On December 11th, the Central Cyberspace Administration released a test report on the collection of personal information on the "Food and Beverage Delivery" app. The report shows that recently, the China Cyberspace Security Association conducted a test on the collection of personal information on some apps that are widely used by the public in the "food delivery" category. The test selected 19 "food delivery" apps with a cumulative download volume of 100 million times from app stores, totaling 7 apps, named Meituan, Ele.me, Hema, Dingdong Maicai, Koubei, JD.com Daojia, and Duodian.
The report shows that in this test, the same brand and model of mobile terminals were selected, the same version of Android operating system was installed, and 7 apps were deployed separately to perform synchronization operations in the same network environment. To complete a takeout product selection activity as a testing unit, including four user scenarios: launching the app, browsing the homepage, searching for products, and selecting products, as well as a background silent application scenario. The test includes three aspects: system permission invocation, personal information upload, and network upload traffic.
In terms of system permission invocation, testing found that 7 apps invoked 5 types of system permissions in 5 scenarios, including location, device information, application list, clipboard, and storage. No other permissions such as camera, microphone, and contact list were found to be invoked. In the scenario of launching an app, after completing a startup process, Dingdong Maicai has the most types of system permissions called (4 types), and Hema has the most system permissions called (20 times). In the scenario of browsing the homepage, after completing the process of browsing the homepage once, Dingdong Maicai (type 2, 4 times) has the most types and times of system permissions called. In the scenario of searching for products, when completing a search for products, except for multiple points, Class 1 system permissions are called. The most frequently called system permissions are word-of-mouth (3 times). In the product selection scenario, completing a product selection process, the most common types of system permissions called are Meituan, Ele.me, Dingdong Maicai, word-of-mouth, and JD Daojia (all of which are Class 1), and the most frequently called system permissions are Meituan, Dingdong Maicai, word-of-mouth, and JD Daojia (all of which are Class 2). In the background silent scenario, during the background silent period, the most common types of system permissions called are Ele.me, word-of-mouth, and Duodian (all of which are Class 2), and word-of-mouth (16 times).