Term explanation:
SDK is the abbreviation of Software Development Kit, of which there are many kinds. If developing a software system is compared to building a "three-room" house, then the different SDKs are its "living room", "bedroom", "bathroom", "kitchen" and other functional modules. To build a good house, we only need to pick the functional modules from different suppliers and assemble them, and no longer need to start by "laying bricks" and "building walls", which greatly improves the efficiency of software development.
With the popularity of mobile apps, we rely more and more on software development kits (SDKs), but we also face the data risks that come with them. Some SDKs collect user data excessively, including personal information unrelated to the service they provide, or even force access to non-essential permissions such as geo-location, call logs and photo albums, or to functions such as taking photos and recording audio. With the large amount of data collected, these SDKs can profile different user groups and extract potentially useful information, such as co-worker relationships, workplace locations and behavioral habits. Some offshore SDK service providers offer their services free of charge or even pay developers in order to obtain data. For example, the developer of an app with 50,000 daily active users in the U.S. can earn $1,500 per month, and in return the SDK service provider collects users' location data from the app.
In addition, foreign intelligence agencies also use SDKs as an important data collection channel. According to reports, the United States Special Operations Command purchased access to "commercial telemetry data sources" from Anomaly Six, a United States-based SDK service provider. According to the provider, it has embedded its SDK in more than 500 apps around the world and is able to monitor the location of approximately 3 billion cell phones. Also, in April 2022, media outlets exposed a Panamanian company that, by paying app developers around the world, secretly integrated its SDK code into millions of mobile devices to collect data. The company has close ties to defense contractors that provide cyber intelligence gathering and other services to U.S. intelligence agencies.
According to domestic authoritative organizations, as of December 2022 more than 23,000 samples using foreign SDKs had been detected among the top 100,000 applications in China, and about 380 million domestic devices run applications that use foreign SDKs. What should we do about this?
In order to deal with the data risks behind SDKs, we can take the following steps:
For application development companies:
Prefer SDKs that have been filed and certified, to ensure their legitimacy and trustworthiness.
Perform security testing and a risk assessment before introducing an offshore SDK, to ensure it does not pose a risk to user data.
Study the SDK's privacy policy in depth and make sure it is consistent with the app's own privacy protection policy.
Using the SDK's demo examples and an app test environment, compare what the SDK declares (permissions, data collected, data recipients) with its actual behavior, and continuously monitor the SDK for abnormal behavior.
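One way to carry out the declaration-versus-behavior check in that last step, as an added example that is not part of the original article: the SDK vendor declaration, package name, host names and runtime log lines below are all constructed, and the log format is a hypothetical one produced by an instrumented test build of the app.

```python
import re
from collections import defaultdict

# Permissions the article calls non-essential for most SDKs, mapped to the
# category of user data they expose (mapping constructed for this example).
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "geo-location",
    "android.permission.ACCESS_COARSE_LOCATION": "geo-location",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_MEDIA_IMAGES": "photo album",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# What the (hypothetical) SDK vendor's privacy statement declares: constructed.
SDK_DECLARATION = {
    "package": "com.example.adsdk",
    "permissions": {"android.permission.INTERNET",
                    "android.permission.ACCESS_COARSE_LOCATION"},
    "hosts": {"telemetry.adsdk-example.net"},
}

# Constructed runtime events from an instrumented test build, one per line.
TEST_LOG = """\
10:00:01 perm caller=com.example.adsdk.LocationHelper permission=android.permission.ACCESS_FINE_LOCATION
10:00:02 net caller=com.example.adsdk.Uploader host=telemetry.adsdk-example.net bytes=4096
10:00:03 perm caller=com.example.adsdk.Collector permission=android.permission.READ_CALL_LOG
10:00:04 net caller=com.example.adsdk.Uploader host=collect.unlisted-example.org bytes=20480
10:00:05 perm caller=com.example.app.MainActivity permission=android.permission.CAMERA
"""

EVENT = re.compile(r"^\S+ (?P<kind>perm|net) caller=(?P<caller>\S+) (?:permission|host)=(?P<target>\S+)")

def audit_sdk(log_text, declaration):
    """Return (issue, target, data_category, callers) for every permission use or
    network destination the SDK's own classes produced that it did not declare."""
    seen = defaultdict(set)  # (kind, target) -> set of SDK classes that caused it
    for line in log_text.splitlines():
        m = EVENT.match(line)
        # Only attribute events raised from classes inside the SDK's own package.
        if m and m["caller"].startswith(declaration["package"] + "."):
            seen[(m["kind"], m["target"])].add(m["caller"])
    findings = []
    for (kind, target), callers in sorted(seen.items()):
        if kind == "perm" and target not in declaration["permissions"]:
            findings.append(("undeclared permission", target, SENSITIVE.get(target, "other"), sorted(callers)))
        elif kind == "net" and target not in declaration["hosts"]:
            findings.append(("undeclared host", target, "data egress", sorted(callers)))
    return findings
```

Calling `audit_sdk(TEST_LOG, SDK_DECLARATION)` flags the fine-location and call-log accesses and the second upload host, while the camera use by the app's own activity is not charged to the SDK.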
For individual users:
Raise your awareness of personal information protection and learn the skills for safe use.
Choose safe and reliable channels to download and use apps, and do not install apps from unknown sources.
Do not grant sensitive permissions blindly; stay especially vigilant when a permission requested by an SDK has nothing to do with the app's functionality.
These are the countermeasures to SDK data risks; by taking proper precautions, we can better protect the security and privacy of user data.
Reference: https://mp.weixin.qq.com/s/xq_0nAxzuZ4t0HLXLy8BEg
Original article by Chief Security Officer, if reproduced, please credit https://cncso.com/en/foreign-spy-sdks-illegally-stealing-chinese-user-privacy-data.html