Baidu's Android apps caught collecting sensitive user details
Two Android applications belonging to Chinese tech giant Baidu have been removed from the official Google Play Store at the end of October.
The two apps —Baidu Maps and Baidu Search Box— were removed after Google received a report from US cyber-security firm Palo Alto Networks claiming that the two apps contained code that collected information about users.
According to Palo Alto Networks, the data collection code was found in the Baidu Push SDK, used to show real-time notifications inside both apps.
The code collected details such as phone model, MAC address, carrier information, and IMSI (International Mobile Subscriber Identity) number, according to Stefan Achleitner and Chengcheng Xu, the two Palo Alto Networks researchers who identified the data collection behavior.
Achleitner and Xu said that while some of the collected information was "rather harmless," some data like the IMSI code "can be used to uniquely identify and track a user, even if that user switches to a different phone."
The research team said that while the collection of personal user details was not specifically forbidden by Google's policy for Android apps after they reported the issue to Google, the Play Store security team confirmed their findings and "identified [additional] unspecified violations" in the two Baidu apps, which eventually led to the two apps being removed from the official store on October 28.
In an email today, a Baidu spokesperson said that while the data collection behavior at the center of the initial Palo Alto Networks report triggered an investigation from Google's team, the data collection behavior was not the reason the two apps were taken off the Play Store in the first place, as the Chinese company had obtained permission from users to collect this info from users
Nevertheless, other issues were also discovered by the Google team, which the Baidu team said it's working to resolve. At the time of writing, the Baidu Search Box app has been restored to the Play Store, and Baidu says the Baidu Maps app will also make a comeback after Baidu devs fix the reported issues.
Both apps had more than 6 million downloads combined before being removed.
But in addition to the Baidu Push SDK, the Palo Alto Networks team said they also identified similar data collection code in the ShareSDK developed by Chinese ad tech giant MobTech.
Used by more than 37,500 apps, Achleitner and Xu say this SDK also allows app developers to collect data such as phone model information, screen resolution, MAC addresses, Android ID, Advertising ID, carrier info, and IMSI (International Mobile Subscriber Identity) and IMEI (International Mobile Equipment Identity) codes.
"Analysis of Android malware shows that SDKs, such as the Baidu Push SDK or ShareSDK, are frequently used by malicious applications to extract and transmit device data," Achleitner and Xu said, suggesting that while the SDKs may have been developed for legitimate purposes, such as pushing notifications and sharing content on social media, they are often abused by the developers of malicious apps.
All in all, this is a regular problem not only for the Android ecosystem, but for the entire online app world, with many apps collecting sensitive user details without restriction in the absence of legislation that specifically prohibits such practices.