Taiwan's Ministry of Digital Affairs Flags Amap, bilibili, and Others for Excessive Data Collection

Taiwan's Government Issues Warning on Cybersecurity Risks of Chinese Mobile Apps

MEDIUM
May 27, 2026
Policy and Compliance, Mobile Security, Data Breach

Related Entities

Organizations

Taiwan Ministry of Digital Affairs (MODA), Taiwan Administration for Cyber Security (ACS)

Products & Tech

Amap, bilibili, iQIYI, BIMOBIMO

Other

China, Taiwan

Full Report

Executive Summary

Taiwan's Ministry of Digital Affairs (MODA) has officially warned its citizens about the cybersecurity risks posed by four popular Chinese-made mobile applications: the navigation app Amap, video platforms bilibili and iQIYI, and messaging app BIMOBIMO. An analysis by MODA's Administration for Cyber Security (ACS) revealed that these applications request an excessive number of permissions, collect vast amounts of user data, and transmit that data to servers in China. The ministry highlighted that this activity poses a national security risk, as Chinese national security laws could compel the app developers to surrender data on Taiwanese users to the Chinese government.


Regulatory Details

The warning from MODA is not a ban, but a strong advisory based on technical findings and legal analysis. The core of the issue lies in the intersection of the apps' technical behavior and China's legal framework.

  • Technical Findings: The ACS tested the apps against 15 indicators across four categories: reading data from other apps, collecting/sharing user data, accessing device info, and monitoring user activity. Amap was found to be the most aggressive, exhibiting 11 risk behaviors on Android and 8 on iOS. These included continuous location tracking (even when the app was closed), and access to contacts, media, and the microphone.
  • Legal Framework: The ACS cited China's Cybersecurity Law and National Intelligence Law, which legally obligate Chinese companies and citizens to cooperate with state intelligence and security agencies. This means any data collected by these apps, regardless of the user's location, could be accessed by the Chinese government upon request.

Affected Systems

  • Applications:
    • Amap (Navigation)
    • bilibili (Video Streaming)
    • iQIYI (Video Streaming)
    • BIMOBIMO (Messaging)
  • Platforms: Android and iOS devices where these apps are installed.

Impact Assessment

The primary impact is on user privacy and national security. For individuals, the risk is the large-scale collection of personal data, including location history, contact lists, and private communications, which can be used for profiling or monitoring. For Taiwan as a nation, the aggregated data from millions of users could provide the Chinese government with valuable intelligence on population movements, social networks, and public sentiment, posing a significant national security threat.


Cyber Observables — Hunting Hints

The following patterns may help identify risky applications on mobile devices:

  • Type: API Endpoint
    • Value: Continuous location services access
    • Description: Mobile device management (MDM) or security software can monitor for apps that persistently access GPS data even when in the background.
  • Type: Network Traffic
    • Value: Data transmission when app is closed
    • Description: Monitor for apps that continue to send data to external servers even when they are not in the foreground.
  • Type: Certificate Subject
    • Value: App certificates signed by Chinese entities
    • Description: While not inherently malicious, this can be a data point for risk assessment.
  • Type: Permission Request
    • Value: Excessive or unnecessary permissions
    • Description: Audit apps that request access to contacts, microphone, or storage when it is not core to their function.
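
The permission audit described in the last observable can be scripted against a device's package dump. The following is an added example, not part of the MODA advisory or the original article: the package names, the app-category mapping, and the sample dump (a simplified excerpt in the style of `adb shell dumpsys package` output) are all constructed for illustration.

```python
import re

# Sensitive Android runtime permissions and the data class each exposes.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "background-location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
}
# Assumption: data classes core to each app category. Background location is
# core to none, matching the "only while using the app" guidance.
CORE_BY_CATEGORY = {"navigation": {"location"}, "video": set(),
                    "messaging": {"contacts", "microphone"}}
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z0-9_]+): granted=(true|false)")

def parse_granted(dump):
    """Return {package: set of granted permissions} from dumpsys-style text."""
    granted, current = {}, None
    for line in dump.splitlines():
        pkg, perm = PKG_RE.match(line), PERM_RE.match(line)
        if pkg:
            current = granted.setdefault(pkg.group(1), set())
        elif perm and current is not None and perm.group(2) == "true":
            current.add(perm.group(1))
    return granted

def audit(dump, categories):
    """Return {package: sorted granted permissions outside its core function}."""
    findings = {}
    for pkg, perms in parse_granted(dump).items():
        # An app with no known category has no core set, so everything is flagged.
        core = CORE_BY_CATEGORY.get(categories.get(pkg), set())
        excess = sorted(p for p in perms & SENSITIVE.keys() if SENSITIVE[p] not in core)
        if excess:
            findings[pkg] = excess
    return findings

# Constructed sample input (hypothetical package names).
SAMPLE_DUMP = """\
Package [com.example.navapp] (1a2b3c):
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_BACKGROUND_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
Package [com.example.videoapp] (4d5e6f):
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""
SAMPLE_CATEGORIES = {"com.example.navapp": "navigation", "com.example.videoapp": "video"}
if __name__ == "__main__":
    print(audit(SAMPLE_DUMP, SAMPLE_CATEGORIES))
```
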

Detection Methods

  • Mobile Device Management (MDM): MDM solutions can be configured to detect and flag or block the installation of these specific applications on corporate devices.
  • Mobile App Vetting: Use mobile application security testing (MAST) tools to analyze app behavior, including data transmission and permission usage, before allowing them in an enterprise environment.
  • Network Analysis: On a test device, use an intercepting proxy such as Burp Suite or a packet capture tool such as Wireshark to monitor the data being transmitted by the application, including the destination and content of the traffic.

Remediation Steps

  • User Education: The primary mitigation offered by MODA is public awareness. Users should understand the risks associated with these apps and the trade-offs they are making between functionality and privacy.
  • App Removal: Individuals concerned about their data privacy and security should uninstall these applications from their devices.
  • Permission Management: Users who choose to keep the apps should go into their device's settings and revoke all non-essential permissions. This includes limiting location access to "only while using the app" and denying access to contacts, microphone, and files.
  • Alternative Apps: Encourage the use of alternative applications that have a stronger privacy focus and are not subject to Chinese national security laws.
  • D3FEND: While D3FEND is primarily for enterprise networks, the principle of D3-EDL - Executable Denylisting can be applied through MDM policies to block these apps on managed devices.

Timeline of Events

1. May 27, 2026: This article was published

MITRE ATT&CK Mitigations

In a corporate environment, use MDM to block the installation of these and other unvetted applications.

Educate users about the risks of data-hungry applications and how to review and manage app permissions.

Users should configure app permissions to be as restrictive as possible, only granting access necessary for core functionality.

D3FEND Defensive Countermeasures

For organizations managing fleets of mobile devices, the most direct countermeasure to the threat identified by MODA is to use a Mobile Device Management (MDM) platform to enforce an application denylist. This involves creating a policy that explicitly blocks the installation of the identified applications (Amap, bilibili, iQIYI, BIMOBIMO) and any other apps deemed high-risk due to their country of origin or data collection practices. The MDM can be configured to alert administrators if a user attempts to install a blocked app, and in some cases, automatically remove the app if it is detected on a managed device. This approach provides a centralized, enforceable control to mitigate the risk of data exfiltration to foreign servers across the entire organization.

To gain visibility into the risks posed by these and other mobile apps, organizations can implement User Data Transfer Analysis, often through a Mobile Threat Defense (MTD) solution or a network proxy. By routing traffic from a test device through a monitoring point, security analysts can observe the volume, frequency, and destination of data being transferred by apps like Amap. This analysis can confirm the findings of the Taiwanese ACS, identifying data exfiltration to servers in China, traffic that occurs when the app is in the background, and the types of data being sent. This evidence-based analysis allows organizations to make informed decisions about which apps to block and provides concrete data to justify these policies to management and users.
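
One way to turn a proxy capture into the evidence described above is to correlate each flow with the periods when the app was actually on screen. This is an added example, not tooling from the original article or from MODA: the CSV column names, hostnames, timestamps, and the 30-second grace period are assumptions constructed for illustration, and it presumes a test device running a single app under test.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

def background_transfers(flow_csv, foreground_windows, grace_seconds=30):
    """Summarise flows sent while the app under test was not in the foreground.

    flow_csv: proxy export with columns timestamp, dest_host, bytes_out.
    foreground_windows: (start, end) ISO timestamps when the app was on screen.
    grace_seconds: slack after each window so in-flight requests are not flagged.
    Returns {dest_host: {"flows": count, "bytes_out": total}}.
    """
    grace = timedelta(seconds=grace_seconds)
    windows = [(datetime.fromisoformat(start), datetime.fromisoformat(end) + grace)
               for start, end in foreground_windows]
    summary = defaultdict(lambda: {"flows": 0, "bytes_out": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        ts = datetime.fromisoformat(row["timestamp"])
        if any(start <= ts <= end for start, end in windows):
            continue  # app was in use, or had only just been closed
        entry = summary[row["dest_host"]]
        entry["flows"] += 1
        entry["bytes_out"] += int(row["bytes_out"])
    return dict(summary)

# Constructed sample capture (hypothetical hosts under the reserved .example TLD).
SAMPLE_FLOWS = """\
timestamp,dest_host,bytes_out
2026-05-27T10:00:05,api.app.example,1200
2026-05-27T10:04:50,api.app.example,800
2026-05-27T10:05:20,telemetry.app.example,300
2026-05-27T10:20:00,telemetry.app.example,4096
2026-05-27T10:50:00,telemetry.app.example,4096
2026-05-27T11:10:00,location.app.example,512
"""
# Constructed: the analyst had the app open from 10:00 to 10:05, then closed it.
SAMPLE_FOREGROUND = [("2026-05-27T10:00:00", "2026-05-27T10:05:00")]

if __name__ == "__main__":
    for host, stats in background_transfers(SAMPLE_FLOWS, SAMPLE_FOREGROUND).items():
        print(f"{host}: {stats['flows']} flows, {stats['bytes_out']} bytes while closed")
```

The per-destination totals give the volume, frequency, and destination figures that the analysis calls for; setting `grace_seconds=0` shows how many flows are only session teardown.
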

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

taiwan, china, mobile security, data privacy, amap, bilibili, moda, national security
