An SDK is a plug-in that provides a particular function or service within mobile phone software. In November 2019, the Shanghai Consumer Protection Committee commissioned a third-party company to run a special test of the SDK plug-ins in some mobile phone software, and found that some of the SDKs had hidden behavior.
Tao Ailian, Deputy Director and Secretary-General of Shanghai Consumer Protection Committee: During the test, we found that SDK plug-ins stole some of the information on consumers’ mobile phones, such as text messages, without the permission of users.
Working from the Information Security Technology standard Basic Specification for Collecting Personal Information by Mobile Internet Application (App) and from the Identification Method for Illegal Collection and Use of Personal Information by App, technicians tested more than 50 pieces of mobile phone software, which contain SDK plug-ins from either Shanghai Kryxin Information Technology Co., Ltd. or Beijing Zhaocai Want Want Information Technology Co., Ltd. Both SDKs are suspected of secretly stealing users' private information without the user's knowledge. The suspicion involves more than 50 pieces of mobile phone software, such as Gome Easy Card, remote control, the strongest flashlight, all-around remote control, 91 speed purchase, daily recycling, flashing, radish mall, Zijin Pratt & Whitney and so on.
Inspector: It will read the IMEI, IMSI, operator information, phone number, SMS records, address book, application installation list and sensor information of this device, all of which are the user's private information.
Reading the user's private information is only the first step for the SDK in these apps. After reading it, the SDK quietly transfers the data to a designated server for storage. In addition to personal information such as phone numbers and address books, the SDK of Beijing Zhaocai Want Want Information Technology Co., Ltd. is even suspected of stealing more private information from users through various software such as recipes, parents' help and dynamic wallpaper.
Testers: It will collect the user's contacts, SMS, location, device information, etc. without the user's consent. The short messages in particular, the contents of which are all passed on, are very serious. This is a real SMS record that exists in my mobile phone. Who its downlink number is and what its short message content is can be clearly seen.
Messages such as "Hello, I’m Chen Si" and "The verification code is 903474, please don’t tell others" are among this important and private user information transmitted to the third-party server. The tester explained that because the SDK can collect the user's short messages and application installation information, once the user has a verification code for online transactions, it is very likely to cause serious economic losses.
In addition, although an SDK is a seemingly ordinary plug-in, it is common to all kinds of mobile apps, and many pieces of mobile phone software may embed the same SDK. Once an SDK steals users' personal information, many pieces of mobile phone software are involved.
Inspector: These SDKs will be embedded in different apps, so the amount involved is relatively large.
Besides the embedded SDK plug-ins, the staff found that some well-known mobile apps also collected users' private information. This involves a variety of software such as cool ringtones, mobile phone ringtones and ringtones.