Some time ago, Ergouzi's social feed was flooded with the "notice on the list of apps that are removed from shelves and infringe on users' rights" issued by the Ministry of Industry and Information Technology. The announcement pointed out that 90 apps had failed to complete rectification as required and would be taken off the shelves. These 90 apps span education, games, security, news and many other fields all over the country. The circular also mentioned that five enterprises had repeatedly shown similar problems across different versions of their apps, including illegal collection of personal information, forcing users to use the targeted push function, forced, frequent and excessive permission requests, and deceiving or misleading users into downloading. The Ministry of Industry and Information Technology said it would deal with these violations in accordance with the law and take the apps off the shelves directly.
After seeing this announcement, out of an onlooker's curiosity, Ergouzi looked up the five enterprises and found that they had issued responses one after another, saying that the problems found in their internal investigations mainly lay in third-party SDKs and the like.
In fact, this kind of illegal use of mobile phone information by third-party SDK plug-ins was exposed by CCTV as early as the 315 Gala in 2020, and news of this kind now appears on the Internet often.
So if SDKs are this dangerous, why do software vendors use them so frequently? To talk about SDKs, though, we first have to talk about APIs.
The emergence of API
If you want to know more about APIs, you can read "Popular science in vernacular, understanding API in 10s". Here is a brief introduction.
API stands for application programming interface. It generally refers to a set of open methods that a service vendor defines in advance. These methods map directly to the vendor's service functions, so applications and developers can call those functions quickly without understanding the details of how the vendor's service works internally. For example, a developer who uses a cloud messaging service to add SMS sending only needs to pick the required functions from the documentation and then call the SMS API to invoke the service; there is no need to know how the message is actually delivered to the customer.
The birth of SDK
After a brief understanding of the API, let’s go back to the SDK mentioned at the beginning of this article.
SDK is the abbreviation of "software development kit". It generally refers to a software toolkit that implements product functions through a third-party service provider. SDKs are usually provided by specialist companies and are collections of development tools for specific software packages, software frameworks, hardware platforms, operating systems, etc. Mobile payment, speech recognition or storage technology can each be packaged as such a specialized kit. An SDK effectively reduces the time developers spend building each function when adding new features to a product.
Like the API, the SDK is provided by the service provider. Developers only need to integrate the relevant SDK and carry out joint debugging of the relevant functional interfaces. They do not need to consider the underlying logic, data storage and so on.
Differences between API and SDK
So what is the difference between the API and the SDK, both of which let developers use third-party services? Why is the SDK inseparable from the API?
In fact, more often than not, an API is more like a subset of an SDK, because:
- An API is usually an interface method with a specific function; an SDK is a collection of many functions, more like a toolkit;
- An API usually takes the form of a single data interface, while an SDK amounts to a tool environment that usually includes all of the API functions apart from the service itself;
- SDK has a higher level of encapsulation than API.
Why SDKs so often go wrong
Service providers offer more and more functions, and users' demand for app functions keeps growing as well. If a company developed every function itself, the time and cost would grow without limit, so companies prefer to use third-party SDK toolkits to implement these functions. As a result, many companies may be using the same SDK. Once there is a privacy leak in that SDK, it affects far more than one company's app.
So, how to avoid such privacy violations?
Developers should, as far as possible, choose third-party SDKs with an established market base; for example, they should try to integrate SDKs selected in the Apple and Google stores.
On the personal level, when downloading apps it is better to choose app stores with a low density of malicious apps, such as Apple's App Store and Android's official app store. Don't casually download unreviewed, unvetted software from websites. And when an app pops up permission requests during installation, confirm each one carefully before granting access to your location, phone address book and other private data.
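One check a developer can run before integrating an SDK, given as an added example that is not part of the original article: on Android, each library's manifest is merged into the app's manifest at build time, so an SDK can bring in permissions the app never declared itself. The package names, the sample manifests and the short `SENSITIVE` list below are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Illustrative subset of privacy-relevant permissions, not an exhaustive list.
SENSITIVE = {PREFIX + p for p in (
    "ACCESS_FINE_LOCATION", "READ_CONTACTS", "READ_PHONE_STATE", "RECORD_AUDIO")}

def permissions(manifest_xml):
    """Return the permission names declared in one AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                found.add(name)
    return found

def sdk_added_permissions(app_manifest, sdk_manifests):
    """Map each permission the app did not declare to the SDKs that declare it."""
    own = permissions(app_manifest)
    added = {}
    for sdk, xml in sdk_manifests.items():
        for perm in permissions(xml) - own:
            added.setdefault(perm, []).append(sdk)
    return added

def sensitive_findings(app_manifest, sdk_manifests):
    """Only the SDK-introduced permissions that touch personal data."""
    added = sdk_added_permissions(app_manifest, sdk_manifests)
    return sorted((p, sorted(s)) for p, s in added.items() if p in SENSITIVE)

def _manifest(package, perms):
    """Build a constructed sample manifest for the demo."""
    body = "".join(f'<uses-permission android:name="{PREFIX}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="{package}">{body}</manifest>')

# Constructed sample input: one app and two hypothetical SDKs.
APP = _manifest("com.example.app", ["INTERNET", "ACCESS_FINE_LOCATION"])
SDKS = {
    "com.example.adsdk": _manifest(
        "com.example.adsdk", ["INTERNET", "READ_PHONE_STATE", "ACCESS_FINE_LOCATION"]),
    "com.example.pushsdk": _manifest(
        "com.example.pushsdk", ["READ_CONTACTS", "READ_PHONE_STATE"]),
}

if __name__ == "__main__":
    for perm, sdks in sensitive_findings(APP, SDKS):
        print(f"{perm} introduced by: {', '.join(sdks)}")
```

A permission reported here is one the app's own code never asked for, which is the case the five enterprises attributed to their third-party SDKs.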
Finally, the state has been monitoring this at the policy level. Network operators are required to clarify data security requirements and responsibilities for third-party applications accessing their platforms, and supervise third-party application operators to strengthen data security management.
At present, domestic mobile phone manufacturers are paying more and more attention to user privacy and are launching privacy protection functions such as "flare". Once apps' background behavior becomes more and more visible, and the system is willing to offer more means of restricting it, keeping one's own private data safe will probably no longer be a problem.