Browser apps scramble to fix permissions after Shanghai authority shows privacy concerns


Cheetah Mobile’s CM browser, CooTek’s TouchPal keyboard, and Mango TV were all singled out for weak protection of user privacy in recently released survey results by Shanghai’s Consumer Council.

On Wednesday afternoon, the council pointed out that all three phone apps require text-related permissions that are apparently unrelated to their functions. The CM browser also requests call-related permission and suffers from a low-level Android application program interface (API), which could compromise data privacy. The TouchPal keyboard additionally requests information related to user location.

The deputy-secretary general of the council told The Paper that with text-related permissions, an app might be able to send messages from users’ phones without their knowledge. The report also states that the CM Browser was able to listen in on outgoing calls. However, a company representative told Netease that the latter allegation was misleading.

According to the spokesperson, the call permission was intended to ensure users don’t miss calls while listening to, say, an audiobook. It only detected incoming calls and the “status” of outgoing calls.

“[We] definitely wouldn’t receive users’ phone numbers, call content or other personal private data because of this.”

The spokesperson said that CM Browser would address problems pointed out by the Shanghai council and release a new version of its app by Thursday. As of this morning, the app had not been updated since Monday. Its current description includes permissions to send texts, view phone numbers on outgoing calls, change the number being dialed, and hang up a call.

At the time of writing, Cheetah Mobile’s media contact had not responded to TechNode’s emailed request for further information.

Prior to the council’s announcement, the company was already in hot water over a Buzzfeed report on allegations of ad fraud made by analytics company Kochava. Kochava said that seven of Cheetah Mobile’s apps, not including the CM browser, take advantage of user permissions to profit off app downloads in a practice referred to as “click injection.” Cheetah Mobile has released a statement denying any such intentions and threatening legal action against Kochava. After a 30% drop in stock value on Tuesday, Cheetah Mobile’s shares saw a moderate rise the next day.

The Shanghai council’s announcement on Wednesday was in fact the result of a months-long investigation. The council tackled privacy issues in map apps this past July, resulting in Amap, Baidu Maps, and Tencent Maps all vowing to do better.

From August through October, the council undertook an investigation of 18 popular apps: browsers (UC, QQ, 360, Sogou, CM, Baidu, two Huawei browsers), input method apps (Sogou, Baidu, iFlytek, QQ, TouchPal), and video aggregation services (Youku, Tencent Video, iQiyi, Mango TV, Bilibili). In October, it corresponded with individual companies to get problems fixed, then assessed them again this month with the aforementioned results.

The council told The Paper that current government regulation over app permissions isn’t perfect, and that guidelines on what is and isn’t allowed could be clearer.

This article has been updated to provide additional information about allegations of ad fraud against multiple Cheetah Mobile apps.