"Forced Jump Start", "Self Start", "Associated Start"...why can't I control my mobile app?

  Xinhua News Agency, Shenzhen, June 11 - Title: "Forced jump start", "self-starting", "associated start"... why can't I control my phone apps?

  Xinhua News Agency reporters Sun Fei and Hu Linguo

  "Tap a web page on the phone and it jumps to an app", "an app that was never opened starts itself and runs in the background", "one app, once opened, activates many other apps by itself"... Some mobile apps continue to be "willful and unruly", which not only frustrates users but also damages their rights and interests and creates potential security risks.

  Why are mobile apps so "willful"? What risks does this add? How can the loopholes be plugged? Xinhua News Agency reporters investigated.

"Capricious" apps, "uncontrollable" in many ways

  "Now when I use QQ Browser to open Tencent.com and click a link, the Tencent News App pops up automatically," said Xiao Zhang, a Shenzhen resident who is used to reading web pages in a mobile browser. He said this makes operation more cumbersome and makes the experience feel forced.

  The reporters tried many other browsers and found the same behavior. Searching Baidu in the Chrome browser sometimes starts the Baidu App automatically; opening Taobao in UC Browser sometimes jumps to the mobile Taobao App.

  The CEO of a well-known Internet company has publicly stated that he chose to uninstall the Baidu App because of dissatisfaction with the mandatory jump start.

  In addition to "mandatory jump start", the reporters found that many apps on Android phones frequently self-start, start one another, and access and read users' information on the phone.

  Common tool apps such as NetEase Mailbox and QQ self-start almost 100 times per day; the Didi Chuxing App tries to start 9 other apps within one minute of launch; the Tuniu Travel App tries to start 15 other apps in the background within one minute of launch. Some office, social, and entertainment apps access photos and files on the phone frequently within a short period, more than 10,000 times, and some frequently read user contacts and other information.

  In addition, the reporters found that some apps "hide" authorization for "jump start", "associated start" and similar behaviors in standard-form privacy policies or related rules, inducing or forcing users to agree.

"Careful" apps are "greedy" for their own interests

  An engineer at Chian Technology Group Co., Ltd. told reporters that on Android, adding specific code to an app makes it possible to force a jump from a web page to the local app. "Some jump automatically when a link is clicked; some, after repeated clicks and use, wake the App in the background and let it take over what the user was originally doing on the web page."

  The engineer said that the principles behind "self-starting" and "associated start-up" are similar: developers add specific code to the system to keep the app as active as possible. "If the user does not use the app, just let the apps use each other."

  Why? The reporters learned from the heads of several Internet companies that the most important of an app's evaluation metrics is "daily active users." The more often the app is activated, the better its "daily active" data, the higher the business valuation, and the stronger the profitability. "In order to seize the market, no one will let go of any method that can improve an App's 'daily active' numbers," said a company official.

  In addition, a software engineer told reporters that the permissions granted when a user installs, first opens, or uses an app are mostly "one-time authorization, long-term use", which means that as long as the app is enabled, user-related information such as location, address book, and installed applications can be collected at any time. This information is currently widely used to build user profiles and behavior labels, and has great commercial value. "No one gets up early without a profit in it. Some developers make their apps so hard-working because what they are greedy for is the user information on the phone."

  Zhou Hanhua, deputy director of the Institute of Law of the Chinese Academy of Social Sciences, believes that such behavior means personal information is collected and used beyond users' expectations, which carries obvious technical risks and also greatly increases legal risks.

  Experts stated that Article 41 of the "Cyber Security Law of the People's Republic of China" stipulates that network operators shall not collect personal information unrelated to the services they provide, and shall not collect or use personal information in violation of laws, administrative regulations, or the agreement between the two parties; Article 5 of the Ministry of Industry and Information Technology's "Interim Provisions for the Management and Pre-distribution Management of Mobile Intelligent Terminal Application Software" requires that "the collection and use of user personal information and the opening of application software shall not be carried out without the express consent of the user"; and relevant national technical standards also require that the collection of personal information meet the minimum necessary principle. The frequency of automatic collection of personal information should be the minimum frequency necessary to realize the business function of the product or service, and the scope of collection must not be expanded at will.

Controlling the "willful" app: plug technical loopholes, strengthen legal protection

  In response to the problems of excessive collection of user information by mobile apps and the hidden risk of user privacy disclosure, in mid-May this year the Ministry of Industry and Information Technology notified a batch of apps of behavior that violated users' rights and ordered rectification.

  Zeng Lei, a senior researcher at the International Center for the Rule of Law of the Beijing Normal University, explained that operating systems allow apps to be woken through self-starting and associated startup. The original intent was to improve the ability of electronic devices such as mobile phones and ticket purchase machines to cover and adapt to various application environments, and to make it easier for users to switch between applications. However, if personal information is collected through mechanisms such as permissions and the specific purpose is not clearly stated in the privacy policy and other rules, the frequency of collection is suspected of exceeding the actual needs of the business function. "To solve such problems, it is necessary to block technical loopholes and strengthen legal protection."

  Qi Anxin Group engineers believe that the Android system has too much authority, and that different developers can modify the underlying code of the Android system; this is an important reason why users cannot control "willful" apps. In addition, some application markets do not review app security strictly, which damages users' interests.

  Experts such as Weng Jian, Dean of the School of Cyberspace Security of Jinan University, suggested that "whether there is a risk of over-reaching access to user information" should be listed as one of the core standards of app security review, and that apps which cannot meet the security standards should not enter the market.

  Meng Bo, a lawyer from Beijing Jingshi Law Firm, said that whether a standard-form user agreement or privacy policy provided by an app has legal effect depends on whether the network operator has fulfilled the reasonable prompting obligation required by law; if a standard clause increases the user's responsibility or excludes the user's main rights, that clause is invalid.

  In addition, experts such as Zang Lei also pointed out that many mobile phone operating systems can monitor how apps run. Users should increase their awareness of information security and regularly check what their apps are doing.