Hidden big data
During the 2019 National Cyber Security Publicity Week, Yang Chunyan, first-class inspector and deputy director of the Cyber Security Coordination Bureau of the Central Network Information Office, introduced that the Central Network Information Office had drafted data security management measures, security assessment measures for the cross-border transfer of personal information, measures for identifying illegal collection and use of personal information by Apps, and mobile Internet application (App) collection.

Cyber Security Expo showcases tools of the black industry (photo by Li)

The relationship between Apps, app stores and SDKs cannot be ignored.

"Apps are the focus of user data. Among them, the app store is an important channel for App distribution, and many equipment manufacturers also pre-install Apps. Third-party SDKs are also an important part of App development," said Wei Liang, director of the Security Research Institute of the China Information and Communication Research Institute, at the "Personal Information Protection Forum" held during the publicity week.

He mentioned that from the operator's point of view, the more personal information an App collects, the more valuable the services it can provide to users. Therefore, there is a natural contradiction between convenient service and personal information protection. "The process of providing services also weakens the autonomy and decision-making power over personal information, which may be restored to personal information or even sensitive information through big data analysis. Therefore, it is necessary to balance the relationship between personal information protection and convenient services."

Today, most applications include an SDK (Software Development Kit). In this regard, Wei Liang said that using an SDK can improve efficiency and reduce costs, and many times manufacturers don't want to use an SDK. For example, if you build a catering App but do not hold a map or payment-related license, you must use a third-party SDK; however, the rights and responsibilities in the subsequent information collection process need further study.

In addition, the relationship between Apps and app stores cannot be ignored. Wei Liang introduced that the app store has management responsibility for Apps, but the scope and boundary of that management responsibility is an important issue. "When using it, we also found that an App can bypass the app store, and there may be new code and new ideas after the software is updated."

Implicit collection and misleading collection of user information are obvious.

In June of this year, the Central Network Information Office and four other departments jointly issued the announcement of the "Special Governance Action for Illegal Collection and Use of Personal Information by Apps". As of August 31, the special governance group had received more than 8,000 reports from the public through the official WeChat account "App Personal Information Report", and had selected nearly 600 Apps with large user bases and closely related to people's lives for evaluation, urging more than 200 Apps with serious problems to be rectified, involving more than 800 problems.

In this regard, He Yanzhe, a member of the App special governance working group, summed up and listed the findings: there are few cases where there is no privacy policy at all; the main problems are requiring users to open multiple permissions at one time in order to collect personal information, and failing to explain the purpose to users when applying for permissions.

In view of the typical problems in applications, Wei Liang thinks that the phenomenon of "hidden collection of personal information" is serious. Some Apps start collecting and uploading personal information such as the mobile phone number, MAC address (local area network address) and account password without the user's consent, and some users inadvertently granted high-risk system permissions.

In addition, Wei Liang mentioned that there is a phenomenon of collecting personal information beyond users' psychological expectations. For example, after the user turns off GPS, the user assumes the App will no longer collect personal location information, but in fact it may still monitor location through the user's Wi-Fi.

"There are also cases that mislead users into agreeing to the collection of personal information. For example, 'allow permission to open the phone address book in order to read the contact's phone number and recharge it' is misleading information; what the other party actually wants is to obtain the user's address book," Wei Liang said.

The security risks of third-party SDKs cannot be ignored. "A large number of Apps embed SDKs, and the third-party SDK itself has security loopholes, which can easily become a way for malicious code to spread, especially when it is used to collect personal information covertly."

Ren Yan, director of the National Internet Emergency Center, mentioned that the third-party SDKs of many Apps have been "utilized" by the black industry. In the first half of this year, more than 110,000 malicious programs were captured. A special analysis of SDKs' covert access to personal information found many kinds of illegal pornography in 3,600 chat Apps, most of which contained malicious SDKs stealing users' personal information.

Enterprises need self-discipline, and standards should be put in the first place.

Judging from the mobile applications people use daily, the personal information security involved is complex and diverse, involving multiple subjects. "It needs government departments, related companies, App companies, SDK companies, mobile phone companies, application store companies, industry organizations, research institutions, etc.," Wei Liang said when speaking of solutions.

"It is necessary to speed up legislation and improve the norms for the collection and use of personal information." Wei Liang said that at present, legal norms cannot meet actual needs. It is necessary to promote the introduction of the personal information protection law as soon as possible, clarify the rights and obligations of personal information protection, and strengthen the investigation and punishment of violations of laws and regulations; at the same time, analyze and judge the ownership of data and the protection of data assets, clarify the legal boundaries, and sort out the legislative context.

"One is through technical means, and the other is through scientific management. The former, from data identification and use to behavior analysis, prevents information leakage and improves the systematic protection means for personal information; the latter involves employees' security awareness and the technical support management system," said Yang, a technical expert at Sky Guard.

According to Tang Xin, director of the Comprehensive Division of the Network Security Coordination Bureau of the Central Network Information Office, enterprises should be self-disciplined and put "standards first". The additional functions of many applications also collect information, but they cannot be blocked because users refuse to provide information, nor can they be blocked because users refuse authorization once or twice. "I hope to solve these problems through standards and specifications."