Comment: Baidu Caught Collecting Sensitive Details From Android Users

Two Android applications belonging to Chinese tech giant Baidu were reportedly removed from the official Google Play Store at the end of October. The two apps, Baidu Maps and Baidu Search Box, were removed after Google received a report from US cyber-security firm Palo Alto Networks claiming that they contained code that collected information about users. According to Palo Alto Networks, the data collection code was found in the Baidu Push SDK, which both apps use to show real-time notifications.

Expert Comments

November 25, 2020
Kristina Balaam
Senior Security Intelligence Engineer
Lookout
SDKs that attempt to collect sensitive information about the device are not terribly uncommon; many advertising SDKs do this in order to serve more relevant ads to users. However, it’s important to be mindful of the permissions an application requests so that a user may know exactly what kind of data they might be sharing with a corporation, advertising SDK or developer. In the case of Baidu Maps and Baidu Search Box, the applications are asking for the “READ_PHONE_STATE” permission. In versions of the operating system prior to Android 10, “READ_PHONE_STATE” protected the user from sharing certain unique, identifying data like the IMSI and IMEI without explicit permission. As Palo Alto Networks points out, details unique to the user like the IMSI and IMEI, and which are typically associated with the user’s SIM card, could be used to track the individual across devices. With Android 10, Google has limited device identifiers to system applications and those signed with a platform key.
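
As an added illustration (not part of the quoted comment or of the Palo Alto Networks report), the Python example below audits a decoded AndroidManifest.xml for READ_PHONE_STATE and applies the Android 10 (API level 29) cut-off described above. The sample manifest, its package name and the result labels are constructed for this example, and the manifest is assumed to have already been decoded from the APK's binary form into text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
READ_PHONE_STATE = "android.permission.READ_PHONE_STATE"
ANDROID_10_API = 29  # Android 10 corresponds to API level 29

# Constructed sample manifest (text XML); not taken from either Baidu app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"
                     android:maxSdkVersion="22"/>
</manifest>
""".strip()


def requested_permissions(manifest_xml):
    """Map each <uses-permission> name to its android:maxSdkVersion (or None)."""
    root = ET.fromstring(manifest_xml)
    perms = {}
    for el in root.iter("uses-permission"):
        name = el.get(f"{{{ANDROID_NS}}}name")
        max_sdk = el.get(f"{{{ANDROID_NS}}}maxSdkVersion")
        if name:
            perms[name] = int(max_sdk) if max_sdk else None
    return perms


def identifier_exposure(manifest_xml, device_api):
    """Classify what READ_PHONE_STATE means for IMEI/IMSI on a given API level."""
    perms = requested_permissions(manifest_xml)
    if READ_PHONE_STATE not in perms:
        return "not-requested"
    max_sdk = perms[READ_PHONE_STATE]
    if max_sdk is not None and device_api > max_sdk:
        # The request is capped below this release, so it is not in effect here.
        return "not-requested-on-this-release"
    if device_api >= ANDROID_10_API:
        # Android 10+: device identifiers are limited to system/platform-signed apps.
        return "requested-identifiers-restricted"
    # Before Android 10 this permission is what gates IMEI/IMSI access.
    return "requested-identifiers-readable-if-granted"


if __name__ == "__main__":
    for api in (28, 29):
        print(api, identifier_exposure(SAMPLE_MANIFEST, api))
```
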
