Photo: Courtesy of China's Ministry of State Security

China's Ministry of State Security on Friday released an article warning users to be cautious about "data espionage" associated with overseas Software Development Kits (SDK), as national security organs have discovered that certain foreign organizations and individuals with ulterior motives are collecting user data and personal information through SDK, posing certain risks and threats to the country's national security.

SDK has become one of the most important services in the mobile supply chain due to its diversity, usability, and flexibility, but it also brings data security issues, such as excessive collection of user data, the ministry said.

Some SDKs collect personal information that is not relevant to the provision of the service, or force the application of non-essential permissions, such as access to information like geographical location, call history, photo albums, as well as photographing and recording functions. Once the user coverage reaches a certain level, a large amount of data can be collected to profile different user groups, so as to analyze potentially useful information including individual relationships and habits, the ministry said in the release.

For instance, a developer of an app with 50,000 daily active users in the US can earn $1,500 each month by embedding an SDK into their app. The SDK provider can collect the users' location data from the app, according to the release.

Overseas intelligence agencies use SDKs as an important channel for collecting data. In August 2020, The Wall Street Journal reported that a small US company with ties to the US defense and intelligence communities had embedded its software in numerous mobile apps, allowing it to track mobile phones world-wide.

The security authorities said that based on official data, as of December 2022, more than 23,000 samples of 100,000 top applications in China have been found using overseas SDKs, and there are about 380 million domestic terminals using overseas SDKs.

In response to the potential risks, the ministry advised application development enterprises to use registered and certified SDK. Before introducing overseas SDK, the enterprises should do security testing and risk assessment, understanding the privacy policy of the SDK, and continuously monitor the SDK, in order to ensure safe operation.

For individuals, users should enhance their awareness of personal information protection and safe use skills, choose safe channels to download and use applications, and avoid blindly allowing the application for sensitive permissions. In particular, users need to be on high alert when the SDK applies for permissions unrelated to application functions, the ministry suggests.

Global Times