WeChat’s security guide for mini program developers says it may remove or suspend a service that is found to have potential issues with personal data leakage. Photo: AFP

WeChat mini programs for banking pose ‘significant’ risks of personal data leakage, says report

  • Personal banking mini programs on WeChat found to have major data leak risks, report says
  • Sensitive information is found unprotected and unencrypted in dozens of personal banking mini programs

Mini programs that operate within Tencent’s all-purpose WeChat super app pose “significant” risks for personal data leakage, according to an annual cybersecurity report published by a group reporting to China’s powerful internet watchdog.

The National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT/CC) tested 50 personal banking mini programs and found that over 60 per cent did not encrypt any user information either on the device or when it was transmitted.

In addition, more than 90 per cent of those apps were found to have no protections in place for users’ sensitive data, said the report, which was released on Thursday.

“In recent years WeChat mini programs have developed rapidly, but they also exposed prominent security risks, [in particular] the risk of users’ personal information leakage is rather severe,” the authors of the report noted.

Mini programs are lightweight apps that can be launched within the WeChat super app without needing to be downloaded and installed. After testing the 50 banking mini apps, the report found that on average each one contained eight security risks.



The report did not disclose the names of the apps, and it is not clear if they have been asked to fix the security issues or if they have been removed.

The CNCERT/CC is a Beijing-based public institution that reports to the Cyberspace Administration of China (CAC), Beijing’s increasingly powerful internet watchdog that launched a cybersecurity investigation into the recently listed ride-hailing giant Didi Chuxing, citing national security concerns related to Didi’s data security risks.

Tencent did not immediately respond to a request for comment regarding its vetting process for mini programs.

According to WeChat’s security guide for mini program developers, sensitive information that, once leaked, could harm developers’ businesses, partners and users should not appear in mini program files in plaintext. Some sensitive information, such as users’ bank account numbers and phone numbers, should also be obscured or truncated when displayed.

The guide also says that WeChat may remove a mini program and suspend its services if it is found to have problems related to potential leakage of sensitive information.


However, software developers based in China told the South China Morning Post that WeChat was usually more lenient than Apple, known for its strict App Store rules and sometimes confusing enforcement.


This year’s report comes as Beijing puts data security high on its agenda, with a focus on preventing what it deems as important data from going abroad, and on preventing businesses from abusing personal information.

New laws and regulations have been recently released or are in the works to address both issues, including a Data Security Law to take effect on September 1, and the Personal Information Protection Law expected to be released later this year.

The latest CNCERT/CC report touched on a wide range of cybersecurity issues, including cross-border data transfer, personal data leaks and cyberattacks.

Among its other findings, the report says that in 2020, medical imaging data that was not desensitised and contained a large amount of patients’ personal information was transferred abroad nearly 400,000 times.

In 2020, there were 203 cases where personal information was sold illegally, with 40 per cent involving users in the banking, securities and insurance industries, 20 per cent related to users of e-commerce and social media platforms, and 12 per cent involving users in the education industry.


The US was the primary source of foreign malware attacks detected in China last year, accounting for 53.1 per cent of all foreign attacks, while 7.2 per cent came from India, according to the report.


This article appeared in the South China Morning Post print edition as: WeChat mini apps ‘risk data leaks’