At this year’s Consumer Day Gala hosted by state broadcaster China Central Television (CCTV) on March 15, it was reported that some SDKs (Software Development Kits) collect user information that’s not required or authorized.
Similar concerns were discovered in the financial service app registration work carried out by NIFA recently, where third-party SDKs were found to be widely used. With thorough analysis, it’s been concluded that SDKs could improve efficiency of mobile apps deployment, but there are also problems that need to be addressed.
The purpose, method and scope of personal information collected by SDKs are not specified in the Privacy Policy. The use of SDKs is beyond the scope of authorization given by users. The abuse of SDKs among mobile apps is not in line with real business demand.
NIFA hereby calls on all financial institutions that provide mobile apps downloading and all external assessment institutions to attach great importance to the potential risks brought by SDKs, assess whether third-party codes or SDKs inserted collect non-required or unauthorized personal information, and take security measures in accordance with the “Cybersecurity Law of the People’s Republic of China”, “Mobile Finance Apps Security Management Specification” and “Personal Financial Information Protection Technical Specification” with the aim to secure personal information and property of users.
