all digital activity by citizens using “digital IDs” issued by a central server. This can be seen as building robust infrastructure for digital population control.

Version comparison

| Feature | Version 1.0 (Simple Module) | Version 1.0.2 (Surveillance Platform) |
| --- | --- | --- |
| Core Goals | Issue single-use device registrations and CIDs | Continuously manage IDs and verifications |
| Execution | Passively runs when called by external apps | Automatically starts at boot and runs in background |
| Communication | Exclusively uses SMS (discreet, low bandwidth) | Primarily internet with SMS fallback (high functionality) |
| Security | Basic data hash (SHA256) | Independent PKI, native code, and AES encryption |
| Data Access | IMSI and basic personal data | ICCID support and file system access |
| Dependencies | Standard Android library | Standard library and native library |
| Server Endpoint | Phone number (+8501950003) | https://www.ryomyong.com/?page=cid.gen&action=reg&cert=p12&data= |