Some time ago, Ergouzi’s circle of friends was screened by the “Notice on the List of App Lists That Infringe User Rights” issued by the Ministry of Industry and Information Technology. The announcement pointed out that 90 apps that failed to complete the rectification as required will be removed from the shelves. These 90 apps involve education, games, security, news and many other fields across the country. At the same time, it was mentioned in the notification that 5 companies had repeated similar problems in different versions of the App, including collecting personal information in violation of regulations, forcing users to use targeted push functions, frequent and excessive force claims, and deception to induce users to download. The Ministry of Industry and Information Technology stated that it will suspend its violations in accordance with the law and be directly removed from the shelves.
After seeing this announcement, Ergouzi searched for these 5 companies in the spirit of eating melons, and found that they had already issued responses, stating that the platform found that the problem was mainly related to the third-party SDK and other aspects after the platform investigation.
In fact, this type of third-party SDK plug-in illegally invoked mobile phone information was exposed by CCTV as early as the 315 party in 2020, and this type of news often appears on the Internet.
So why is the SDK so dangerous, and software vendors really want to use it frequently? But if you want to talk about SDK, it must be inseparable from API.
The emergence of API
If you want to understand the API in more detail, you can read "Vernacular Science Popularization, 10s Understanding API" , here is a brief introduction.
The full name of API is Application Programming Interface, and the Chinese name is "application programming interface", which generally refers to a set of methods that are pre-defined by some service vendors and open to the outside world. These methods directly correspond to the service provider's own service functions, so that applications or developers can quickly call the functions without understanding the details of the service provider's working mechanism. For example, if the user uses the cloud SMS service to develop the function of sending SMS, he only needs to select the function he wants to implement according to the document, and then call the SMS API interface to call the service he wants to use, without knowing how the SMS is delivered to the customer. Technical details.
The birth of the SDK
After a brief understanding of the API, let's go back to the SDK mentioned at the beginning of this article.
The so-called SDK is actually "software development kit", which is the abbreviation of Software Development Kit. It generally refers to a software toolkit that implements product functions through a third-party service provider. Usually, the SDK is provided by a professional company, which is a collection of development tools for establishing application software for specific software packages, software frameworks, hardware platforms, operating systems, etc. Mobile payment technology, voice recognition technology, or storage technology can be professionally integrated. It effectively reduces the time for developers to develop each feature of the product when adding new features.
Like the API, the SDK is provided by the service vendor. Developers only need to access the relevant SDK and then do the joint debugging of the relevant functional interfaces. As for the underlying logic, data storage, etc., they do not need to be considered.
The difference between API and SDK
So from the results, what is the difference between the API and SDK that allow developers to use the third-party service function? Why is the SDK inseparable from the API?
In fact, on more occasions, API is more like a subset of SDK, this is because:
- API is usually an interface method with specific functions; while SDK is a collection of many functions, more like a toolkit;
- API is usually the image of a single data interface, and SDK is equivalent to a tool environment, except that it usually contains all the API functions of the service;
- SDK has a higher encapsulation level than API.
Why does the SDK often roll over
At present, because various service providers provide more and more functions, and users' requirements for App functions are gradually increasing, if each function is developed by itself, the time and cost will be extended indefinitely. Therefore, companies will prefer to choose third-party SDK toolkits to implement these functions. This has led to the possibility that many companies are using the same SDK. Once this SDK has a privacy leak, it is no longer just a company's App that is involved.
So, how to avoid such privacy violations?
For developers, it is necessary to choose a third-party SDK with a certain market basis as much as possible, for example, try to use the SDK selected in Apple and Google stores for integration.
From a personal level, when downloading an App, it is best to choose an app store with a lower malicious density, such as Apple's App Store and the official app store of Android phones. Don't randomly download software from unknown sources and unreviewed on the website. At the same time, in the face of various permission applications that pop up when installing the App, you must carefully confirm before giving your own location information, mobile phone address book and other privacy permissions.
Finally, the state has been monitoring this at the policy level. Network operators are required to clarify data security requirements and responsibilities for third-party applications that access their platforms, and urge and supervise third-party application operators to strengthen data security management.
At present, domestic mobile phone manufacturers are paying more and more attention to user privacy, launching privacy protection functions such as "flares". Once the invocation of these App background behaviors becomes clearer and clearer, and the system is willing to give more restrictive measures, it will probably not become a problem to protect your private data.
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用。你还可以使用@来通知其他用户。