Software testing a crucial defense

As smartphones have gained popularity in China, privacy concerns have shifted from calls to the mobile Internet. About 420 million people in China had surfed the Internet via a mobile phone by the end of 2012, according to the China Internet Network Center.

Li Gang, chief technical officer of the State Information Center Software Testing Center, said all areas of online security, such as risk assessment and security reinforcement, must be strictly controlled to create a safe and reliable network and prevent the illegal disclosure of personal information.

Li said consumers should be aware of the risks of installing new applications on computers or mobile phones: "Awareness of personal information protection should be heightened and timely complaints should be submitted to the provider," he said. "Before hardware or software is put into use, technical analysis should be conducted to strengthen real-time monitoring and reduce risks."

Individual users are legally required to submit private information to the service providers when they play games, pay bills online or visit social networking sites, said Liu Fawang, deputy director of the China Software Testing Center.

Professor Zhou Qingshan of Peking University said the Internet is fundamentally an open space and hackers can easily take advantage of that to steal private data for illicit gain. Liu said the leaks not only threaten individual privacy, but also national security. He has seen a number of cases of personal information leakage and even established Web companies, such as Google, have suffered from information theft.

To better regulate the mobile applications market, the CSTC in November 2012 promulgated China's first national guideline on information security and the protection of personal information, which stipulated that only users can authorize the collection of sensitive information.

Liu said individual users should develop the habit of carefully choosing a program or application to prevent their information from being illegally gathered and abused. An independent third-party testing agency should also be established to provide comprehensive security testing services to application providers, online stores, telecom operators and others, to aid end users in the choice of trustworthy software.

According to the China Academy of Telecommunication, under the Ministry of Industry and Information Technology, the Android mobile operating system was used on 86 percent of smartphones in China last year. However, the application-friendly system has long been criticized for its open environment, which leaves phones more vulnerable to private information outflow. Experts attending the 2012 China Personal Information Security Conference said that the open system could result in cases of malicious chargeback, a loss of privacy and allow unauthorized remote control for Android users.

Echoing the suggestion by Professor Zhou Qingshan, Liu said phone manufacturers should provide technical support to address security vulnerabilities as soon as possible, and software developers are advised to use cryptography technology to protect users' personal data and avoid apps asking for too much sensitive information from users. Before going on the market, the software should be subjected to a series of tests to reduce potential security risks, said Liu.

Learning from the United States, contract phones are among the top choices for younger consumers. Telecommunication companies usually preinstall some software on phones and so must ensure security and provide necessary suggestions and warnings, said Liu.

"The mobile Internet industry needs a mechanism to boost its healthy development by improving the quality of software and reducing malware," Liu said, adding that the CSTC is building a public service platform for mobile devices which will conduct security tests and assessments, publish details of potential security hot spots, and share technical resources online.

China can learn from industry pioneers such as the US and the European Union, which have established an evaluation and certification system for personal and enterprise information, Liu said.

"Currently, the best way to protect private information online is to thoroughly test all software before it's released on the market," said Liu.