Impossible to guard against! Mobile apps are doing "bad things" behind your back. CCTV has exposed SDK plug-ins in more than 50 apps stealing user information. Netizens: this must be strictly investigated

Even with technology as developed as it is today, our privacy still has nowhere to hide.

315 exposes thief plug-ins in more than 50 apps


Yesterday, the 315 Party, which arrived late because of the epidemic, exposed third-party SDK plug-ins in some mobile applications that steal user information. These illegal plug-ins can send away not only all of your text messages, but even online transaction verification codes.

According to the 315 Party report, in November 2019 the Shanghai Consumer Protection Commission commissioned a third-party company to test the SDK plug-ins in some mobile phone software, and several SDKs were found to have problems.

SDK is the abbreviation of Software Development Kit. Generally speaking, an SDK can provide Android development tools, advertising push, image recognition or mobile payment. With SDK plug-ins, app developers no longer need to build every feature themselves, which greatly shortens the product development cycle.

The technicians tested more than 50 mobile apps, which contained SDK plug-ins from Shanghai krypton Information Technology Co., Ltd. and Beijing Zhaocai Wangwang Information Technology Co., Ltd. The plug-ins of both companies were found to steal users' private information without the users' knowledge. More than 50 mobile apps were involved, including Gome e-card, The remote control, The strongest flashlight, All round remote control, 91 Fast buy, Recycle every day, Flash to, Radish mall and others.

According to the report, these two plug-ins read the device's IMEI, IMSI, operator information, phone number, SMS records, contact list, installed application list and sensor information.

Think that's the end of it? It gets scarier: after reading the data, the SDKs in these apps also quietly transfer it to a designated server for storage.

Terrifying when you think about it! It scared me into deleting all my text messages.

In addition, the inspectors pointed out:

"Although an SDK is just an ordinary plug-in, it is universal across all mobile apps, and a lot of mobile phone software may embed the same SDK. So once an SDK steals users' personal privacy, it will involve a great deal of mobile software."

In response, netizens exclaimed: "In the era of big data, we have no security to speak of."

From "5 mao" face recognition to apps stealing information without permission, how we should talk about our privacy and security has become a hotly debated topic.

How do SDK plug-ins steal user privacy?


As mentioned above, uninstalling apps is not a perfect solution, so people are more curious about how SDK plug-ins steal privacy.

Before answering that question, let's get to know what information SDK plug-ins collect.

According to the "Evaluation Report on the Collection and Use of Personal Information by Commonly Used Third-Party SDKs" (hereinafter "the Report") previously released by Nandu:

After testing 60 apps one by one for between 5 and 30 minutes each, the Report found that the information SDKs actually collect falls into five categories:

  • Mobile device information (identification codes such as IMEI and IMSI);

  • Network information (such as IP address, MAC address, Wi-Fi hotspots, etc.);

  • Phone status information (such as installed or running applications);

  • User behavior information (such as locking the screen, or installing, upgrading and uninstalling applications);

  • User profile (such as phone number, location, call records).

As for how often each kind of user information was collected, the statistics show that within the test period, of the 966 SDKs used by the 60 apps, 150 obtained mobile device information such as IMEI and IMSI, the most frequent of all categories. Next came network information, including Wi-Fi connection information (IP address, MAC address), scans of nearby hotspots, Wi-Fi hotspot information (SSID), and operator and base station information, which was obtained by more than 35 SDKs. Another 10 SDKs accessed user behavior information, such as locking the screen and installing, upgrading or uninstalling apps.

In addition, personal information such as the user's phone number, location, and videos and photo albums on the phone was also obtained by SDKs. Location information in particular was obtained by 32 SDKs.

It is worth noting that the Alipay SDK used by apps such as Nailing, Railway 12306 and Idle Fish, the Sound Network SDK used by apps such as Faction and Strangers, and the Bang Bang safety SDK used by the Baidu Post Bar app and the Railway 12306 app all collected sensor information. In many cases, health-related personal information such as step counts and heart rate is collected through the "sensor" permission.

The sensor in a mobile phone is mainly used for motion measurement. It works like a microphone: both record vibrations. Every time the phone's speaker makes a sound, the vibrations are recorded by the acceleration sensor. By restoring these subtle changes in vibration, the conversation coming from the speaker can be identified and decoded.

Scarier still, an app's call to the acceleration sensor does not require a high level of permission; the sensor can be switched on quietly without asking. In this situation, neither Apple nor Android phones can easily escape the fate of being eavesdropped on.

So you can see how important this information is.

So here comes the key question: why can these SDK plug-ins get so much information so easily?

One of the most important reasons is that many apps place no limits on this in their privacy policies.

The Report shows that quite a few apps do not tell you before collecting. For example, the Pleasant Wealth app and the Pleasant Loan app use the TalkingData SDK to obtain the user's geographic location, but neither app's privacy policy mentions that location information will be collected. In other words, users' private data is likely to be collected by SDKs without their knowledge.
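The gap described above, data collected that the privacy policy never mentions, can be checked mechanically. The following is an added example, not code from the Report or the article: it compares the permissions in a constructed merged Android manifest against a constructed list of categories the privacy policy discloses. The permission names are real Android permissions; grouping them under the Report's categories, the sample manifest and the package name are assumptions of this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names; grouping them under the Report's categories
# is this example's assumption, not an official mapping.
CATEGORY = {
    "android.permission.READ_PHONE_STATE": "mobile device information",
    "android.permission.ACCESS_WIFI_STATE": "network information",
    "android.permission.QUERY_ALL_PACKAGES": "phone status information",
    "android.permission.READ_PHONE_NUMBERS": "user profile",
    "android.permission.READ_SMS": "user profile",
    "android.permission.READ_CONTACTS": "user profile",
    "android.permission.READ_CALL_LOG": "user profile",
    "android.permission.ACCESS_FINE_LOCATION": "user profile",
    "android.permission.ACCESS_COARSE_LOCATION": "user profile",
}

# Constructed merged manifest: the app's own entries plus those an SDK brought in.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
</manifest>"""

# Constructed: categories the app's privacy policy says it collects.
DISCLOSED = {"mobile device information", "network information"}

def requested_permissions(manifest_xml):
    """Collect every permission name declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(ANDROID + "name") for t in tags for el in root.iter(t)} - {None}

def undisclosed_collection(manifest_xml, disclosed):
    """Return {category: [permissions]} requested but absent from the policy."""
    gaps = {}
    for perm in sorted(requested_permissions(manifest_xml)):
        cat = CATEGORY.get(perm)
        if cat and cat not in disclosed:
            gaps.setdefault(cat, []).append(perm)
    return gaps

if __name__ == "__main__":
    for cat, perms in undisclosed_collection(SAMPLE_MANIFEST, DISCLOSED).items():
        print(f"not disclosed: {cat}: {', '.join(perms)}")
    # Accelerometer reads need no permission, so they never appear here.
```

A manifest check like this only sees permission-gated data; sensor access that needs no permission has to be caught by runtime or traffic testing instead.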

So collecting user information is the first step, and using the collected information to do "evil" is the second. Of course, this is not about the companies themselves.

Because beyond apps' need for personalized push, there is also a black industrial chain that is large in scale, long, and highly profitable.

Here is what goes on behind this industry chain.

Simply put, the upstream is responsible for supply; the midstream processes and reprocesses the information, forming a large-scale market; and the downstream is responsible for "cashing out", making high profits through illegal channels such as telecom fraud and malicious marketing. The chain is complete, and every kind of information has its price.

According to estimates in the "E-commerce Ecological Security White Paper" published in 2017, the number of people working in China's "Internet black industry" has exceeded 1.5 million, and the market is on the scale of 100 billion.

Take the most important product traded in the black industry, personal app accounts and passwords, as an example. Billions of accounts and passwords are controlled by the black and gray industry, most of them the result of account theft through credential stuffing ("hitting the library") and "library swiping", and the annual profit of the industry chain derived from account theft exceeds 10 billion yuan.

According to statistics, each person has an average of 56 apps; somewhat fewer might be a dozen or so, and somewhat more might be hundreds. There are more than 200 app stores in China, with more than 5 million apps on their shelves.

So, is it possible for these apps to stop collecting your data?

The answer is: impossible.

If an app does not mine user data, it is hard for it to learn users' pain points and preferences; without insight into those pain points and preferences, it cannot provide the right products and solutions, and it cannot create business value.

How to avoid this kind of privacy exposure and infringement?


So a common question is how to prevent our information from being stolen. The first thought of many people is, of course, to uninstall this kind of app, but an absolute ban is obviously not a good approach. We should start from the source.

First, for enterprises, recording user data cannot be avoided. Many vendors record users' anonymous data, but what decides whether users' privacy is invaded is whether the data is desensitized after it is obtained, and how it is used. So for manufacturers, the more important work is to regulate developer behavior as strictly as possible through system-level updates, rather than letting developers openly take your privacy away while holding a user agreement you cannot even make sense of.

Developers should try their best to choose third-party SDKs with an established market base, and try to integrate SDKs selected from the Apple and Google stores.

Second, regulation at the policy level. Article 30 of the "Data Security Management Measures (Draft for Comment)" provides that network operators that allow third-party applications onto their platforms should make data security requirements and responsibilities clear, and urge and supervise the operators of third-party applications to strengthen data security management.

The revised draft of the "Information Security Technology: Personal Information Security Specification" requires that, where a personal information controller embeds or connects to third-party automated tools such as SDKs, it should carry out technical testing to ensure that the third party's collection and use of personal information meets the agreed requirements; it is advisable to audit the third party's collection of personal information, and to cut off access promptly if the third party goes beyond the agreed behavior.

After the 315 exposure, the Ministry of Industry and Information Technology also said today that it would organize the relevant units to carry out serious verification as soon as possible, and strictly investigate and deal with the enterprises involved in accordance with laws and regulations.

As a next step, regular regulatory measures will be taken to strengthen the comprehensive management of mobile Internet applications (apps): gathering industry strength, promoting the construction of technical means and greatly improving the level of technical testing; and strengthening supervision and inspection, intensifying the handling and exposure of all kinds of violations, and investigating and dealing with the collection and use of users' personal information without their consent according to law, to safeguard the legitimate rights and interests of users.

Finally, on a personal level, when downloading apps it is best to choose an app store with a low density of malicious apps, such as Apple's App Store or an Android phone's app store, and not to download from app stores with a high density of malicious apps.

When installing an app, various permission requests will pop up. At this point pay attention to privacy-related permissions such as location information and the phone's address book, and do not grant the ones you do not often use.

In addition, clean up the data stored on the phone regularly, do not leave key information such as photos of your ID card or bank card numbers on the phone, and check mobile app permissions regularly.

Also be wary of scanning QR codes from unknown sources, registration applications and the like. Some subsidies and gifts are likely to be bait put out by the black and gray industry to collect personal information; data obtained for 2 yuan can be resold for 10 yuan.

After discovering that your information has been leaked, do not simply put it down to bad luck. According to the relevant regulations, consumers have the right to ask Internet service providers to delete their private personal information, and they can also file complaints and reports with the public security and Internet management departments.

Of course, no one likes to sell their privacy, and no one thinks it is reasonable for data to be accessed in private. Once these background calls become clear and transparent, and the system is willing to provide more means of restriction, keeping your private data safe may no longer be a problem.

Lei Feng net


Copyright notice
This article was created by [Moon shadow dune]. Please include a link to the original when reposting. Thank you.
https://cdmana.com/2020/12/20201225020913753P.html