When a mobile app hijacks traffic, pushes malicious advertisements or collects personal information illegally, the embedded third-party software development kit (SDK) may be at fault.

Beware of "inner ghosts" in mobile software


Recently, the National Computer Virus Emergency Response Center found that 15 mobile apps and 1 SDK had privacy violations and were suspected of collecting personal privacy information beyond their stated scope.

In February of this year, the Information and Communication Administration of the Ministry of Industry and Information Technology also published this year's first batch of apps found to infringe user rights and interests; 13 embedded third-party SDKs were illegally collecting user device information.

With the advent of the mobile Internet era, apps are increasingly tied to people's work and daily life.

Today, a large number of apps rely on SDKs to implement specific functions, provide convenient services, and meet the diverse needs of users.

However, the related security issues cannot be ignored either.

What is an SDK? How is it related to apps?

The latest data shows that there are 2.52 million apps in China's domestic market.

The complexity of app functions and the speed of version iteration have both increased greatly, and apps have entered the stage of providing refined, scenario-based services to the public.

"In order to improve iteration speed, reduce development cost and enrich business functions, application developers not only develop independently but also embed SDKs to quickly access and implement certain business functions," said Chen Jialin, Senior Vice President of Antiy Mobile Security.

According to statistics from the Antiy Mobile Security Risk Application Detection and Early Warning Platform, more than 80% of apps in China have integrated third-party SDKs, with an average of nearly 20 SDKs per app.

According to the "Software Development Kit (SDK) Security Research Report (2021)" jointly released by China Academy of Information and Communications Technology and Tencent, more than 30,000 third-party SDKs have been integrated by more than 100 apps.

What is an SDK?

"TC260-PG-20205A Third-party Software Development Kit (SDK) Security Guidelines in Mobile Internet Applications (App) (Draft for Comment)" defines an SDK as a collection of related documents, examples and tools; a third-party SDK is a toolkit provided by a third-party service provider or developer.

"It is like a factory that manufactures TVs or cars: to achieve better performance, it buys parts with specific functions from outside suppliers and assembles them into its products," said Tian Qiang, an engineer at an information platform, offering this analogy.

The reporter learned that the app functions provided by third-party SDKs include message push, payment, advertising, behavior analysis and statistics, third-party login, and so on.

Some SDKs are used in specific categories of applications. For example, social apps usually access instant messaging SDKs, while online earning apps access security risk control SDKs.

Embedded convenience, embedded risk

From the SDK violations reported by the Ministry of Industry and Information Technology this time, it can be seen that in addition to a number of SDKs involved in illegally obtaining device IDs, one was illegally collecting device sensor information and one was illegally collecting the list of installed apps on the device.

In this regard, Chen Jialin acknowledged that the current ecosystem of third-party SDKs on the market is relatively complex. For app developers, the runtime behavior of a third-party SDK may not be transparent, and the same SDK introduced into different apps, or into different versions of the same app, may differ in version, functions and modules.

"In many scenarios, it is difficult for app developers to fully evaluate the security of an SDK, and difficult to grasp all of its runtime behavior," Chen Jialin said.

"We used to use an SDK component that records operational log data. A vulnerability in this SDK component surfaced a few years ago, and the platform's data security was seriously threatened," Tian Qiang recalled. Through the third-party SDK vulnerability, hackers could log in to the server, obtain operating privileges, and freely manipulate the user data stored there.

Antiy Mobile Security recently released the "Research Report on Behavior Security of the Mobile Internet Application Supply Chain (SDK)", which notes that malicious SDK behaviors include traffic hijacking, privacy theft, silent download and installation, malicious advertising, remote control, and so on, while risky SDK behaviors include illegal collection of personal information, cloud control of SDKs, deceiving or misleading users into downloading apps, and disguised or anonymous push messages.

"When apps access third-party SDKs to provide services, it increases the complexity and security risk of clarifying the boundary of responsibility for personal information processing and of implementing security measures. How companies can regulate the various third-party SDK services their apps access has become one of the difficulties in managing data partners," said He Yanzhe, deputy director of the Evaluation Laboratory of the Cyber Security Research Center of the China Electronics Standardization Institute.

Be wary of illegal collection of users' personal information

At the end of last year, the National Computer Network Emergency Technology Handling Coordination Center and the China Cyberspace Security Association released the "Monitoring and Analysis Report on the Illegal Collection and Use of Personal Information by Apps", showing that third-party SDK collection behavior is widespread and that the problem of app violations caused by such irregular behavior is becoming increasingly prominent.

"We have also confirmed such problems in our testing. Specifically, collection of personal information begins before the user agrees to the privacy policy, the privacy policy does not explicitly mention the data collection performed by the integrated SDK, and the scope of personal information the SDK collects does not match the description in the privacy policy, among other issues," Chen Jialin said.

From the perspective of personal information processing, He Yanzhe believes that, ideally, third-party SDKs and apps fall into three modes: "entrusted processing", "separate processing" and "joint processing". If the third-party SDK must process personal information for the purpose and in the manner agreed with the app developer, the SDK is an "entrusted processor" and the app developer bears the responsibility of notice and consent; if the app developer cannot fully customize or restrict the third-party SDK's processing of personal information, the two parties are "independent processors", and the app developer needs to make known the third-party SDK's rules for handling personal information; if the app and the third-party SDK jointly decide how personal information is processed, both may be "joint processors", and both should expressly notify the user in the name of the personal information processor.

  However, in actual development operations, the relationship between the two is often more complicated than the ideal model.

He Yanzhe suggested that apps, which interact directly with users and provide services, should assume greater responsibility for notification; if a third-party SDK provides a service that must process personal information, it needs to proactively disclose its processing rules in detail.

Design principles of minimization and necessity should be followed

When third-party SDKs are embedded in apps, risk factors are embedded with them.

In this regard, Lu Yang, a client engineer engaged in research and development for travel platforms, believes that front-line engineers should not focus solely on the software development business; they should have a clear understanding of the basic information about each SDK they use and cooperate with the security team to select SDKs that meet business requirements while ensuring security.

Chen Jialin believes that, from the perspective of the industry chain, SDK providers need to abide by the Personal Information Protection Law, the Data Security Law and other relevant regulations, as well as the requirements of app user rights policies, and adhere to the principles of minimization and necessity in the collection and use of personal information; when app developers select and integrate SDKs, they need to focus on evaluating the SDK providers and the security of their SDKs.

Regarding user rights and interests, He Yanzhe believes that if a user consents to the use of an SDK service, the user has the right to withdraw that consent; if the SDK collects user information to fulfill a legal obligation, it is not appropriate to provide a stop or reject function; and if the SDK and the app are in an entrusted relationship, the app party should respond to requests to restrict or refuse the processing of personal information.

In recent years, standards documents from relevant national bodies have put forward security technical requirements and normative guidelines for apps and SDKs, some of which are still in draft.

The reporter also learned that, in line with the requirements of the EU's General Data Protection Regulation (GDPR), the European Advertising Interactive Association has begun trialling the "Consent Management Platform (CMP)" model.

He Yanzhe said that the model itself helps to make the processing of personal information more compliant and can be used for reference.

A personal information processing model truly suited to China's legal framework and to the app and SDK development ecosystem still requires continued research and experimentation by all parties.

(Guangming.com reporter Kong Fanxin and Li Zhengwei)