Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Android China Privacy

Baidu's Android Apps Caught Collecting Sensitive User Details (zdnet.com) 19

Two Android applications belonging to Chinese tech giant Baidu were removed from the official Google Play Store at the end of October after they were caught collecting sensitive user details. From a report: The two apps -- Baidu Maps and Baidu Search Box -- were removed after Google received a report from US cyber-security firm Palo Alto Networks. Both apps had more than 6 million downloads combined before being removed. According to the US security firm, the two apps contained code that collected information about each user's phone model, MAC address, carrier information, and IMSI (International Mobile Subscriber Identity) number. The data collection code was found in the Baidu Push SDK, used to show real-time notifications inside both apps. Palo Alto Networks security researchers Stefan Achleitner and Chengcheng Xu, who identified the data collection code, said that while some of the collected information is "rather harmless," some data like the IMSI code "can be used to uniquely identify and track a user, even if that user switches to a different phone." The research team said that while the collection of personal user details is not specifically forbidden by Google's policy for Android apps after they reported the issue to Google, the Play Store security team confirmed their findings and "identified [additional] unspecified violations" in the two Baidu apps, which eventually led to the two apps being removed from the official store on October 28.
This discussion has been archived. No new comments can be posted.

Baidu's Android Apps Caught Collecting Sensitive User Details

Comments Filter:
  • Isn't is time to beef up the security/privacy model of Android OS?

    • by green1 ( 322787 )

      Exactly this. MANY apps collect all sorts of info they have no need to, and Android happily provides it, with no choice for the user to opt out.

      Android needs to enforce a permission model where apps get access to nothing without permission. As it is, only a few specific permissions can be controlled by the user, the rest are all automatically granted to everything.

      • I'd like to see finer grained schemes. Problem right now is, permissions are granted to multiple, unrelated code paths simultaneously.

        If you get X permission in Y role within context Z, you shouldn't be granted it silently also in context FU, which might be malicious.

        I'm reminded of how multi level master keyed systems inadvertently create potential master keys that are usually unused. There exists a balance between not enough different levels of masters and too many to the point where nearly any old key wi

        • by green1 ( 322787 )

          My biggest complaint is that Android has various permissions that it lists for apps in the play store, and that are often abused, but that the user has no control over at all. It's nice that we get to day no to some of them, but the rest of the ones they list in the play store should be controllable too.

    • by Tablizer ( 95088 )

      Isn't is time to beef up the security/privacy model of Android OS?

      The problem is that it's based on Linux

      -9 Flamebait

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Tuesday November 24, 2020 @09:52AM (#60761258) Homepage Journal

    for example [bangkokpost.com]

    If Google really wants to pretend to care about malware, they will ban Baidu from the Google Store completely, as well as anyone who includes their libraries. Doing anything else sends the message that you can get caught spying on users over and over again without any real penalty. After all, it takes no time to whip up a new version of an app with a different name, that you can sneak the spyware into later.

    • That's something seeing the link you provided was less than 5 years ago. How many chances can a company get? Based on my experiences I've found the Play Store to be akin to the Wild West. Not a very thorough vetting process (esp. for security) to get an app published on there.

      • In EULA - Little Red riding hood. Oh what big eyes you have, the better to track you with, helps us serve you better. All for your own good now gimme.
  • Over the past decade, vast majority of data theft is done by Chinese. This was done either by installed app, hacking, etc... Even well recognized companies like Lenovo were caught with their hands in the cookie jar. Baidu is similar to google and facebook in US. They have a great load of data on their hand, there's no reason for them not to steal.
  • If a company knowingly puts scammy software in the Play Store, Google should pull their whole account not just the app in question.

    Nuke them from space, it's the only way to be sure.

  • apps from China to the play store assume a thorough inspection will be needed first. Companies like Baidu that have multiple infractions should be banned permanently. Assume any app or company coming from a third-world communist or dick-tator led country should be treated as suspect.

Let's organize this thing and take all the fun out of it.

Working...