During the 2019 National Cybersecurity Awareness Week, Yang Chunyan, first-level inspector and deputy director of the Cybersecurity Coordination Bureau of the Central Internet Information Office (CNIO), explained that, in response to the current data security problems of apps forcing authorization, over-claiming permissions, collecting personal information beyond the stated scope, and using personal information illegally, the CNIO has drafted a series of institutional documents, including the "Measures for the Management of Data Security", the "Measures for the Security Assessment of Personal Information Exit", the "Method for Determining Illegal Collection and Use of Personal Information by Apps" and the "Basic Norms for the Collection of Personal Information by Mobile Internet Applications (Apps)", which have already been opened for public comment.
Cybersecurity Expo displays ransomware tools (Li Zhengwei/photo)
The App's relationship with app stores and SDKs should not be ignored
"The App is the point where user data concentrates. Among the related parties, the app store is an important channel for App distribution, many device manufacturers also pre-install Apps, and third-party SDKs are an important part of App development." Wei Liang, director of the Security Research Institute of the China Academy of Information and Communications Technology, said this at the Personal Information Protection Forum held during the awareness week.
He noted that, from the operator's point of view, the more personal information an app collects, the more valuable the services it can provide to users, so there is a natural tension between convenient services and personal information protection. "The process of providing services also weakens the individual's autonomy and decision-making power over personal information, and through big data analysis all of this information may be reconstructed into personal information or even sensitive information, so it is important to balance personal information protection against convenient services."
Nowadays, most apps contain SDKs (software development kits). In this regard, Wei Liang said that using SDKs improves efficiency and reduces costs, and that in many cases manufacturers cannot avoid them even if they wanted to. For example, a catering App whose developer holds no map or payment licenses of its own must use a third-party SDK; but the allocation of rights and responsibilities during the subsequent collection of information still needs further study.
In addition, the relationship between the App and the app store should not be ignored. Wei Liang explained that the app store has management responsibility for the Apps it distributes, but the scope and boundaries of that responsibility are an important open question. "In practice we also found that an App can bypass the app store: after being updated, the software may contain new code as well as new permission requests."
Concealed and misleading collection of user information is widespread
In January this year, four departments including the Central Internet Information Office jointly issued the announcement on the "Special Governance Action on Illegal Collection and Use of Personal Information by Apps". As of August 31, the special governance working group had received more than 8,000 reports from the public through the WeChat public account "App Personal Information Reporting", selected nearly 600 Apps with large user bases and close ties to people's daily lives for assessment, and urged more than 200 Apps with serious problems to rectify them, covering more than 800 individual problem points.
In this regard, He Yanzhe, a member of the App Special Governance Working Group, summarized the situation: there are only a few cases with no privacy policy at all; the main problems are requiring users to enable multiple permissions at once in order to collect personal information, and applying for permissions without simultaneously explaining the purpose to the user.
As for typical problems with apps, Wei Liang believes that "covert collection of personal information" is serious. Some apps begin collecting and uploading personal information without the user's consent, such as phone numbers, MAC addresses (LAN hardware addresses) and account passwords, and some obtain high-risk system permissions without the user realizing it.
In addition, Wei Liang mentioned the phenomenon of collecting personal information beyond the user's expectations. For example, after the user turns off GPS, they assume their location is no longer being collected, when in fact the location may still be tracked through the user's Wi-Fi.
"There are also cases where users are misled into agreeing to the collection of personal information. For example, 'Allow the phone address book permission so that the contact's phone number can be read for recharging' is misleading information; what the other party actually wants is access to the user's address book." Wei Liang said.
The security risks of third-party SDKs likewise cannot be ignored. "A large number of Apps embed SDKs, and third-party SDKs themselves have security vulnerabilities, so they easily become a path for spreading malicious code; especially when an SDK covertly collects personal information, the App side finds it very hard to grasp what is happening."
Ren Yan, director of the National Internet Emergency Response Center (NIERC), mentioned that the third-party SDKs of many apps have been "exploited" by the black-market industry. In the first half of this year, more than 1 million malicious programs were captured. A special analysis of SDKs covertly accessing personal information found 3,600 chat apps carrying large amounts of illegal pornographic content, most of which used malicious SDKs that stole users' personal information.
Enterprises need self-discipline, but standards must also come first
Judging from the mobile applications people use every day, personal information security is complex and diverse and involves many parties: "government departments, relevant enterprises, App companies, SDK companies, phone manufacturers, app stores, industry organizations, research institutions and other stakeholders need to deal with it together." Wei Liang said this when discussing possible solutions.
"Legislation must be accelerated to refine the norms for collecting and using personal information." Wei Liang said that current legal norms cannot meet real needs; the personal information protection law should be promoted as soon as possible to clarify the rights and obligations involved in personal information protection and to strengthen accountability for violations; at the same time, issues such as data ownership and data asset protection should be analyzed and studied to clarify legal boundaries and lay out the lines of legislation.
"One path is technical means, the other is scientific management means. The former runs from data identification and use through to behavioral analysis, preventing information leakage and improving systematic protection of personal information; the latter involves staff security awareness as well as a management system with technical support." Sky Guardian technical expert Yang Mingfei said.
Tang Xin, director of the Comprehensive Division of the Cybersecurity Coordination Bureau of the Central Internet Information Office, believes that while enterprises should self-regulate, they should also put "standards first". Many applications collect information for additional features, but they should not refuse service because the user declines to provide that information, nor prohibit use because the user refuses one or two authorizations. "I hope that through standards and specifications, these problems can be solved."