1***@qq.com
  • Published: 2024-06-24 16:06
  • Updated: 2024-06-26 05:43
  • Views: 600

[Bug report] uniapp app delisted because the Getui (个推) SDK failed privacy compliance

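Category: uni-app

Product category: uniapp/App

PC development environment OS: Windows

PC development environment OS version: win11

HBuilderX type: Official release

HBuilderX version: 4.21

Phone OS: Android

Phone OS version: Android 14

Phone vendor: vivo

Phone model: vivo

Page type: vue

vue version: vue2

Packaging method: Cloud

Project creation method: HBuilderX

App download URL or H5 URL: https://dl002.liqucn.com/37678a78925b7917481dd56cd5641461/667928db/upload/2022/290/l/com.yingming.mail_2.0.1_liqucn.com.apk

Steps to reproduce:

Expected result:

Compliant

Actual result:

Non-compliant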

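Bug description:

We received a delisting notice from the vivo store: the app was delisted because the Getui SDK obtains DHCP in the silent scenario. The privacy compliance test report provided by VIVO reads as follows.

Issue found. Issue type: out-of-scope collection by an SDK in the silent/background state
While the app is running, the SDK exhibits the following non-compliant behavior:
1. Without any notice to the user and without the user's consent, the Getui push SDK collects "DHCP" and other information while in the silent or background state. This is not necessary for the service, has no reasonable use case, and goes beyond what is directly or reasonably related to the purpose stated when the personal information was collected.
Applicable clause: When an SDK, in the silent state or while running in the background, collects personal information such as IMEI, IMSI, device MAC address, Android ID, OAID, MEID, ICCID, SN, SUCI, SUPI, installed-software list, location, contacts, call records, calendar, SMS, the device's phone number, images, audio and video, this exceeds the reasonably related scope of its stated collection purpose.
Evidence:
2024-06-22 15:16:58 Getui push SDK reads DHCP information
Compliance recommendations:
1. Ensure that when a third-party SDK is in the silent state or running in the background, its collection of personal information does not go beyond what is directly related to the collection purpose.
2. If a third-party SDK needs to collect users' personal information in the silent state or while running in the background, ensure that this is necessary and tell users about it in the privacy policy.

Below is the content of the "Engine 1 behavior data" xls file provided by vivo: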
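No. | Scenario | Issue type | Privacy type | Current page | Code owner | Extra info | Time | Stack
1 | After accepting the privacy statement - foreground | Sensitive behavior | Read OAID | Background | app | arg1: content://com.vivo.vms.IdProvider/IdentifierId/OAID, arg2: null, arg3: null, arg4: null, return value: [object Object] | 2024-06-22 15:12:42.222 | "java.lang.Exception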
at android.content.ContentResolver.query(Native Method)
at android.content.ContentResolver.query(ContentResolver.java:1164)
at android.content.ContentResolver.query(ContentResolver.java:1120)
at com.bun.miitmdid.c.j.b.a.a(Unknown Source:19)
at com.bun.miitmdid.c.j.b.b$a.handleMessage(Unknown Source:30)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:257)
at android.os.HandlerThread.run(HandlerThread.java:67)"
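2 | After accepting the privacy statement - foreground | Sensitive behavior | Read OAID | Background | Getui push SDK | arg1: content://com.vivo.vms.IdProvider/IdentifierId/OAID, arg2: null, arg3: null, arg4: null, return value: [object Object] | 2024-06-22 15:12:42.686 | "java.lang.Exception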
at android.content.ContentResolver.query(Native Method)
at android.content.ContentResolver.query(ContentResolver.java:1164)
at android.content.ContentResolver.query(ContentResolver.java:1120)
at com.getui.gtc.dim.c.d$c.b(Unknown Source:51)
at com.getui.gtc.dim.c.d.c(Unknown Source:15)
at com.getui.gtc.dim.c.a.a(Unknown Source:48)
at com.getui.gtc.dim.b.g.a(Unknown Source:635)
at com.getui.gtc.dim.b.g.a(Unknown Source:196)
at com.getui.gtc.dim.a.a(Unknown Source:936)
at com.getui.gtc.dim.DimManager.get(Unknown Source:13)
at com.getui.gtc.h.c.a(Unknown Source:72)
at com.getui.gtc.h.c$1.run(Unknown Source:2)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:462)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:301)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:923)"
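3 | After accepting the privacy statement - foreground | Sensitive behavior | Read OAID | Background | vivoId SDK | arg1: content://com.vivo.vms.IdProvider/IdentifierId/OAID, arg2: null, arg3: null, arg4: null, return value: [object Object] | 2024-06-22 15:12:42.903 | "java.lang.Exception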
at android.content.ContentResolver.query(Native Method)
at android.content.ContentResolver.query(ContentResolver.java:1164)
at android.content.ContentResolver.query(ContentResolver.java:1120)
at org.repackage.com.vivo.identifier.DataBaseOperation.a(DataBaseOperation.java:97)
at org.repackage.com.vivo.identifier.IdentifierIdClient$2.handleMessage(IdentifierIdClient.java:185)
at android.os.Handler.dispatchMessage(Handler.java:106)
at android.os.Looper.loop(Looper.java:257)
at android.os.HandlerThread.run(HandlerThread.java:67)"
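4 | After accepting the privacy statement - foreground | Sensitive behavior | Read Android ID | Background | Getui push SDK | arg1: android.app.ContextImpl$ApplicationContentResolver@4777863, arg2: android_id, arg3: 0, return value: 4ec67a988f0349c6 | 2024-06-22 15:12:43.657 | "java.lang.Exception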
at android.provider.Settings$Secure.getStringForUser(Native Method)
at android.provider.Settings$Secure.getString(Settings.java:5514)
at com.getui.gtc.dim.c.a.d(Unknown Source:6)
at com.getui.gtc.dim.b.g.a(Unknown Source:596)
at com.getui.gtc.dim.b.g.a(Unknown Source:196)
at com.getui.gtc.dim.a.a(Unknown Source:936)
at com.getui.gtc.dim.DimManager.get(Unknown Source:13)
at com.getui.gtc.dim.DimManager.receive(Unknown Source:203)
at com.getui.gtc.base.publish.Broker.publish(Unknown Source:51)
at com.getui.gtc.base.GtcProvider.publish(Unknown Source:4)
at com.getui.gtc.base.GtcProvider.call(Unknown Source:29)
at android.content.ContentProvider.call(ContentProvider.java:2512)
at android.content.ContentProvider$Transport.call(ContentProvider.java:568)
at android.content.ContentProviderNative.onTransact(ContentProviderNative.java:295)
at android.os.Binder.execTransactInternal(Binder.java:1154)
at android.os.Binder.execTransact(Binder.java:1123)"
5 | After accepting the privacy statement - foreground | Sensitive behavior | Read WIFI-MAC | Background | Getui push SDK | return value: null | 2024-06-22 15:12:43.593 | "java.lang.Exception
at java.net.NetworkInterface.getHardwareAddress(Native Method)
at com.getui.gtc.dim.c.a.g(Unknown Source:37)
at com.getui.gtc.dim.b.g.a(Unknown Source:650)
at com.getui.gtc.dim.b.g.a(Unknown Source:196)
at com.getui.gtc.dim.a.a(Unknown Source:936)
at com.getui.gtc.dim.DimManager.get(Unknown Source:13)
at com.getui.gtc.dim.DimManager.receive(Unknown Source:203)
at com.getui.gtc.base.publish.Broker.publish(Unknown Source:51)
at com.getui.gtc.base.GtcProvider.publish(Unknown Source:4)
at com.getui.gtc.base.GtcProvider.call(Unknown Source:29)
at android.content.ContentProvider.call(ContentProvider.java:2512)
at android.content.ContentProvider$Transport.call(ContentProvider.java:568)
at android.content.ContentProviderNative.onTransact(ContentProviderNative.java:295)
at android.os.Binder.execTransactInternal(Binder.java:1154)
at android.os.Binder.execTransact(Binder.java:1123)"
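6 | After accepting the privacy statement - foreground | Sensitive behavior | Read OAID | Background | app | arg1: content://com.vivo.vms.IdProvider/IdentifierId/OAID, arg2: null, arg3: null, arg4: null, return value: [object Object] | 2024-06-22 15:12:44.927 | "java.lang.Exception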
at android.content.ContentResolver.query(Native Method)
at android.content.ContentResolver.query(ContentResolver.java:1164)
at android.content.ContentResolver.query(ContentResolver.java:1120)
at com.zx.a.I8b7.p0$c.b(SourceFile:5)
at com.zx.a.I8b7.d3.a(Native Method)
at com.zx.a.I8b7.z0.d(Native Method)
at com.zx.a.I8b7.z0.h(SourceFile:9)
at com.zx.a.I8b7.a3.a(SourceFile:7)
at com.zx.a.I8b7.x2.run(SourceFile:20)
at com.zx.sdk.common.utils.ZXTask.run(SourceFile:2)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:923)"
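7 | After accepting the privacy statement - foreground | Sensitive behavior | Read Android ID | Background | Umeng intelligent anti-cheat component asms SDK | arg1: android.app.ContextImpl$ApplicationContentResolver@4777863, arg2: android_id, arg3: 0, return value: 4ec67a988f0349c6 | 2024-06-22 15:12:43.125 | "java.lang.Exception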
at android.provider.Settings$Secure.getStringForUser(Native Method)
at android.provider.Settings$Secure.getString(Settings.java:5514)
at com.umeng.commonsdk.statistics.common.DeviceConfig.getAndroidId(DeviceConfig.java:233)
at java.lang.reflect.Method.invoke(Native Method)
at com.umeng.umzid.d.a(Unknown Source:31)
at com.umeng.umzid.ZIDManager.a(Unknown Source:13)
at com.umeng.umzid.ZIDManager.a(:1)
at com.umeng.umzid.ZIDManager$a.run(Unknown Source:4)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:462)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:301)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:923)"
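8 | After accepting the privacy statement - background | Sensitive behavior | Read DHCP information | Background | Getui push SDK | Not provided | 2024-06-22 15:16:58.143 | "java.lang.Exception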
at android.net.wifi.WifiManager.getDhcpInfo(Native Method)
at com.getui.gtc.dim.c.a.b(Unknown Source:28)
at com.getui.gtc.dim.c.b.a(Unknown Source:18)
at com.getui.gtc.dim.b.g.a(Unknown Source:758)
at com.getui.gtc.dim.b.g.a(Unknown Source:196)
at com.getui.gtc.dim.a.a(Unknown Source:936)
at com.getui.gtc.dim.DimManager.get(Unknown Source:13)
at com.getui.gtc.dim.DimManager.receive(Unknown Source:203)
at com.getui.gtc.base.publish.Broker.publish(Unknown Source:51)
at com.getui.gtc.base.GtcProvider.publish(Unknown Source:4)
at com.getui.gtc.base.GtcProvider.call(Unknown Source:29)
at android.content.ContentProvider.call(ContentProvider.java:2512)
at android.content.ContentProvider$Transport.call(ContentProvider.java:568)
at android.content.ContentProviderNative.onTransact(ContentProviderNative.java:295)
at android.os.Binder.execTransactInternal(Binder.java:1154)
at android.os.Binder.execTransact(Binder.java:1123)"

See the attachment for the original file.

2024-06-24 16:06 Assignee: none
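
An added example, not part of the original post or of any vendor tool: a small Python triage script that attributes each hooked sensitive API call in a report like the one above to the first non-platform stack frame, then lists the SDK-owned reads made while the app was in the background. The `row|scene|time` header format, the `OWNERS` map and the sample rows are assumptions constructed for illustration.

```python
import re

# Platform/runtime frames never own a call; they are skipped when attributing.
PLATFORM = ("android.", "java.", "javax.", "dalvik.", "kotlin.")
# Labels follow the report's code-owner column; other callers show by prefix.
OWNERS = {"com.getui.": "Getui push SDK", "com.umeng.": "Umeng SDK",
          "org.repackage.com.vivo.identifier.": "vivoId SDK"}
FRAME = re.compile(r"^\s*at ([\w.$]+)\.[\w$<>]+\(")

# Constructed sample: rows 4 and 8 abbreviated from the report into an assumed
# "row|scene|time" header format; row 9 is invented to exercise the fallback.
SAMPLE = """\
4|foreground|2024-06-22 15:12:43.657
at android.provider.Settings$Secure.getStringForUser(Native Method)
at android.provider.Settings$Secure.getString(Settings.java:5514)
at com.getui.gtc.dim.c.a.d(Unknown Source:6)
8|background|2024-06-22 15:16:58.143
at android.net.wifi.WifiManager.getDhcpInfo(Native Method)
at com.getui.gtc.dim.c.a.b(Unknown Source:28)
9|background|2024-06-22 15:17:00.000
at android.os.Handler.dispatchMessage(Handler.java:106)
"""

def owner_of(cls):
    """Map a class name to an SDK label, or to its two-segment package prefix."""
    for prefix, label in OWNERS.items():
        if cls.startswith(prefix):
            return label
    return ".".join(cls.split(".")[:2]) + ".*"

def attribute(report):
    """One dict per row: hooked API (top frame) and first non-platform caller."""
    rows = []
    for line in report.splitlines():
        m = FRAME.match(line)
        if m is None:
            if line.count("|") == 2:  # row header line
                num, scene, ts = line.split("|")
                rows.append({"row": int(num), "scene": scene, "time": ts,
                             "api": None, "owner": None})
        elif rows and rows[-1]["api"] is None:
            rows[-1]["api"] = line.strip()[3:].split("(")[0]
        elif rows and rows[-1]["owner"] is None and not m.group(1).startswith(PLATFORM):
            rows[-1]["owner"] = owner_of(m.group(1))
    return rows

def background_findings(report):
    """SDK-attributed reads made while the app was in the background."""
    return [(r["row"], r["owner"], r["api"]) for r in attribute(report)
            if r["scene"] == "background" and r["owner"]]
```

Running `background_findings(SAMPLE)` returns only row 8, the `getDhcpInfo` read attributed to the Getui frames, which matches the single item vivo cited as evidence.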
DCloud_Android_THB

Please provide your Getui appid; this needs to be turned off in the Getui backend.

叶凌风 - 叶凌风

I ran into this too; we were delisted by VIVO. How do I turn it off?

DCloud_heavensoft

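Your apk download URL cannot be accessed. I suggest finding Getui's WeCom (企业微信) contact in the push documentation and talking to them directly.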

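  • 1***@qq.com (author)

    Getui's official reply was: in the privacy agreement, change the description of the personal information involved in the Getui SDK to: "Network information (including IP address, WIFI information, base station information, carrier information, DHCP) and location-related information: To keep the network connection as stable as possible and establish a long-lived connection, we need to know the device's network status and changes, so as to provide a stable and continuous push service. We provide a contextual push feature; location-related information helps us provide fine-grained push for offline scenarios, lets us recommend push content that better fits your needs, and reduces the disturbance caused by useless push messages." I suggest updating the document 《Android平台各功能模块隐私合规协议》 (privacy compliance agreement for each functional module on the Android platform). URL: https://ask.dcloud.net.cn/article/39484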

    2024-06-27 10:06

  • enderX

    Reply to 1***@qq.com: Will it pass review this way?

    2024-09-06 14:05
