Security risks have been exposed in 4 Chinese-made apps, including Gaode Maps and Bilibili! The Ministry of Digital Development: Personal data may be sent back to China.

The Cybersecurity Department announced the security testing results of four Chinese-made apps, including Gaode Maps and iQIYI, and found that all of them excessively collect sensitive personal data and transmit it back to servers in China.

Cybersecurity Department releases security testing results of four Chinese-made apps

Today (27th), the Digital Development Department officially announced the security testing results of Chinese-made mobile applications, including Gaode Maps, Bilibili, iQIYI, and the AI chat software BIMOBIMO. All four were found to have risks such as personal data collection, system information reading, background monitoring, and data transmission to China.

Among them, Gaode Maps was identified as the app with the highest risk. The department pointed out that 11 security concerns were detected in the Android version, while the iOS version had 8 risk items.

Image source: Digital Development Department Chinese-made App Security Testing Results (Android)

Image source: Digital Development Department Chinese-made App Security Testing Results (iOS)

The testing focused on four aspects: real-time behavior monitoring, cross-app information access, system information retrieval, and data transmission and sharing, covering a total of 15 testing items. The tests checked whether the app continuously reads location data, the clipboard, the microphone, media permissions, health records, contacts, the calendar, and device identifiers, and whether it transmits data externally even when closed.

The Cybersecurity Department's Security Office stated that almost all of the four tested apps involve extensive access to sensitive permissions unrelated to core functions, with some programs continuously transmitting data to servers within China without user awareness.

Gaode Maps is the highest-risk app, with navigation features potentially raising national security concerns

According to the announced results, the Gaode Maps Android version was found to have up to 11 security concerns.

These include continuous access to user location, reading clipboard, accessing storage, reading media and real-time video, microphone, contacts, calendar, health records, and device identifiers, as well as ongoing data transmission even when the app is closed.

Although the iOS version has fewer risk items, it still has 8 security concerns, including continuous location tracking, reading media and health records, and transmitting data to servers in China.

The Cybersecurity Department's Security Office pointed out that some permissions in Gaode Maps are not directly related to core navigation functions, indicating issues of excessive personal data collection.

In particular, Gaode Maps has recently attracted significant attention for supporting Taiwan's 3D street view, real-time traffic light countdowns, and high-precision navigation features. The Security Office believes that if these are combined with long-term location data, travel records, and street view information for cross-analysis, the activity patterns, movement trajectories, and daily routines of specific individuals could be inferred.

Further, if such data is linked with government agencies, military facilities, or critical infrastructure locations, it could lead to intelligence gathering, monitoring of sensitive sites, and cybersecurity risks.

Additionally, since Gaode Maps supports long-term navigation, continuous access to media, real-time video, and microphone permissions could pose risks of prolonged covert recording of personal privacy, business secrets, and conversations.

Bilibili, iQIYI, and BIMOBIMO also have data transmission issues

Besides Gaode Maps, Bilibili, iQIYI, and BIMOBIMO were also found to have multiple security concerns.

The department pointed out that all four apps, on both iOS and Android versions, have issues such as reading media, real-time video, device identifiers, and transmitting related data to servers in China. Moreover, these apps generally also have problems with reading calendar, to-do lists, and microphone permissions.

Android users should pay special attention: even when the app is closed, some programs continue to transmit data externally, and there are risks related to reading the clipboard and storage.

The department noted that China's Cybersecurity Law and National Intelligence Law permit government agencies to request data from companies, meaning the information collected by these apps could be accessed by Chinese national security, police, and intelligence departments.

Security Office Director Li Yuwei pointed out that if such data leaks during circulation and management, it could even enter underground markets, where it might be used by scam groups for AI scams, account hijacking, targeted marketing, and social engineering attacks.

Clipboard data could involve OTP verification codes, credit card information, and login credentials; health records could be used to analyze personal habits and routines; voice and video data, if misused, could be employed in AI deepfake content.

The Cybersecurity Department reminds the public to recheck phone permissions and download sources

In response to these findings, the department also offers three cybersecurity protection suggestions.

  1. Before installing apps, users should carefully read privacy policies and permission requests to ensure that the granted permissions match the actual functional needs.
  2. Regularly review phone permission settings, and disable unnecessary location, microphone, clipboard, and background activity permissions.
  3. If you no longer use the app, remove it directly, restart your device, and run security scans with protective tools.

The Security Office also reminds users that even if they do not actively grant certain permissions, some apps may still continuously collect personal data through background processes or system mechanisms.

The department further recommends that the public prioritize downloading apps from legitimate and trusted sources, avoiding unknown or unverified installation sources. For cross-border communication, navigation, or media needs, it is advisable to choose domestic providers or platforms with clear cybersecurity standards to reduce long-term exposure of personal data and device information.

As AI tools, cross-border platforms, and smart app functions become more complex, smartphones are increasingly becoming the main gateway for personal data, payment information, and behavioral records. The security issues exposed by Gaode Maps and other Chinese-made apps have once again drawn attention, and in the future, data sovereignty and digital surveillance risks on mobile devices may become new national security concerns.
