Are applets less secure than apps?

In recent years, growth in the number of mobile application (app) users has tended to slow, while light applications, chiefly applets (mini-programs), are becoming an important entrance to Internet information services.

Compared with apps, applets need no installation, can be used instantly and occupy less memory, which makes them a fast, pleasant form of application for users. But people also worry: applets are lighter and faster than apps, so are they also less secure?

As applets become ever more integrated into consumers’ daily lives, they inevitably handle users’ sensitive personal information just as apps do, and users face potential security risks while enjoying convenient services. It is imperative to identify the new risks and hazards, propose countermeasures and suggestions, and improve the safety and security of applets.

Speeding up popularity

“In recent years, new application forms such as small programs and fast applications are booming.” Ning Hua, director of the Information Security Department of China’s Terra Terminal Laboratory, pointed out that, as install-free applications developed with front-end technology and rendered in a cloud environment, these instant applications include quick apps, WeChat applets, Alipay applets and Google’s Instant Apps, among others. Their features are, first, that they require no installation and open with a click, yet offer the full application experience of traditional apps; second, that they consume fewer resources and avoid the storage shortage caused by installing apps; third, that content can be reached quickly and directly through the traditional app market, desktop icons, global search and push-notification portals, which gives consumers a better experience. “Applets are, firstly, simple in function and more focused on the core business and main functions; secondly, easy to use, since users can access an applet to obtain services through search, click and authorization without going through download, installation, registration and uninstallation, which lowers the threshold of use; thirdly, low in development cost,” said Zhang Yuanyuan, deputy director of the Information Security Research Department at the Institute of Security Studies, China Academy of Information and Communications Technology.

The diversified needs of users have driven the rapid popularization of applets, which have become the main carrier through which people access Internet services in daily life. QuestMobile’s “Mobile Internet Panorama Ecological Traffic Insight Report” shows that as of November 2019 the total number of applets exceeded 4.5 million, with more than 330 million daily active users.

Applets have become a common Internet service portal. The “2019 White Paper on the Internet Development of Small Programs” (hereinafter the “White Paper”), released by the Aladdin Institute, shows that the number of applets used per capita in 2019 exceeded 60, more than the number of apps installed per capita in the same period; the next-day retention rate of Alipay applet users exceeded 60%, and that of WeChat applets exceeded 50%.

Applets now cover every life scene and age group and have been woven into users’ daily lives. According to the Research Report on the Protection of Personal Information in Small Programs released by the China Academy of Information and Communications Technology, as of April 2020 the applets on the various platforms fell into 11 categories, from entertainment applications such as mini-games, video and audio, to service applications such as education and culture, travel and transportation, daily tools, life services, sports and fitness, online shopping, news and information, medical and health care, and government affairs and public welfare. A common sight in daily life, the applet has established an initial ecosystem. In the first half of 2019 the number of applet platforms grew from two in 2018 to eight, and leading Internet companies such as Tencent, Alibaba, Baidu and ByteDance began to deploy applets.

Information security is at risk

“A shopping applet will ask users for Bluetooth permission, but judging from the features and services it provides, this information collection is unreasonable.” Zhang Yuanyuan said, “Our tests found that each small program has an average of more than three security problems.”

The reporter’s investigation found that applets have from time to time been exposed for illegally collecting and using personal information, and because they collect and use large amounts of personal information, there is a risk of that information being leaked, misused or stolen.

According to Zhang Yuanyuan, in the first half of this year the China Academy of Information and Communications Technology (CAICT) examined four major applet platforms and selected 52 applets that are well known, widely used and handle a lot of personal information, drawn from 10 typical business types including news, life services and online shopping, for a personal information protection evaluation. The test results show that personal information security risks are fairly common among applets, with the most prominent problems in applets for education and culture, travel and transportation, and news and information, mainly in data collection, transmission and deletion.

Failure to provide an effective privacy policy infringes the user’s right to know. Across the platforms, between 23% and 76% of the sampled applets provide a privacy policy, and fewer than 40% provide an independent privacy policy. For example, a bike-sharing applet requests personal information such as the user’s name, mobile phone number and ID number when it is first opened, yet its operator provides no privacy policy and does not explain the scenarios, uses and purposes for collecting that information.

No active opt-in consent is obtained, which infringes the user’s right to choose. 95% of the sampled applets present privacy policies to users in an inconspicuous way, which easily leads users to ignore the policy and miss important information about their rights and interests.

Collecting personal information beyond the necessary scope brings the risk of collection violations. Fitness, shopping and epidemic-prevention applets were found collecting personal information unrelated to the scene at hand.

Transmitting personal information in plaintext brings the risk of illegal data acquisition. About 25% of the sampled applets transmit personal information in plaintext. For example, bike-sharing and express delivery applets transmit users’ precise geographic location in plaintext; medical and health applets transmit users’ health profiles in plaintext, including names, dates of birth, drug allergies and other sensitive personal information.

Failure to tell users how to turn off permissions poses the risk of permissions staying open. All applet platforms currently let users disable permissions, but 94% of the sample did not tell users where to do so, which may leave users with permissions still open to an applet after they have finished using it.

Default sharing of users’ personal information brings the risk of data getting out of control. Without requesting permission from users, some applets obtained and used user information from their associated applets by default, and users were unable to turn off that authorization.

Regulation needs to be strengthened

“The government attaches great importance to app data security and personal information security, but the current supervision and management rarely involves small programs,” Zhang Yuanyuan said.

It is understood that with the rapid growth of applets’ business forms and user numbers, the collection and use of personal information is becoming more frequent, and the need for security management of applets has risen sharply. Many platform operators, for their own management needs, draw on the existing app personal-information-protection work to manage the security of the applets within their platforms.

Experts believe that users are in a weaker position than operators when using applets. If an operator, for purposes beyond what the service needs, collects non-essential personal information outside the applet’s scope, users face the dilemma of either giving up the service or passively handing over the information. If such personal information is misused by criminals, the user’s rights and interests are easily damaged.

With the rapid growth of business forms and user numbers, applets are becoming applications whose development and usage scenarios rival those of apps. The White Paper recommends that this new business format be brought within the scope of personal information protection management, that the security governance model for apps be taken as a reference, that personal information security protection standards be formulated, that the division of responsibilities between applets and platforms be clarified, and that applet operators and platform operators be encouraged to strengthen the protection of users’ personal information.

At the enterprise level, the primary responsibility for personal information protection should be effectively implemented. At the user level, applet users’ awareness of and ability to protect their personal information should be improved.

Zhang Yuanyuan points out that most applet users still lack the awareness and ability to protect their personal information, and it is not uncommon for them to passively hand over sensitive personal information in order to use a service. There is therefore an urgent need to educate users about their rights as controllers of their personal information, through science outreach and community activities, so that they know those rights and can better protect their information. While users’ personal information is protected from infringement, users should also be encouraged to actively report violations, mobilizing social forces to promote the healthy, well-regulated development of applets.

What is the difference between an applet and an app?

“Compared with apps, the capabilities available to applets are simpler.” Zhang Yuanyuan, deputy director of the Information Security Research Department of the Institute of Security Studies at the China Academy of Information and Communications Technology, said that applets are constrained by the applet platform in terms of interface calls, access to and management of permissions, and message pushing.

Applets can call fewer APIs (application programming interfaces) than apps. An applet cannot bypass the applet platform to call the phone’s system APIs and interact with the system directly; an app, on the other hand, can call all of the phone’s system APIs and talk to the system directly to change the system volume, network connection and other settings.

Applets can obtain fewer permissions than apps. An applet can obtain only permissions that the applet platform has itself already obtained from the phone’s system, usually limited to user information, geographic location, background positioning, photo album, mailing address, invoice, recording, camera and step count; an app can obtain more than 100 system permissions, including sensitive ones such as calendar, address book, microphone and SMS.

Permission management also differs between applets and apps. On an applet platform, permissions are usually managed by choosing “allow” or “deny” for a given permission in the platform’s “settings”, and only one applet’s permissions can be set at a time; app permissions are managed in the phone’s system settings and can be managed centrally, so the permissions of several apps can be changed at once.

An applet can only send template messages, or push messages after the user has actively subscribed, whereas an app can push messages to users at any time. The White Paper shows that applets can obtain user information, device information and statistics from the applet platform. After obtaining the user’s authorization, an applet can obtain personal information such as the user’s platform nickname, avatar, gender, location, language, mobile phone number and ID number, personal biometric information such as face and fingerprint, and information such as geographic location and mailing address obtained through permission requests. In addition, on platforms with wealth-management and real-person authentication capabilities, an applet can also obtain authentication results related to property information.
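The platform-mediated permission model described in the preceding paragraphs (an applet can only ask for permissions the platform itself holds, each grant is recorded per applet, and consent must be an explicit user choice) can be made concrete with a small broker. The following is an added illustration written for this article; it is not code from any applet platform or from the White Paper. Scope names follow the WeChat-style `scope.*` convention, but the platform's permission set, the scene table used to flag unrelated requests (the "Bluetooth for a shopping applet" case from the evaluation), and the broker class itself are constructed for the example.

```javascript
// Permissions the platform itself holds from the phone OS (constructed list).
// Applets cannot call the OS directly, so anything outside this set is refused
// before the user is even asked.
const PLATFORM_SCOPES = new Set([
  "scope.userInfo", "scope.userLocation", "scope.userLocationBackground",
  "scope.writePhotosAlbum", "scope.address", "scope.invoice",
  "scope.record", "scope.camera", "scope.werun", "scope.bluetooth",
]);

// Constructed scene table: scopes plausibly needed by each kind of applet.
// Used only by the review helper to flag grants unrelated to the service.
const SCENE_SCOPES = {
  "bike-sharing": ["scope.userLocation", "scope.bluetooth", "scope.camera"],
  "shopping":     ["scope.userInfo", "scope.address", "scope.invoice"],
  "fitness":      ["scope.werun", "scope.userLocation"],
};

class PermissionBroker {
  constructor(platformScopes = PLATFORM_SCOPES) {
    this.platformScopes = platformScopes;
    this.grants = new Map(); // appletId -> Map(scope -> true | false)
    this.log = [];           // audit trail of every decision taken
  }

  settingsFor(appletId) {
    if (!this.grants.has(appletId)) this.grants.set(appletId, new Map());
    return this.grants.get(appletId);
  }

  // An applet asks for a scope. `askUser` models the platform's consent dialog
  // and must return true (allow) or false (deny). No dialog, or no answer,
  // means no opt-in: the request is refused rather than treated as consent.
  authorize(appletId, scope, askUser) {
    const setting = this.settingsFor(appletId);
    let result;
    if (!this.platformScopes.has(scope)) {
      result = { granted: false, reason: "scope not held by platform" };
    } else if (setting.get(scope) === true) {
      result = { granted: true, reason: "previously allowed" };
    } else if (setting.get(scope) === false) {
      // A user who already refused is not prompted again.
      result = { granted: false, reason: "previously denied" };
    } else {
      const answer = typeof askUser === "function" ? askUser(scope) : undefined;
      if (answer !== true && answer !== false) {
        result = { granted: false, reason: "no explicit opt-in" };
      } else {
        setting.set(scope, answer);
        result = { granted: answer, reason: answer ? "user allowed" : "user denied" };
      }
    }
    this.log.push({ appletId, scope, ...result });
    return result;
  }

  // The per-applet settings page: view grants and switch one off. This is the
  // "path to disable permissions" that most sampled applets failed to show.
  getSetting(appletId) {
    return Object.fromEntries(this.settingsFor(appletId));
  }
  revoke(appletId, scope) {
    this.settingsFor(appletId).set(scope, false);
  }

  // Review helper: which allowed scopes look unrelated to the applet's scene?
  outOfScope(appletId, scene) {
    const expected = new Set(SCENE_SCOPES[scene] || []);
    return [...this.settingsFor(appletId)]
      .filter(([scope, allowed]) => allowed && !expected.has(scope))
      .map(([scope]) => scope);
  }
}

// Walk-through with constructed applet ids.
function demo() {
  const broker = new PermissionBroker();
  const allow = () => true;
  broker.authorize("bike-app", "scope.userLocation", allow);
  broker.authorize("shop-app", "scope.userInfo", allow);
  broker.authorize("shop-app", "scope.bluetooth", allow);            // unrelated to shopping
  const flagged = broker.outOfScope("shop-app", "shopping");          // ["scope.bluetooth"]
  const contacts = broker.authorize("shop-app", "android.permission.READ_CONTACTS", allow);
  const silent = broker.authorize("news-app", "scope.userLocation");  // no dialog shown
  broker.revoke("shop-app", "scope.bluetooth");
  return { broker, flagged, contacts, silent };
}

const out = demo();
console.log("flagged:", out.flagged, "| contacts:", out.contacts.reason, "| silent:", out.silent.reason);
```

The two refusals in `demo()` mirror the article's two structural points: the contacts request is refused because the platform never held that permission, and the news applet's location request is refused because no explicit choice was made, rather than being silently allowed.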

The device information an applet can obtain includes network status, WiFi, accelerometer, compass, clipboard, system information, screen information, and so on. System information includes the operating system version and type, phone brand and model, platform version number, platform name, screen width and height, device pixel ratio, and so on. Screen-related information includes whether the screen is kept on and whether the user takes screenshots. Some platforms also allow applets to add phone contacts, read the battery level, and add and delete calendar events.

The behavior of a large number of users can be aggregated into statistical data that applet operators use to understand how the applet is running, analyze where users come from, their composition, growth trends, retention and conversion, behavior and habits, and so on, supporting iterative optimization and operation of the applet. Beyond routine analysis, such as the size, source, frequency, duration, depth and retention of user visits to judge the product’s life-cycle stage, user profiles by age, gender, region, terminal and model, and page popularity measured by visits, dwell time and exit rate for each page, the applet can also run custom analysis of real-time user behavior within the platform. To meet needs for personalized analytics beyond standard statistics such as page views, operators track user behavior at fine granularity.

How to Identify Violations of Personal Information Collection

The State Administration of Market Supervision and Administration, the State Internet Information Office, the Ministry of Industry and Information Technology and the Ministry of Public Security have jointly issued a notice promulgating the Method for Determining the Illegal Collection and Use of Personal Information by Apps (hereinafter the “Determination Method”). Experts point out that consumers can refer to its provisions to protect their personal information when using apps. The Determination Method sets out six determination criteria covering 31 scenarios. The most important is that the service provider should provide clear privacy rules: where an app has no privacy policy or no rules on the collection and use of personal information, or where users are not reminded of the collection and use rules in a conspicuous manner when the app is first run, this counts as “failure to disclose the collection and use rules”.

The Determination Method lists nine scenarios in which personal information is collected and used without the user’s consent:
(1) collecting personal information, or opening permissions that allow it to be collected, before the user’s consent has been obtained;
(2) continuing to collect personal information, or opening such permissions, after the user has explicitly refused, or repeatedly seeking the user’s consent or interfering with the user’s normal use;
(3) collecting personal information, or opening such permissions, beyond the scope the user authorized;
(4) seeking consent in a non-explicit way, such as treating the privacy policy as agreed to by default;
(5) changing the status of permissions the user has set without the user’s consent, such as automatically restoring user-set permissions to their defaults when the app is updated;
(6) using the user’s personal information and algorithms to push targeted information without offering a non-targeted option;
(7) misleading the user into consenting to collection, or into opening such permissions, by fraud, deception or other improper means, such as deliberately concealing or disguising the true purpose of collecting and using the information;
(8) failing to provide the user with a means and method of withdrawing consent to collection; and
(9) collecting and using personal information in violation of the stated collection and use rules.

The Determination Method also defines collecting personal information unrelated to the services provided as excessive collection that violates the principle of necessity:
(1) the types of personal information collected, or the permissions opened, are unrelated to existing business functions;
(2) the app refuses to provide a business function because the user does not consent to the collection of non-essential personal information or the opening of non-essential permissions;
(3) a new business function requests personal information beyond the scope the user originally consented to, and when the user declines, the app refuses to provide the original business functions, except where the new function replaces the original one;
(4) the frequency of collection exceeds what the business functions actually need;
(5) the user is forced to consent to collection solely on grounds such as improving service quality, enhancing user experience, pushing targeted information or developing new products; and
(6) the user is required to consent at once to opening multiple permissions for collecting personal information, and cannot use the app otherwise.

In addition, the Determination Method states that if an app integrates a third-party application and provides personal information to it without the user’s consent, or if, after data has been transmitted to the app’s backend server, the app provides personal information it collected to a third party without the user’s consent or without anonymization, this is deemed “providing personal information to others without consent”.