Google removes Baidu apps in wake of Palo Alto research report which said they collected sensitive data

  • Researchers found Baidu’s search and map apps collected sensitive data that includes numbers embedded in SIM cards, allowing for tracking across devices
  • Baidu says the search app is back in the app store after problems addressed

Baidu’s main search app has 544 million monthly active users, the company said in September. Photo: Shutterstock

Google removed two Android apps from Chinese search giant Baidu in the wake of a report published by researchers at Palo Alto Networks, which found the apps collected sensitive user data that could be used to track people even after they switch to a new smartphone. The apps had a combined 6 million downloads.

Baidu confirmed that its search app and Baidu Maps were both pulled from Google Play Store globally on October 28 but denied that the apps were removed over the research findings. A Baidu spokeswoman said on Thursday that the apps were removed because they were not compliant with some other Play Store guidelines.

Baidu said the apps have been updated according to Google’s recently adjusted app policies. The main Baidu app returned to Google Play on November 19 after an update, and the company said Baidu Maps will be back in early December.

Google also did not specify the reasons for the app removals. When asked, it pointed to a previous statement it gave to the researchers.

“We appreciate the work of the research community, and companies like Palo Alto Networks, who work to strengthen the security of the Play Store,” Google said. “We look forward to collaborating with them on more research in the future.”

In its report, Palo Alto Networks found the Baidu apps were collecting MAC addresses, carrier information and IMSI numbers from users’ phones. An IMSI number is a unique identifier for a mobile carrier subscriber, which is stored on a SIM card. This means the number could be used to track users across devices as long as they keep the same subscription with the same telecoms company, possibly allowing that information to be exploited by cybercriminals or state actors. Baidu sent the information to an IP address in China, according to the research.