
Nandu tests app permission requests: pop-ups persist after ten refusals, location read more than 2,000 times in five minutes

For many people, phone permissions are a dilemma: grant them and you may regret it; refuse them and some functions stop working. Apps usually request permissions in order to provide their services, but when should a permission be granted, and how often is it reasonable to use it?

On December 17, the "2021 Woodpecker Data Governance Forum", hosted by the Personal Information Protection Research Center of Southern Metropolis Daily, was held in Beijing. At the forum, the Nandu Personal Information Protection Research Group released the "Annual Report on Personal Information Security (2021)" (hereinafter the "Report"), disclosing the compliance status of 150 apps.

The Report found that 89 apps requested non-essential permissions when the user first opened them, that 30 apps kept popping up requests after the user had explicitly refused, and that the worst case prompted 11 times. In addition, 90% of the apps tested called sensitive permissions more often than the minimum their business functions require, and some apps called the location permission more than 2,000 times within five minutes.

1

Some apps require the user to reject 11 permission requests before they can be used

The Report analyzed this year's regulatory notices on the illegal collection and use of personal information by apps, and found that among the problems reported by the Cyberspace Administration of China, "violation of the necessity principle" accounted for 53.3%; the Ministry of Industry and Information Technology reported 228 instances of "compulsory, frequent and excessive permission requests by apps", accounting for 21.6%. Apps collecting personal information and obtaining permissions beyond what is necessary is clearly still a serious problem.

The Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (hereinafter the "Provisions"), issued in March this year, delineate the personal information necessary for the basic functional services of 39 types of apps. Based on the Provisions, the Report assessed the permission-acquisition compliance of 150 apps across ten major industries.

The evaluation results show that only three apps, "New Oxygen Medical Beauty", "360 IOUs" and "Xueersi Online School", scored above 90 points, and the overall average was only 57.9 points. Nearly half of the apps scored between 60 and 70 points, and 60 apps failed, accounting for 40%.


Distribution of permission-acquisition compliance scores across the 150 apps

Looking at specific problems, 89 of the 150 apps tested requested non-essential permissions when the user opened the app for the first time, covering phone, location, storage, contacts, camera, microphone and others; they include many leading apps such as "DingTalk" and "Grapefruit".

For example, on first use "DingTalk" prompted the user for the storage and phone permissions. According to the Provisions, however, the necessary personal information for instant messaging apps consists only of the mobile phone number, account information and contact list. The women's health app "Meiyu" does not need any personal information at all to provide its basic functional services.


Screenshot of the DingTalk app


In addition, forced acquisition of non-essential permissions still exists. According to the Provisions, education and culture apps only need a mobile phone number to provide their basic services, yet an app called "Xueshe" forcibly requests the phone, location and storage permissions and cannot be used if they are refused.

Notably, on a different Android system "Xueshe" could be used normally after its permission pop-ups were repeatedly denied, which means the compliance of the same app differs between phone systems.

Like "Xueshe", many apps require users to reject permission requests several times before they can be used normally. The Report pointed out that 30 apps, such as "Excellent Health" and "Gaotu Classroom", still repeatedly popped up requests after the user had explicitly denied a permission, with the storage permission the one most often requested again.

When "Pink Elephant Life" is opened for the first time, the user has to deny the storage permission pop-up 11 times in a row; twice the user selected "Reject and don't ask again" and the prompt still reappeared. "Idle Fish" requested the location permission 4 times in a row within five minutes, and the last request offered the option "Reject and don't ask again".


Screenshot of the Pink Elephant Life app


Screenshot of the Idle Fish app

The Report argues that requesting the same permission several times in a row is a form of "disguised coercion": after several consecutive pop-ups, users usually assume the app cannot be used unless they grant the permission, so they are forced into agreeing. In other words, consent obtained this way is not the "explicit consent" the law requires.

2

More than half of the apps did not state the purpose for acquiring permissions

Beyond forced acquisition and frequent pop-ups, apps also collect personal information and obtain permissions beyond scope in another way: the permissions actually requested, the permissions disclosed in the privacy policy, and the app's actual functions do not correspond one to one. In this year's notice from the Ministry of Public Security, nearly half of the apps named in Chengdu had the problem of "not explicitly informing users of all the privacy permissions applied for".

The Report found that 57 of the 150 apps, such as "Wall Street News" and "Lijing Weather", did not disclose the sensitive permissions they request in their privacy policy, and that for 63 apps no function corresponding to the requested sensitive permissions could be found in the app. "Baidu News", for example, requested four permissions (camera, phone, contacts and calendar) for which no corresponding function could be found.

The Report also found that the number of apps with the above problems rises gradually from the head of the market to the tail, meaning leading apps perform better than mid- and long-tail apps. The Report suggests that mid- and long-tail apps should take the initiative to comply, and that regulators could appropriately step up supervision of them.

Beyond which permissions are obtained, it is equally important to inform users of the purpose for obtaining them.

The Report found that only 68 of the 150 apps tested explained the purpose in detail in the permission request pop-up. There are two main ways of doing so: showing a pop-up that states the purpose before the request pop-up appears, or displaying the purpose at the top of the screen at the same time as the request pop-up. Of the two, the latter may offer the better user experience.

For example, the "58 Same City" app also adds a deny option to its first pop-up: selecting "Cancel" denies authorization directly, while selecting "Go to authorize" brings up the system permission request pop-up. When the "Today's Headlines" app requests the "phone" permission, a "device permission description" overlay appears at the top of the screen, so users need only one click to understand the purpose of the permission and decide whether to authorize it.

Once a permission is granted, the app can read the corresponding user information. In many cases apps need to transfer user-generated information from the device to a server for processing, and this may involve sensitive personal information such as ID numbers, bank accounts and facial data, so encrypting the data in transit is crucial.

The technical evaluation found that 29 apps, such as "Xueersi Online School" and "Airbnb", did not encrypt the transmitted data, nearly 20% of the sample; users' phone numbers, ID card numbers, nicknames, account passwords, verification codes, phone models and geographic locations were visible in the clear, posing a high risk of data leakage.


Data transmitted by the Xueersi Online School app


Data transmitted by the Airbnb app
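The finding above, that phone numbers, ID numbers and passwords travelled in the clear, is the kind of thing an app's own QA harness can catch before release. The following is an added example, not the Report's tooling: it scans a constructed capture of app requests (fake hosts, a fake phone number and a fake ID number with region code 000000) and reports sensitive fields that were sent over an unencrypted connection. The ID-number check applies the ISO 7064 MOD 11-2 check digit so that arbitrary 18-digit strings such as order numbers are not reported.

```python
"""Added example (not from the Nandu report): flag personal information that an app
sends over an unencrypted connection, working from a constructed capture."""
import re

# Constructed capture (not real traffic). 'tls' records whether the connection was
# encrypted; 'body' is the decoded request payload the harness observed.
CAPTURE = [
    {"host": "api.example-school.test", "tls": False,
     "body": "phone=13800000000&idcard=000000190001010009&nick=tester&pwd=P%40ss"},
    {"host": "api.example-stay.test", "tls": True,
     "body": "lat=30.5&lng=114.3&model=PhoneModelX"},
    {"host": "cdn.example.test", "tls": False, "body": "v=1&build=42"},
]

# Field types the Report lists as visible in the clear.
PATTERNS = {
    "phone": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),       # mainland mobile number
    "id_number": re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)"),  # 18-character resident ID
    "password": re.compile(r"(?:^|&)(?:pwd|password)=[^&]+"),
    "location": re.compile(r"(?:^|&)(?:lat|lng)=[-\d.]+"),
}

ID_WEIGHTS = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2]
ID_CHECK = "10X98765432"


def valid_id_checksum(s):
    """ISO 7064 MOD 11-2 check digit used by 18-character resident ID numbers."""
    if len(s) != 18 or not s[:17].isdigit():
        return False
    total = sum(int(c) * w for c, w in zip(s[:17], ID_WEIGHTS))
    return ID_CHECK[total % 11] == s[17].upper()


def plaintext_findings(capture):
    """Return (host, field_type) pairs for sensitive fields on unencrypted connections."""
    findings = []
    for req in capture:
        if req["tls"]:
            continue  # encrypted in transit; not the finding this check is about
        for name, pattern in PATTERNS.items():
            for match in pattern.finditer(req["body"]):
                if name == "id_number" and not valid_id_checksum(match.group(0)):
                    continue  # 18 digits but not a valid ID number
                findings.append((req["host"], name))
    return findings


if __name__ == "__main__":
    for host, field in plaintext_findings(CAPTURE):
        print(f"{host}: {field} sent in the clear")
```

In a real harness the capture would come from a proxy or packet capture on the test device; the checker only needs to know, per request, whether the connection was encrypted and what the payload contained.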

3

"Lijing Weather" called the location permission more than 2,000 times in five minutes

In recent years, Xiaomi, Huawei and Apple phones have successively introduced a feature that records app activity, showing at a glance when an app accessed which data. With this feature, WeChat and Meituan were found to frequently access photo albums and location in the background; Nandu reporters' own tests found similar behaviour in apps such as Alipay, Agricultural Bank of China, Honor of Kings and Dianping.

With technical support from GCC Feitian Xinan Technology Co., Ltd., the Report evaluated how frequently the 150 apps invoked sensitive permissions over a period of time, in both foreground and background scenarios.

The Report refers to the "Information Security Technology: Personal Information Security Evaluation Specification for Mobile Internet Applications (Apps)" (draft for comments) and sets the standard as follows: for the location permission, in real-time positioning scenarios such as map navigation and location tracking, a reasonable retrieval frequency is once per second; in scenarios such as displaying nearby available services, once every 30 seconds; and in scenarios such as identifying the current address, a single read. Other sensitive permissions may only be read when the user actively triggers the function or after the user's explicit authorization.

The evaluation results show that while an app is in the foreground, as many as 135 apps access permissions frequently, concentrated in three categories: location, IMEI number (device identifier) and clipboard, with 134, 128 and 58 apps respectively.


Distribution of the number of apps that frequently obtain sensitive permissions

The most serious case is "Lijing Weather", which called the location permission about 153 times per minute on average; "NetEase News" called it nearly 17 times per minute on average. "Tencent Video" read the IMEI number about 202 times per minute on average, and "NetEase News" about 48 times per minute.

In addition, 58 apps such as "AutoNavi Map", "WeChat" and "Douyin" read the clipboard when the user had not actively triggered the relevant function; "DJ Music Library" read it about 8 times per minute. Apps such as "DingTalk" and "Grapefruit Card" called the calendar permission many times during the evaluation.

The figures above are for apps in the foreground. In the background, the frequency of permission calls decreased overall, but "Lijing Weather" alone read location information 2,286 times in five minutes, even more often than in the foreground.

Besides the 15 apps that still frequently called the location permission in the background, Tencent Video read the IMEI number an average of 46 times per minute while in the background. Also in the background, with no need to read the clipboard, "Sina News" still accessed the clipboard once.
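Two of the behaviours measured above, permission prompts repeated after an explicit denial (the "Pink Elephant Life" and "Idle Fish" cases) and location reads exceeding the per-scenario frequency the Report adopts from the draft specification, can be checked mechanically from an event log. The following is an added example, not the Report's or GCC Feitian Xinan's measurement tooling: it runs over a constructed event log (event names, timestamps and the 300-reads-in-120-seconds series are all made up for illustration) and reports re-prompts after denial and whether the observed location read rate exceeds what each scenario allows.

```python
"""Added example (not from the Nandu report): check a permission-event log for
re-prompts after denial and for over-frequent location reads."""
from collections import defaultdict

# Minimum interval between location reads, in seconds, per scenario, as quoted in
# the Report. None means a single one-off read regardless of the window length.
LOCATION_MIN_INTERVAL_SEC = {
    "navigation": 1.0,   # map navigation / location tracking: once per second
    "nearby": 30.0,      # showing nearby available services: once per 30 seconds
    "address": None,     # identifying the current address: read once only
}

# Constructed event log (not measured data). Each entry is (seconds, event, permission);
# event is "prompt" (dialog shown), "deny", "deny_forever" ("reject and don't ask
# again"), "grant" or "read" (the permission was actually used).
SAMPLE_EVENTS = [
    (0.0, "prompt", "storage"),
    (0.5, "deny", "storage"),
    (2.0, "prompt", "storage"),        # re-prompt after a plain denial
    (2.5, "deny_forever", "storage"),
    (4.0, "prompt", "storage"),        # re-prompt even after "don't ask again"
    (4.5, "deny", "storage"),
    (10.0, "prompt", "location"),
    (10.5, "grant", "location"),
] + [(10.5 + i * 0.4, "read", "location") for i in range(300)]  # 300 reads in 120 s


def prompts_after_denial(events):
    """Map permission -> (prompts after any denial, prompts after 'don't ask again').
    Only permissions that were re-prompted appear; a non-zero second value means the
    app ignored the user's "reject and don't ask again" choice."""
    denied, denied_forever = set(), set()
    counts = defaultdict(lambda: [0, 0])
    for _, event, perm in sorted(events):
        if event == "prompt":
            if perm in denied:
                counts[perm][0] += 1
            if perm in denied_forever:
                counts[perm][1] += 1
        elif event in ("deny", "deny_forever"):
            denied.add(perm)
            if event == "deny_forever":
                denied_forever.add(perm)
    return {perm: tuple(c) for perm, c in counts.items()}


def count_reads(events, permission, window_sec):
    """Reads of `permission` within `window_sec` seconds after it was first granted."""
    granted = [t for t, ev, p in events if ev == "grant" and p == permission]
    if not granted:
        return 0
    start = min(granted)
    return sum(1 for t, ev, p in events
               if ev == "read" and p == permission and start <= t <= start + window_sec)


def allowed_location_reads(scenario, window_sec):
    """Upper bound on location reads the Report's standard permits in the window."""
    interval = LOCATION_MIN_INTERVAL_SEC[scenario]
    return 1 if interval is None else int(window_sec // interval)


def location_over_threshold(events, scenario, window_sec):
    """Return (observed reads, allowed reads, reads per minute, over threshold?)."""
    observed = count_reads(events, "location", window_sec)
    allowed = allowed_location_reads(scenario, window_sec)
    per_minute = observed * 60.0 / window_sec
    return observed, allowed, per_minute, observed > allowed


if __name__ == "__main__":
    print("re-prompts after denial:", prompts_after_denial(SAMPLE_EVENTS))
    for scenario in LOCATION_MIN_INTERVAL_SEC:
        print(scenario, location_over_threshold(SAMPLE_EVENTS, scenario, 120))
```

The scenario has to be supplied by the tester, since the same read rate is acceptable for turn-by-turn navigation and excessive for a weather app showing the current city; the log itself only records that a read happened.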

In 2019, the Nandu Personal Information Protection Research Center noted in its "2019 Personal Information Security Annual Report" that of 100 mobile finance apps, 59 called the device identifier more than 100 times per minute. "CmLCC Finance" called it 6,109 times in one minute, "Rong360" 2,586 times, and "51 Credit Card Butler", "51 People Character Loan", "Repayment", "Gome Easy Card" and "360 IOUs" more than 1,000 times each.

By contrast, although the criteria for identifying frequent permission access were stricter this year, the situation has improved significantly. As for out-of-scope access, in 2021 only one app, "Xueshe", forced authorization, far fewer than the 22 apps in 2019, and the proportion of apps obtaining non-essential permissions by default was nearly 9 percentage points lower than in 2019.

Producer: Nandu Personal Information Protection Research Group

Written by: Fan Wenyang, trainee reporter at Nandu
