Welcome to Sobot SDK! We fully understand the importance of personal information (PI) to you, and your trust is extremely significant to us. We will take corresponding security measures in strict accordance with the requirements of laws and regulations to keep your PI secure and controllable.
This document describes the PI collected and used by Sobot when mobile Internet applications (apps) integrate Sobot SDK, and presents the security risk assessment of Sobot SDK.
I. Statement of Compliant Use of Sobot SDK
To ensure that your app is legally compliant, you must use Sobot SDK services in accordance with current laws, regulations or regulatory requirements and take the following three steps:
(1) Make sure you have upgraded Sobot SDK to the latest version that meets the new regulatory requirements.
(2) Configure delayed initialization to ensure that Sobot SDK is initialized after the user authorizes the Privacy Policy.
(3) Inform users of details of using Sobot SDK in the Privacy Policy.
Please be sure to follow the above steps to use Sobot SDK service in a compliant manner. Any risk caused by your failure to do so shall be borne by yourself.
II. PI Collected by Sobot SDK and Permissions Required
1. PI collected and used
To identify network status and account abnormalities and determine the suitability of products and services, we will collect the following information: Device and system information (including OS type, system edition/version, app package name, app version, device type, device manufacturer, and device model), Internet identity information (IP address), etc.
When you copy and paste information in the SDK, we will request access to your clipboard; we will only identify the clipboard information locally and will not upload your clipboard information to our server.
2. System permission obtained
To provide you with more convenient, better and personalized services and improve your experience, we may collect and use your PI by enabling system permissions for certain additional services we provide. If you do not agree to enable the relevant permissions, you can still use the basic Sobot services normally, but you may not be able to obtain the user experience that these additional services provide.
You can enable or disable these permissions at any time at your discretion.
The types of permissions requested and their uses are as follows:
(1) Camera permission
You can send photos and videos with this function after enabling camera permission.
(2) MIC permission
You can send voice messages with this function after enabling MIC permission.
(3) Call permission
When you use the Call Center, voice bot and other Sobot call product functions, you need to proactively provide a specific phone number and enable call permission to make or answer calls. After you use the above functions, we will store the caller and called numbers, talk time, talk records, etc.
(4) Storage permission
You can send/save photos, files and videos with this function after enabling the permission to allow apps to read/write to the external memory.
III. Sobot SDK Security Assessment
To prevent SDK risks and protect users' PI security, we conducted a security assessment of the main risk items of Sobot SDK with reference to the "Practice Guide for Network Security Standards - Security Guidelines for Mobile Internet Applications (Apps) Using Software Development Kits (SDKs)" issued by the Secretariat of the National Information Security Standardization Technical Committee, and the assessment results are shown in the following table:
Type | Name | Status | Self-assessment (secure or not) |
---|---|---|---|
Source file security | Java code unobfuscation risk | None | Yes |
Source file security | Private function call risk | None | Yes |
Source file security | AES weak encryption vulnerability | None | Yes |
Source file security | Insecure use vulnerability of RSA algorithm | None | Yes |
Source file security | Insecure use of random numbers | None | Yes |
Source file security | Sensitive function call risk | None | Yes |
Internal data interaction security | Low protection level custom permissions | None | Yes |
Internal data interaction security | Insecure use of PendingIntent | Secure use | Yes |
Internal data interaction security | Implicit Intent calls with sensitive info | None | Yes |
Internal data interaction security | Dynamically registered broadcast receiver | None | Yes |
Internal data interaction security | FFmpeg file reading | None | Yes |
Internal data interaction security | Intent Scheme URLs attack | None | Yes |
Internal data interaction security | Provider file directory traversal | None | Yes |
Internal data interaction security | Fragment injection | None | Yes |
Internal data interaction security | Webview does not remove the hidden API | None | Yes |
Internal data interaction security | Webview saves passwords in plaintext | None | Yes |
Internal data interaction security | Activity binds browserable with custom protocols | None | No |
Internal data interaction security | Clipboard read/write operation vulnerability detection | Yes (message replication) | Yes |
Communication data transmission security | SSL communication server/client detection trusts in any certificates | None | No |
Communication data transmission security | HTTPS disables host name verification | Yes | Yes |
Communication data transmission security | Webview has a native Java API | None | Yes |
Communication data transmission security | Webview ignores SSL certificate error | None | Yes |
Communication data transmission security | Open socket port | None | Yes |
Communication data transmission security | Webview enables access to file data | None | Yes |
Local data storage security | getdir read/write permissions configuration error | Yes | Yes |
Local data storage security | Global file read/write permissions configuration error | Yes | Yes |
Local data storage security | Profile read/write permissions configuration error | Yes | Yes |
Local data storage security | AES/DES hard-coded keys | None | Yes |
Local data storage security | Opened or created database files permission configuration error | None | Yes |

Behavior name | Note | Exist or not |
---|---|---|
Traffic hijacking | SDK information pulling, reporting and displaying targets are different from those set by the app provider, and maliciously hijacking app traffic may cause damage to the app. | None |
Expense consumption | SDK can cause financial losses to users by consuming their network subscriptions, sending malicious chargeable SMS and subscribing to chargeable services. | None |
Privacy theft | SDK steals users' contact list, SMS and other sensitive PI without their knowledge or by misleading them, and surreptitiously takes photos, makes recordings or performs other sensitive actions and sends the results to malicious developers. | None |
Silent download | SDK silently downloads and installs other malware, viruses or Trojans in the backend. | None |
Fraud traffic via ads | SDK simulates human clicks on advertising links in the backend for profit without the user's knowledge. | None |
Malicious ads | SDK pushes advertising links containing fraudulent content, viruses and Trojans to users, and pushes excessive ads, which occupy the system notification bar and screen for a long time and interfere with users' normal use of the app. | None |
Blackmail | SDK maliciously encrypts files on the user's phone, interferes with the user's normal use of the phone, and blackmails the user for money on the pretext of restoring the normal use of their phones. | None |
Mining | SDK utilizes the computing power of the user's phone to obtain cryptocurrency for the attacker without the user's knowledge, causing a performance penalty to the user's device hardware. | None |
Remote control | SDK starts a local backend server on the cell phone to receive control commands from the remote console and perform other malicious behaviors covertly as described above. | None |
Clipboard hijacking | SDK listens to the system clipboard to obtain sensitive information in the clipboard, or triggers a floating window based on content changes in the clipboard, thus interfering with system functions, deceiving users, or affecting the normal use of other apps. | None |