Black Hat Asia 2021 (the Asian Black Hat Conference) is scheduled to be held online from May 4 to 7. The Black Hat conference is recognized as the top event of the global information security industry, known as the "Oscars" of the hacker world, and is also the most technical information security conference. This security technology summit is held every year in the United States, Europe and Asia. Since its inception, it has attracted the attention and participation of many global enterprises, government agencies, top security vendors and research organizations. The conference focuses on advanced security research, development and trends, and leads the future of security thinking and technology with its strong technical depth, authority and objectivity.
At Black Hat Asia 2021, the talk "Do Apps Respect Your Privacy as They Claim?" focuses on analysing some of the current problems in app user privacy protection. It mainly proposes a full-life-cycle management framework for privacy protection, and uses a number of tools built under that framework to perform automated analysis and collect statistics on where the top 1500 apps in the application market fail to protect user privacy.
In recent years, governments around the world have paid more and more attention to the issue of user privacy. The governments of the United States, the European Union and China have formulated relevant laws, and many large international companies have been punished by regulators for problems with user privacy security. Meanwhile, ordinary users are increasingly concerned about the collection and use of their private data by apps. Compared with common app security vulnerabilities, users are more sensitive to data privacy issues and are more likely to notice when a leak occurs. As a result, data privacy issues are more likely to be disclosed by outside media and to trigger large-scale public discussion. Is app user privacy data as well protected as the vendors claim? If there are still privacy issues that do not meet regulatory requirements, is it because of inadequate security testing, or is it intentional?
In order to better protect user privacy, help enterprises carry out self-examination, and provide regulators with a more complete theoretical basis and technical support for comprehensive supervision and verification, Wuheng Laboratory, drawing on its experience from a large number of app privacy security inspections, has systematized the intricate privacy security check methods into an app compliance and privacy security framework. The main advantage of this framework is that it raises privacy compliance auditing to a global level. The scenarios of a compliance privacy audit are divided into two categories along two dimensions: logic and technical testing. The logical categorization helps people better understand the context in which these problems occur. The classification of technical test methods guides security auditors to carry out a comprehensive inspection better and faster, and avoids checks that are broad but incomplete.
Starting from the aspects of app users' right to know, right to consent, right to be forgotten, right to data portability, data localization and cross-border transmission, the framework integrates these into a comprehensive inspection framework that covers all dimensions of current app privacy security, so as to judge whether an app infringes user privacy. To facilitate the smooth implementation of this framework, Wuheng Laboratory built some automated testing tools for different scenarios to assist testing, tested the Top 1000 apps in the application market, and found numerous security problems involving user privacy. Wuheng Laboratory will analyse the collected problems and compile statistics, submit them to the vendors and give security suggestions, hoping to attract the attention of vendors so that we can work together to improve the protection of user privacy.
Open source preview:
The full-life-cycle privacy protection management framework mentioned by Zhang Qing is also being prepared for open source release. Practitioners working on security and privacy compliance can follow the progress of Wuheng Laboratory. We hope that, through open source, we can share what we have done and the mistakes we have made, learn from excellent peers, and give back to the industry.
Get the speech PPT:
Follow the official WeChat account of the ByteDance Security Center and reply with "Wuheng Lab" to obtain the slides of this talk.
About Wuheng Laboratory:
Wuheng Laboratory is a professional defense research lab composed of senior ByteDance security researchers. Lab members have strong practical defensive capabilities, gained through intrusion and penetration drills, business red/blue team exercises, vulnerability discovery, countering black-market actors, emergency vulnerability response and APT incident response in production, improving infrastructure security, data security and business security, and minimizing the impact of security incidents on the business and the company. At the same time, the lab provides regular penetration testing services for the company and its major products and produces penetration testing reports, to ensure the safety of ByteDance users when using its products and services.
Wuheng Laboratory is recruiting for many positions. Applications are welcome at: [email protected]