It’s been reported that two Android applications belonging to Chinese tech giant Baidu have been removed from the official Google Play Store at the end of October. The two apps —Baidu Maps and Baidu Search Box— were removed after Google received a report from US cyber-security firm Palo Alto Networks claiming that the two apps contained code that collected information about users. According to Palo Alto Networks, the data collection code was found in the Baidu Push SDK, used to show real-time notifications inside both apps.
SDKs that attempt to collect sensitive information about the device are not terribly uncommon; many advertising SDKs do this in order to serve more relevant ads to users. However, it’s important to be mindful of the permissions an application requests so that a user may know exactly what kind of data they might be sharing with a corporation, advertising SDK or developer. In the case of Baidu Maps and Baidu Search Box, the applications are asking for the “READ_PHONE_STATE” permission. In versions of the operating system prior to Android 10, “ READ_PHONE_STATE\” protected the user from sharing certain unique, identifying data like the IMSI and IMEI without explicit permission. As Palo Alto Networks points out, details unique to the user like the IMSI and IMEI, and which are typically associated with the user’s SIM card, could be used to track the individual across devices. With Android 10, Google has limited device identifiers to system applications and those signed with a platform key.