



On Apr. 19, the National Information Security Standardization Technical Committee (TC 260) released two drafts for public comment: the Information Security Technology - Personal Information Security Evaluation Specification for Mobile Internet Applications (APP) (Draft for Comment) ("Personal Information Security Evaluation Specification for APP") and the Information Security Technology - Mobile Internet Application (APP) SDK Security Guides (Draft for Comment) ("APP SDK Security Guides").
Personal Information Security Evaluation Specification for APP
Since the special campaign against the illegal collection and use of personal information by apps began in early 2019, national regulators such as the Cyberspace Administration of China, the Ministry of Industry and Information Technology and the Ministry of Public Security have successively carried out a number of app personal information security supervision activities and issued a number of regulatory or guidance documents. Because there has been no unified evaluation standard, different organizations apply different criteria to the same problem, which undermines the accuracy, consistency and authority of evaluation results and, in turn, the implementation of personal information security standards. For enterprises and other organizations, it also leads, to varying degrees, to duplicated investment in personal information security protection and compliance.
As a supporting document for applying GB/T 35273-2020 Information Security Technology - Personal Information Security Specification to mobile internet applications (apps), the Personal Information Security Evaluation Specification for APP covers the collection, transmission, storage, processing, exchange and destruction of personal information involved in an app's business functions. It specifies the process for carrying out an app personal information security evaluation under GB/T 35273-2020, together with methods for evaluating its specific security requirements.
Once it comes into effect, the Personal Information Security Evaluation Specification for APP should help to unify and standardize the evaluation process, judgment criteria and evaluation results, improve the accuracy, consistency and fairness of evaluations, and reduce both the evaluation cost for third-party evaluation institutions and the compliance investment of enterprises.
APP SDK Security Guides
According to the drafting notes of the APP SDK Security Guides, the earlier Network Security Standards Practice Guide - Security Guidelines for the Use of Software Development Kits (SDK) in Mobile Internet Applications (APP), compiled by the same committee, already gave practical guidance on malicious programs, security vulnerabilities, illegal collection of personal information and other issues arising from SDK use. However, there is still no systematic standard for the secure development of SDKs as a whole or for personal information security within them. SDK providers and app providers are also unclear about the division of responsibilities and coordination between the two parties, and lack a unified communication channel.
The APP SDK Security Guides aim to curb malicious behaviour, security vulnerabilities and the illegal collection of users' personal information, to protect the interests of app providers, SDK providers and end users to the greatest extent, and to promote the healthy and sustainable development of the mobile internet application SDK industry. They address three main problem areas:
1. Security issues in SDK code development.
2. Security issues in SDK operational management.
3. Security issues in SDK personal information processing.
Once in effect, the APP SDK Security Guides may serve both as a security practice guide for SDK providers and as a basis for supervision, management and evaluation by the competent regulatory authorities and third-party evaluation agencies.
If you want to get more information, please contact assistant@bestao-consulting.com


