After a report from the US cybersecurity company Palo Alto Networks was released, Google randomly investigated two Android apps from Baidu. The report said that the Baidu search box and the map application contained code to collect user information, and Google removed them from the Play Store in October 2020. But last week, the Baidu search box reappeared for users.
Specifically, Palo Alto Networks claims that the data collection code exists in the Baidu Push SDK, which is used to display real-time notifications in the two apps. Regarding the data collection behavior, researchers Stefan Achleitner and Xu Chengcheng pointed out:
The code will collect detailed information including phone model, MAC address, operator information, International Mobile Subscriber Identity (IMSI), etc.
Achleitner and Xu added that even though this behavior may seem harmless, data such as IMSI codes can still be used to accurately identify and track users, even if the user switches to another device.
On the one hand, although the matter was reported to Google, it is embarrassing that the company's Android application policy does not specifically prohibit the collection of detailed information about individual users.
But on the other hand, the Play Store security research team found other unspecified violations in the Baidu apps in two investigations, which eventually led to the removal of the two apps from the official app store on October 28, 2020.
A Baidu spokesperson said in an email today that the data collection mentioned in the initial report triggered an investigation by the Google team, but that this is not the reason why the two apps were removed from the Play Store, because the company has obtained permission from users to collect such information.
At the same time, the Baidu team said it is working hard to solve other problems discovered by Google. As of press time, the Baidu search box application has returned to the Play Store, and the map application will return as soon as possible after fixing related issues.
Before being removed from the store in October, the two Baidu apps had been downloaded more than 6 million times in total. In addition, Palo Alto Networks researchers found similar data collection code in the ShareSDK developed by the Chinese advertising technology giant MobTech.
Achleitner and Xu stated that the SDK has been used by more than 37,500 applications, and allows developers to collect personal information including phone model, screen resolution, MAC address, Android ID, advertising ID, operator/IMSI/IMEI, etc. Obviously, this kind of incident is not isolated, but is a persistent problem in the Android ecosystem.