More than 20,000 data accesses in a little over ten minutes:
  phone apps steal your data, and not only on their own

  When trying to turn off an app's read permissions, users often find that some apps force the authorization and refuse to run otherwise, and that once the permission is granted the phone seems to read their mind better and better: take a selfie with a newly bought bag, and related products appear the next time you open a shopping site; browse the latest model in one app, and a salesperson calls to offer a consultation...

  That's right, it is the software on your phone that is "making trouble." A recent media investigation into "voyeur" apps found that some apps accessed more than 20,000 photos and files in a little over ten minutes; the products named included the mobile teaching app "You Academy" and the office app "TIM". Why do mobile apps steal user privacy again and again? As a user, how can you protect your personal privacy? A reporter from Science and Technology Daily put these questions to experts.

  Illegal collection of information by apps persists despite repeated bans

  In recent years, incidents of apps "secretly accessing" personal information have become commonplace. How exactly do phone apps steal user information?

  Yan Huaizhi, director of the Institute of Computer Network and Countermeasure Technology at Beijing Institute of Technology, told the Science and Technology Daily reporter that apps usually steal user information through the "normal" operation of the phone rather than through an attack. Broadly speaking, both the processing of the user's data and the operation of the app rely on the phone's own operating system. "The operating system sets up permissions and other security mechanisms at different levels to prevent user information from being maliciously read or abused. But once an app obtains a given permission, it can easily read all the information covered by that permission," he said.

  Yan Huaizhi explained that there are two main ways in which apps collect personal information or steal user information in violation of laws and regulations. The first is collecting information without explicit notice: some apps do not clearly state what they collect before collecting it, and some simply play word games to induce the user to agree. The second is failing to limit the purpose, method and scope of collection with clear permissions: for example, the user's information is collected through normal channels but then used beyond that scope, which brings potential risk and harm to the user's privacy and interests.

  Generally speaking, user information should follow the basic criteria of "collect only what is required, use only what is necessary": the information collected should be what is needed to complete the user's business, and it should be used properly within the scope of that business.

  "It should be noted that an app stealing information and a hacker stealing user information, which leads to a large-scale leak, are two events of a different nature. A formally launched app obtains user information without the user's knowledge or beyond the user's authorization; the operation on the phone does not need to be carried out by any attack technique. Even if the system has no vulnerabilities, the app can still obtain user information," Yan Huaizhi said.

  Buying fries on the surface, secretly taking the "family bucket"

  At present, China has explicitly designated data as a factor of production, and many apps collect private information excessively for commercial purposes. So what is the purpose of frequently accessing user information? And when different apps wake each other up to pry into user privacy together, does that mean the developers are trading benefits with each other?

  It is understood that user information can generally be divided into two categories. One is quasi-static information, such as the user's name, age and address, which usually does not change often, so an app need only collect it once. The other is dynamic information, such as the user's location, mobile payment status and personal health status, which changes constantly; it is dynamic information that an app needs to access frequently.

  Yan Huaizhi explained that, from a technical point of view, some of the frequent access to user information by apps is indeed driven by business need: navigation and route planning naturally has to know the user's real-time location, and a health-monitoring service may need to obtain the user's exercise data at any time. After obtaining the user's personal information, the software operator calibrates the user's range of activity and spending power through data analysis, so as to carry out more precise advertising or other marketing activities.

  "It should be noted that user information has special and important value. In order to increase their registration numbers and share useful user data, some app developers exchange user information with each other. The premise of this operation is naturally interests," Yan Huaizhi emphasized.

  According to the investigation, many apps, once downloaded, frequently wake up other apps to start automatically, and then together peek at the user's photos, shopping records and so on in the background. How should this phenomenon be interpreted at the technical level?

  Yan Huaizhi explained that there are many technical methods by which an app can wake up other apps; common ones include waking via an Intent, via a package name, and via a URL. In simple terms, the other app is started privately through a background communication protocol and, once started, only runs in the background handling data, so it is highly concealed and hard for users to notice. Yan Huaizhi further emphasized that waking other apps to start in the background and jointly peeking at user information aims to gather as much user information as possible in order to build a more precise profile; this behavior of buying fries on the surface while secretly taking the "family bucket" is both more hidden and more harmful.
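  The three wake-up paths mentioned above are all visible in an app's manifest: a component that is exported can be started by its package and component name, an intent-filter with a custom action lets another app reach it with an implicit Intent, and a VIEW filter with a data scheme lets it be opened by URL. The script below, an added example that is not code from the article or from any app it names, audits a manifest for exactly those entry points and prints the equivalent activity-manager shell commands, which is how a reviewer checks what another app on the device could trigger. The manifest, the package name com.example.shop and all component names in it are constructed for this example.

```python
"""Audit an AndroidManifest.xml for components another app could wake up.

Added example (not from the article). The sample manifest and every name in
it are constructed; com.example.shop is a hypothetical package.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a launcher activity, a deep-link (URL) activity, an
# explicitly exported service, a private service and a broadcast receiver.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".DeepLinkActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="exampleshop" android:host="open"/>
      </intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true"/>
    <service android:name=".InternalService" android:exported="false"/>
    <receiver android:name=".WakeReceiver">
      <intent-filter>
        <action android:name="com.example.shop.WAKE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def android_attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(comp):
    """Platform rule: an explicit android:exported wins; otherwise a component
    that declares an intent-filter is exported by default. (Android 12+ rejects
    manifests that rely on that default, but older targets still do.)"""
    explicit = android_attr(comp, "exported")
    if explicit is not None:
        return explicit == "true"
    return comp.find("intent-filter") is not None


def audit_manifest(xml_text):
    """Return one record per component a third-party app could start."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package")
    findings = []
    for comp in root.find("application"):
        if comp.tag not in ("activity", "service", "receiver", "provider"):
            continue
        if not is_exported(comp):
            continue
        name = android_attr(comp, "name")
        if name.startswith("."):          # shorthand for <package>.<Class>
            name = pkg + name
        actions = [android_attr(a, "name") for a in comp.iter("action")]
        urls = ["%s://%s" % (android_attr(d, "scheme"), android_attr(d, "host") or "")
                for d in comp.iter("data") if android_attr(d, "scheme")]
        findings.append({"type": comp.tag, "component": name,
                         "actions": actions, "urls": urls})
    return findings


def wake_commands(pkg, finding):
    """The `am` shell commands equivalent to the three wake-up paths: by
    component name (-n), by Intent action (-a) and by URL (-a VIEW -d)."""
    verb = {"activity": "am start", "service": "am startservice",
            "receiver": "am broadcast"}.get(finding["type"])
    if verb is None:                      # content providers are queried, not started
        return []
    short = finding["component"].replace(pkg + ".", pkg + "/.", 1)
    cmds = ["%s -n %s" % (verb, short)]
    cmds += ["%s -a %s" % (verb, a) for a in finding["actions"]]
    cmds += ["%s -a android.intent.action.VIEW -d %s" % (verb, u) for u in finding["urls"]]
    return cmds


if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f["type"], f["component"])
        for c in wake_commands("com.example.shop", f):
            print("   ", c)
```

Run against a real APK, the manifest must first be decoded (for example with apktool), since the one inside the package is binary XML. Note that InternalService is correctly left out: only an explicit android:exported="false" keeps a component with an intent-filter private.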

  How to prevent app "voyeurism"

  To protect personal information, the relevant departments have launched a series of actions to rectify the market chaos. In January 2019, four departments, the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration for Market Regulation, jointly organized a special campaign against the illegal collection and use of personal information by apps and set up a working group on the special governance of app personal information. Based on reports from more than 10,000 netizens, the working group counted the five most typical problems: collecting irrelevant personal information beyond scope, forcibly or frequently requesting irrelevant permissions, unreasonable exemption clauses, inability to cancel accounts, and bundling features by default under a blanket agreement.

  In fact, in response to excessive collection of personal information by mobile apps, the country had earlier issued the "Information Security Technology: Personal Information Security Specification" and the "Cybersecurity Practice Guide: Specification for Necessary Information for Basic Business Functions of Mobile Internet Applications", which set out clear rules on personal information security issues such as apps collecting beyond scope, forcing authorization and over-requesting permissions.

  However, many apps still ignore national laws and regulations, and some even take the risk of stealing citizens' privacy for illegal profit. Why on earth do mobile apps steal users' privacy again and again? As a user, how can one effectively protect personal privacy?

  On this, Yan Huaizhi said that the essential reason apps keep illegally collecting or stealing personal privacy despite repeated bans is nothing more than the word "profit". "In the information age and in cyberspace, personal information is also an asset, which has a certain value and brings derivative value. In a sense it sits at the front of the chain of interests. Whoever holds user information holds user resources, and can achieve precise promotion, precise marketing and even precise fraud. So the phenomenon of apps 'crossing the line' to collect user information is naturally not hard to understand," he said.

  Recently, the working group on the special governance of the illegal collection and use of personal information by apps released the "Special Governance Report on the Illegal Collection and Use of Personal Information by Apps (2019)". The report shows that some apps use encrypted data packets when excessively collecting personal information; some apps detect the test environment in order to evade the abnormal-transmission checks of detection tools; and some apps bypass the operating system's permission control mechanism by using the external storage area to obtain information (data that one app writes to shared storage such as the SD card directory lies outside the per-app sandbox and is readable by any other app holding the storage permission). When apps use these methods, it becomes harder for existing detection methods to find, and to prove, collection of personal information beyond scope. The relevant departments therefore need to further strengthen research on in-depth detection techniques, take the initiative in continued supervision, and effectively deter illegal behavior.

  To this end, Yan Huaizhi suggested that for users the most important thing is to raise security awareness and the concept of privacy protection. For example, when installing an app, read its data-collection requests carefully and decide whether to grant them according to your own situation; when providing information, follow the principle of "provide only what is necessary" and do not provide information beyond what the business requires. Second, make use of appropriate technical detection means, using an app-monitoring tool to discover which apps secretly run frequently in the background. If private data is maliciously collected or abused, preserve the evidence in time and report it to the relevant authorities to defend your rights.
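  One concrete form of the monitoring suggested above, on a developer-enabled Android device, is to watch the activity manager's process-start events (`adb logcat -b events`) and count how often each package is brought up by a broadcast or service rather than by the user opening an activity. The script below is an added example, not a tool from the article or from any vendor; the line layout it assumes for `am_proc_start` events (user, pid, uid, process, type, component) is the Android 8+ event-log format as recalled by the author, and the sample lines and package names are constructed.

```python
"""Flag packages that are repeatedly started in the background.

Added example (not from the article). Assumes the Android 8+ event-log line
  am_proc_start: [user,pid,uid,process,type,component]
as recalled by the author; the log lines below are constructed and the
package names are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
04-01 10:00:01.120  1234  1300 I am_proc_start: [0,4101,10201,com.example.shop,broadcast,com.example.shop/.WakeReceiver]
04-01 10:00:01.130  1234  1300 I am_proc_start: [0,4102,10202,com.example.news,service,com.example.news/.SyncService]
04-01 10:00:05.000  1234  1300 I am_proc_start: [0,4110,10203,com.example.photos,activity,com.example.photos/.MainActivity]
04-01 10:01:01.400  1234  1300 I am_proc_start: [0,4120,10202,com.example.news:bg,broadcast,com.example.news/.WakeReceiver]
04-01 10:02:01.500  1234  1300 I am_proc_start: [0,4130,10202,com.example.news,service,com.example.news/.SyncService]
04-01 10:03:02.100  1234  1300 I am_proc_start: [0,4140,10202,com.example.news,broadcast,com.example.news/.WakeReceiver]
04-01 10:03:02.300  1234  1300 I am_proc_start: [0,4141,10201,com.example.shop,service,com.example.shop/.SyncService]
"""

# timestamp, pid, tid, priority, tag, then the bracketed field list
LINE = re.compile(
    r"^(\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\d+\s+\d+\s+\w\s+am_proc_start:\s+\[(.*)\]$")


def parse_proc_starts(text):
    """Turn event-log lines into records; lines that are not am_proc_start
    events (or are malformed) are skipped rather than crashing the scan."""
    starts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        fields = m.group(2).split(",")
        if len(fields) < 6:
            continue
        starts.append({
            # logcat omits the year; only relative times matter here
            "time": datetime.strptime(m.group(1), "%m-%d %H:%M:%S.%f"),
            "uid": int(fields[2]),
            # "com.example.news:bg" is a secondary process of com.example.news
            "package": fields[3].split(":")[0],
            "type": fields[4],          # activity | service | broadcast | ...
            "component": fields[5],
        })
    return starts


def background_starters(starts, window_seconds=600, threshold=3):
    """Packages started at least `threshold` times within any window of
    `window_seconds` by something other than an activity, i.e. without the
    user opening a screen. Returns {package: max starts in one window}."""
    times_by_pkg = defaultdict(list)
    for s in starts:
        if s["type"] == "activity":
            continue
        times_by_pkg[s["package"]].append(s["time"])
    flagged = {}
    for pkg, times in times_by_pkg.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):      # sliding window over sorted times
            while (times[i] - times[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            flagged[pkg] = best
    return flagged


if __name__ == "__main__":
    for pkg, n in background_starters(parse_proc_starts(SAMPLE_LOG)).items():
        print("%s: %d background starts within 10 min" % (pkg, n))
```

The threshold and window are knobs, not verdicts: a mail client legitimately syncs on a timer. What the count surfaces is which packages deserve a look at their manifest and traffic, which is the evidence the article says to preserve.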