Tuesday, June 24, 2025

China Warns of National Security Risks Posed by Overseas SDKs


In a recent development, China’s Ministry of State Security issued a stark warning to the public, urging caution when it comes to the use of overseas Software Development Kits (SDKs). The ministry has reportedly discovered that certain foreign entities and individuals, driven by ulterior motives, are engaging in the covert collection of user data and personal information through SDKs, potentially posing significant risks to the nation’s security.

SDKs have become essential components of the mobile supply chain, owing to their versatility, usability, and adaptability. While these tools have undoubtedly revolutionized mobile app development, they have also given rise to data security concerns. Among the key issues highlighted by the ministry is the excessive collection of user data by certain SDKs.

According to the ministry’s statement, some SDKs not only gather personal information that is unrelated to the services they provide but also compel applications to request unnecessary permissions, such as access to users’ geographical location, call history, photo albums, as well as capabilities like photography and audio recording. Once a critical mass of users is reached, these SDKs can amass significant volumes of data, enabling the profiling of diverse user groups and potentially revealing individual habits and relationships.

An illustrative example presented by the ministry highlights the financial incentives for app developers to embed such SDKs into their products. For instance, an app developer with 50,000 daily active users in the United States could earn a monthly income of $1,500 simply by integrating an SDK into their application. The SDK provider, in turn, can collect location data from these users through the app.

The ministry’s concerns extend beyond the realm of economic incentives and data collection. It asserts that overseas intelligence agencies exploit SDKs as vital conduits for amassing data. In a striking case reported by The Wall Street Journal in August 2020, a small American company with links to the U.S. defense and intelligence communities had embedded its software within numerous mobile apps. This enabled the company to track mobile phones on a global scale, raising serious privacy and security concerns.

In an attempt to quantify the extent of the issue, security authorities cited official data as of December 2022, revealing that over 23,000 samples from the top 100,000 applications in China were found to be using overseas SDKs. Additionally, approximately 380 million domestic terminals were identified as using overseas SDKs, underscoring the pervasive nature of this challenge.

In light of these potential threats to national security and user privacy, the ministry has offered a set of recommendations for both application development enterprises and individual users.

For application development enterprises, the ministry advises the use of registered and certified SDKs. Prior to incorporating overseas SDKs into their applications, developers should conduct thorough security testing and risk assessments. It is also crucial that developers fully understand the privacy policies associated with the chosen SDKs and maintain continuous monitoring to ensure safe operation.

Individual users are urged to heighten their awareness of personal information protection and cultivate safe usage habits. When downloading and using applications, users are encouraged to select secure channels and exercise caution before granting sensitive permissions. Of particular concern are situations where an SDK seeks permissions unrelated to the core functions of the application, signaling a potential threat.

China’s Ministry of State Security has sounded the alarm over the risks associated with overseas SDKs, shedding light on the potential dangers of data espionage and its implications for national security. As technology continues to advance, vigilance in safeguarding user data and personal information has become paramount, necessitating the adoption of comprehensive measures by both developers and users to mitigate these emerging threats.
