From recent hot security events, SDK security management


A third-party SDK that leaves a back door can bring an enterprise App's business to a halt

As the return to work accelerates, demand for remote work is growing, and many Apps are taking on a massive influx of customers. Under this surge of traffic, however, minor security issues are also magnified. Recently, a well-known online meeting App was exposed for collecting and transmitting personal information in bulk without users' knowledge, leading to the leakage of customer privacy. The issue escalated: many large institutions announced that, for safety reasons, they would disable the App within their organizations, and the online meeting company now faces heavy user losses and the risk of massive compensation claims.


Combining other reports, it can be seen that the problems existing in this event include:

- There is no complete understanding of which SDKs the App integrates, and some are omitted
- There is no complete understanding of the behavior of the SDKs, including which sensitive system permissions involving personal information each SDK calls
- The specific behavior of the SDKs is not mentioned in the privacy agreement

Knowing the reasons, walking the road to SDK compliance

In the end, effectively mastering the integration of SDKs in the App and understanding the specific permission calls of SDKs are the prerequisites for avoiding compliance issues.

Some common SDKs, such as payment SDKs and navigation SDKs, are closely tied to personal information by the nature of their functions. The information commonly collected by SDKs includes mobile device information (unique identifiers such as IMEI and IMSI), network information (IP address, MAC address, Wi-Fi hotspots, etc.), mobile status information (such as which applications are installed or running), user behavior information (such as screen lock, and installation, upgrade and uninstallation of application software), and user personal information (such as phone numbers, geographical location and call records). The scope of information collected is very extensive. Because an SDK runs as part of the App, the App is legally responsible for the SDK's behavior. The 'Data Security Management Measures (Consultation Draft)', 'Personal Information Security Specification', and 'Self-assessment Guidelines for Personal Information Collection and Use by Mobile Internet Applications (Apps)' clearly state how Apps should handle their relationship with SDKs.

Recent security incidents, and the cases previously reported by regulatory authorities, show a recurring pattern: the SDKs integrated into an App collect personal information, but the collection performed through those SDKs is not mentioned in the privacy policy. The result is criticism from regulators, negative public opinion, and in some cases the direct removal of the App from the market, with a corresponding impact on the business.


Therefore, App developers should conduct a compliance analysis of the SDKs they integrate: know which SDKs are integrated into the App, check whether every SDK behavior is listed in the privacy agreement, and check whether any SDK has hidden behaviors.

An application behavior security detection platform helps developers maintain SDK security

In response to the above issues, Baimeng Security has launched the application behavior security detection platform to help developers gain insight into SDK behavior security and carry out application compliance protection.

1. Quickly discover SDK integration, listing all SDKs integrated into the application;

2. Detect SDK permission behaviors, helping enterprises and developers quickly confirm whether there is any abuse of permissions;

3. Audit SDK network connection actions;

4. Based on real behavior detection, it does not rely on features;

5. It is simple to use, and staff do not need to master professional penetration-testing skills.
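The first three points above, together with the compliance analysis the previous section asks developers to perform, amount to one check: inventory the SDKs actually present in the App, attribute observed permission use to each SDK, and compare the result with what the privacy policy discloses. The following is an added example of that check, not code from Baimeng Security's platform or from the original article. It assumes a merged `AndroidManifest.xml` (constructed below), a constructed runtime log of permission checks in a hypothetical `<timestamp> <caller package> <permission>` format such as a behavior-detection hook might emit, and a heuristic that identifies an SDK vendor by the first two segments of a component's package name; the SDK names and policy contents are all constructed.

```python
"""Added example: SDK inventory and privacy-disclosure audit for an Android App.

Not the platform's own code. Inputs are constructed samples; the "vendor =
first two package segments" rule is a heuristic assumed for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a merged manifest as the build would produce it.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.meeting">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name="com.example.meeting.MainActivity"/>
    <service android:name="com.paysdk.core.PayService"/>
    <receiver android:name="com.navsdk.loc.LocationReceiver"/>
    <provider android:name="com.analyticsx.init.InitProvider"/>
  </application>
</manifest>
"""

# Constructed sample: runtime permission checks attributed to the calling package.
# Hypothetical format: "<timestamp> <caller package> <permission>".
SAMPLE_RUNTIME_LOG = """\
1712000001 com.paysdk.core android.permission.READ_PHONE_STATE
1712000002 com.navsdk.loc android.permission.ACCESS_FINE_LOCATION
1712000003 com.analyticsx.init android.permission.READ_PHONE_STATE
1712000004 com.analyticsx.init android.permission.READ_CONTACTS
1712000005 com.example.meeting android.permission.INTERNET
"""

# Constructed: what the App's privacy policy discloses, per SDK vendor prefix.
PRIVACY_POLICY = {
    "com.paysdk": {"android.permission.READ_PHONE_STATE"},
    "com.navsdk": {"android.permission.ACCESS_FINE_LOCATION"},
}


def sdk_key(class_or_pkg: str, app_package: str):
    """Return the SDK vendor prefix (first two package segments) for a
    component or caller, or None when it belongs to the App itself."""
    if class_or_pkg == app_package or class_or_pkg.startswith(app_package + "."):
        return None
    return ".".join(class_or_pkg.split(".")[:2])


def inventory_sdks(manifest_xml: str, app_package: str) -> set:
    """List third-party SDKs by the components they register in the manifest."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("activity", "service", "receiver", "provider"):
        for element in root.iter(tag):
            key = sdk_key(element.get(ANDROID_NS + "name", ""), app_package)
            if key:
                found.add(key)
    return found


def runtime_permissions(log_text: str, app_package: str) -> dict:
    """Map each SDK vendor prefix to the permissions it was observed using."""
    used = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines rather than abort the audit
        _, caller, permission = parts
        key = sdk_key(caller, app_package)
        if key:
            used.setdefault(key, set()).add(permission)
    return used


def audit(manifest_xml: str, log_text: str, policy: dict, app_package: str) -> dict:
    """Report SDKs absent from the policy and permissions the policy does not disclose."""
    sdks = inventory_sdks(manifest_xml, app_package)
    used = runtime_permissions(log_text, app_package)
    undisclosed = {}
    for sdk, permissions in used.items():
        gap = permissions - policy.get(sdk, set())
        if gap:
            undisclosed[sdk] = sorted(gap)
    return {
        "sdks": sorted(sdks),
        "undeclared_sdks": sorted(sdks - set(policy)),
        "undisclosed_permissions": undisclosed,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_RUNTIME_LOG, PRIVACY_POLICY, "com.example.meeting")
    for item, value in report.items():
        print(f"{item}: {value}")
```

On the constructed input the audit flags `com.analyticsx` as an SDK the policy never mentions, and attributes to it two permission uses (phone state and contacts) that no disclosure covers, while the payment and navigation SDKs come out clean. A manifest-only inventory would miss SDKs that register no components, so pairing it with observed runtime behavior, as point 4 above describes, is what makes the comparison meaningful.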

Do a good job of SDK security management and safeguard the application compliance line of defense

In the current digital transformation, the business of enterprises is increasingly dependent on various applications. Ensuring the security and reliability of the SDKs integrated into these applications is the first line of defense in safeguarding business development.

In scenarios such as outsourced development, SDK integration, use of open-source frameworks, and multi-channel distribution, enterprises can use an application behavior security detection platform for dynamic security monitoring, discovering unauthorized permission and access behaviors of SDKs in advance. Through the application behavior security detection platform and other security products, Baimeng Security provides security testing, security control during the release phase, and security monitoring during the operation phase, helping enterprises establish a full-lifecycle management system for SDKs, secure the software supply chain, avoid violations (especially compliance issues related to personal information), and reduce business security risk.

With the implementation of personal information protection laws, regulations and standards, 'looking back' at existing practice has become something most developers need to do. From privacy policies to the collection of personal information, the industry must move from unbridled growth to orderly growth and continuously improve enterprises' personal information protection capabilities, so that end users can use the services enterprises provide with peace of mind.

