The privacy dilemma of domestic apps: thoughts triggered by Baidu's "telephone monitoring" incident

The start of 2018 may not have been easy for the three BAT giants. Alipay was exposed for traps in its annual bill, WeChat was busy explaining that it would not read user chat records, and Baidu was sued for allegedly infringing on the security of consumers' personal information.

In January this year, Baidu's App was sued by the Jiangsu Provincial Consumer Protection Committee.

In July 2017, based on the situation of infringement of consumers’ personal information in the mobile application market, the Jiangsu Provincial Consumer Protection Committee conducted an investigation and interviews with 27 mobile APP companies that have a large number of users and are representative of certain industries in areas such as audio-visual applications, graphic reading, financial payment, and travel.

Most companies submitted substantive rectification plans on time. The vast majority of companies have optimized their apps, for example, by removing unnecessary sensitive permissions, adding consumer prompt boxes, providing consumers with permission selection interfaces, and improving non-registered user information protection, in order to respect consumers' right to know and right to choose, and provide more comprehensive privacy protection and security for consumers' personal information.

On July 4, 2017, the Jiangsu Provincial Consumer Protection Committee sent a letter of investigation regarding issues with two mobile apps, "Mobile Baidu" and "Baidu Browser," owned by Beijing Baidu Netcom Technology Co., Ltd., and requested Baidu to send a representative to be interviewed. However, Baidu only made a simple written explanation of the relevant issues, and shifted the responsibility of notification and selection of permissions to the mobile phone operating system, "passively responding to the investigation of the Provincial Consumer Protection Committee."

In the rectification plan that Baidu finally submitted, it refused to rectify the relevant permissions involving the security of consumers' personal information, such as "monitoring calls", "reading SMS and MMS", and "reading contacts" in "Baidu Mobile" and "Baidu Browser". There were also no clear measures to inform consumers of the purpose, method, and scope of the permissions applied for by the APP and for consumers to choose, which failed to effectively protect consumers' right to know and right to choose.

In fact, Baidu has no intention of monitoring netizens' phone calls.

Baidu requested the READ_PHONE_STATE permission. READ_PHONE_STATE gives access to sensitive data including the user's device and SIM hardware IDs, as well as the caller's phone number. Baidu stated that it requested the permission in order to read the incoming phone number and identify spam calls. Strictly speaking, the permission covers monitoring the phone status, but Xiaomi's operating system labels it "monitoring calls." That inaccurate translation in the operating system led to the misunderstanding.

However, this does not mean that Baidu does not have any problems. In fact, the problem of permission abuse is a common problem in the domestic Android application market.

Reading device IDs such as IMEI is actually a common practice in the industry. These device IDs can help manufacturers count the number of users and understand user situations to fix bugs. However, unlike foreign manufacturers, many domestic mobile phone manufacturers often use coercive measures to obtain IMEI numbers. For example, WeChat will apply for IMEI and local storage permissions when the program starts. If the user refuses permissions, it will automatically exit. This practice of "no information, no service" is very common in domestic applications and has been criticized by netizens.

On the other hand, too many application permissions are indeed the current situation in the Chinese application market. An application often obtains nearly a hundred permissions, most of which are unnecessary.

In order to explore the current status of application permissions in more depth, we investigated the number of permissions of mainstream applications on the market. These applications come from major manufacturers. We tried our best to select applications that can be compared horizontally for analysis.

In order to present it more intuitively, we have colored the relevant cells. The darker the red, the more permissions it represents.

During our investigation, we even found that the large number of permissions and components attracted the attention of antivirus software:

From the statistical chart we can observe:

  1. The comparison of apps from domestic and foreign manufacturers is not comprehensive: many domestic applications have no foreign counterpart (the security protection category, for example), and foreign giants cover a narrower range of applications, often only specific fields, so manufacturers cannot be compared directly. Even so, we can see that domestic applications often obtain more permissions than foreign applications.
  2. Even for apps of the same type, there can be huge differences in the number of permissions. The biggest disparity is in the payment tools category, where JD Wallet (18), which has the fewest permissions, differs from Alipay (229) by a factor of 10.
  3. Payment tools may have certain "security attributes", but even among browsers, which have no such "security attributes", UC Browser (195), which has the most permissions, is still far ahead of Chrome (33).

What are the permissions?

Let’s take the permissions of UC Browser as an example. In the permissions list, we see some permissions that are unclear and do not match the browser’s identity:

Continuing to look at the permission list, we also found multiple permissions related to push.

These permissions belong to the push components of different mobile phone manufacturers. Since Google's withdrawal from China, Google's own Android push solution GCM (FCM) has become unstable, and mobile phone manufacturers have begun to build their own push systems. As a result, domestic developers have an additional task: adapting to the push components of each manufacturer. This is also one of the reasons for the difference in permissions between domestic and foreign app manufacturers.
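One way to count an app's permissions and separate the sensitive and push-related ones, as an added example that is not the survey's own tooling. It assumes the manifest has already been decoded to text XML; the sample manifest, the `com.example.*` names and the "push"/"c2dm" name heuristic are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# The three permissions named in the complaint against Baidu.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE",  # labelled "monitoring calls" by Xiaomi's OS
    "android.permission.READ_SMS",          # "reading SMS and MMS"
    "android.permission.READ_CONTACTS",     # "reading contacts"
}

# Constructed sample: decoded manifest of a hypothetical app (not a real APK).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.browser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="com.google.android.c2dm.permission.RECEIVE"/>
  <uses-permission android:name="com.example.browser.permission.MIPUSH_RECEIVE"/>
  <uses-permission android:name="com.example.vendor.push.permission.RECEIVE"/>
</manifest>
"""

def audit_manifest(xml_text):
    """Count declared permissions and flag sensitive and push-related ones."""
    root = ET.fromstring(xml_text.strip())
    declared = [el.get(ANDROID_NS + "name")
                for tag in ("uses-permission", "uses-permission-sdk-23")
                for el in root.iter(tag) if el.get(ANDROID_NS + "name")]
    unique = sorted(set(declared))  # duplicates inflate raw counts
    custom = [n for n in unique if not n.startswith("android.permission.")]
    # Heuristic (assumption): push-channel permissions carry "push" or "c2dm" in the name.
    push = [n for n in custom if "push" in n.lower() or "c2dm" in n.lower()]
    return {
        "declared": len(declared),
        "unique": len(unique),
        "sensitive": [n for n in unique if n in SENSITIVE],
        "push": push,
        "custom_namespaces": Counter(".".join(n.split(".")[:2]) for n in custom),
    }

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```
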

The good news is that the problem of inconsistent push services may be solved in the future.

According to a news release from the Telecommunication Technology Terminal Laboratory under the Ministry of Industry and Information Technology, the Telecommunication Technology Terminal Laboratory is currently working with major domestic and foreign related companies including Huawei, OPPO, vivo, Xiaomi, Samsung, Meizu, Gionee, Nubia, Google, Baidu, Alibaba, Tencent, Getui, and Jiguang to jointly formulate the Android Unified Push Service (UPS) technical standards, aiming to establish unified standards for domestic message push services, provide terminal users with a better mobile phone experience, and better solve the message push needs of application developers, and has achieved phased results.

Although it cannot be compared with Google's official push platform, the problem of inconsistent interfaces can be solved. And since the push needs to go through the official UPS channel, the problem of frequent background wake-up of the application will also be solved.

Do permissions really matter?

As mentioned earlier, most application permissions are not necessary, so why not use fewer permissions to serve users?

The device ID used to uniquely identify the user has become mandatory for some apps. When WeChat is started, a prompt window for phone permissions and local storage permissions will pop up. If the permission application is rejected, it will stop working. It seems that obtaining such information will determine the functionality of the app.

We can use AppOps to ignore the request and successfully enter the App without any functional restrictions during use. This makes people question the necessity and legitimacy of forcing the provision of device IDs.

Apple also has different solutions and ideas for handling user identification information.

To keep collected user data from exposing user privacy, Apple introduced its Differential Privacy technology at the WWDC conference in June 2016. Simply put, it adds random information to personal data before the data leaves your device, so that what you send cannot be matched to your real personal information, avoiding exposure of personal privacy. The aim of the technology is to study user behavior in aggregate rather than individually, so that data can be collected without leaking identity information.
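The idea can be shown with randomized response, a classic local differential privacy mechanism; this is an added example, not Apple's implementation. Each simulated user randomizes one yes/no answer on the device, and the collector recovers only the population rate. The user count, true rate, epsilon and seed are constructed values.

```python
import math
import random

def p_truth(epsilon):
    """Probability of reporting the true bit under epsilon-local DP."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive, otherwise reports carry no signal")
    return math.exp(epsilon) / (math.exp(epsilon) + 1)

def randomize(truth, epsilon, rng):
    """On-device step: keep the true answer with probability p, else flip it."""
    return truth if rng.random() < p_truth(epsilon) else not truth

def privacy_ratio(epsilon):
    """How much more likely a report is under one true value than the other."""
    p = p_truth(epsilon)
    return p / (1 - p)  # equals e^epsilon, the differential privacy bound

def estimate_rate(reports, epsilon):
    """Collector step: remove the known noise bias from the observed 'yes' rate."""
    p = p_truth(epsilon)
    observed = sum(reports) / len(reports)
    # observed = (1 - p) + true_rate * (2p - 1), solved for true_rate
    return (observed - (1 - p)) / (2 * p - 1)

def simulate(n_users=100_000, true_rate=0.30, epsilon=1.0, seed=2018):
    """Constructed population: compare the real rate with the debiased estimate."""
    rng = random.Random(seed)
    truths = [rng.random() < true_rate for _ in range(n_users)]
    reports = [randomize(t, epsilon, rng) for t in truths]
    return {
        "true_rate": sum(truths) / n_users,
        "estimate": estimate_rate(reports, epsilon),
        # Share of individual reports that are false: no single report can be trusted.
        "flipped_fraction": sum(t != r for t, r in zip(truths, reports)) / n_users,
    }

if __name__ == "__main__":
    print(simulate())
```

With epsilon = 1, roughly a quarter of individual reports are false, yet the aggregate estimate stays close to the true rate.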

On the other hand, when user data has been collected at large scale, the consequences of a successful cyber attack are disastrous. Even large companies are not immune. In the past year, many well-known large companies have appeared in data leaks of all sizes.

Internet giant Yahoo data leak: the user names, birthdays, email addresses, passwords, phone numbers, and security questions and answers of 1 billion accounts were all leaked.

Equifax, one of the three major credit institutions in the United States, data leak: the data of more than 143 million American users was leaked, including names, social security numbers, dates of birth, addresses, and driver's license information, along with the credit card numbers of 209,000 users and some information of British and Canadian users.

Mobile travel company Uber data leak: the information of 57 million passengers and 50,000 drivers was leaked.

How do we respond?

There is not much we can do about these privacy collectors. Here are two solutions for non-rooted phones:

The first is to use the aforementioned AppOps to ignore the corresponding permissions. AppOps can be used without root, but you need to connect to the computer and use adb to grant the corresponding permissions every time you start the phone. If your phone is already rooted, you don't need to connect to the computer for authorization.

The second is an application called APK Permission Remover, which also does not require root. It works by deleting the corresponding permissions from the APK package and repackaging it. Because the digital signature then differs from the official one, the repackaged application cannot be updated, and the method only works for some applications.

For rooted phones, there are more options, and various permission restriction tools are possible solutions.

Careful readers may find that whether it is Alibaba’s billing incident, Tencent’s chat record incident, or Baidu’s wiretap incident, the three incidents at the beginning of this year all revolve around the topic of privacy. As netizens’ awareness continues to improve, protecting privacy will gradually become the focus of everyone’s attention. For Internet companies, peaceful development is the right way.
