TAIPEI, Taiwan—Four Chinese-made apps have been found to pose cybersecurity risks to users because they secretly harvest data from users’ devices, Taiwan’s Ministry of Digital Affairs has said following an investigation.
At a news conference on May 27, the ministry’s Administration for Cyber Security (ACS) disclosed its findings on navigation app AMap, video-streaming apps Bilibili and iQIYI, and messaging app BIMOBIMO. The four apps were subjected to tests using 15 indicators across four categories: real-time monitoring, accessing data from other apps, extracting information from the user’s device, and data transmission and sharing.
AMap, also known as Gaode Maps, was found to pose the greatest risk to users, failing 11 of the indicators in the Android version tested and eight in the iOS version.
In both mobile operating systems, AMap was found to access users’ location data, audio, photos, live video feeds, microphone permissions, contacts, calendars, to-do lists, health records, and device identifiers, while also transmitting data to servers located in China.
The findings are a warning beyond Taiwan. To avoid inaccuracies and glitches in Google and Apple Maps, tech-savvy foreign travelers in China often rely on local navigation apps instead, which may expose them to potential cybersecurity risks.
AMap is developed by Beijing-based company AutoNavi Software, which is part of China’s Alibaba Group Holding.
In May 2025, a group of lawmakers asked the U.S. Securities and Exchange Commission to delist 20 Chinese companies, including Alibaba, alleging that they were advancing the interests of the Chinese Communist Party.
Lee Yu-wei, a senior ACS official, explained during the news conference that AMap’s access to users’ location data could allow the app to build detailed profiles of their movements and daily routines. This could include users’ movement patterns, frequently visited locations, travel routes, departure and arrival times, and the duration of their stays at specific locations.
“This type of digital footprint could create personal security risks,” Lee said.
Lee added that AMap’s access to users’ videos and microphones could effectively turn the app into a tool capable of collecting sensitive personal information and confidential business data.
The three other apps tested—Bilibili, iQIYI, and BIMOBIMO—failed between five and eight of the indicators on the Android and iOS versions. All three also transmitted data to servers based in China.
Chinese technology giant Baidu is the majority owner of iQIYI, a streaming platform listed on the Nasdaq.
Bilibili is a Nasdaq-listed video-sharing platform with Chinese tech giant Tencent Holdings as one of its major investors.
The Pentagon has included Tencent Holdings on its blacklist of “Chinese military companies” operating in the United States.
Baidu is currently not on the Pentagon blacklist. However, in December 2025, Sen. Rick Scott (R-Fla.) sent a letter to Pentagon chief Pete Hegseth, saying that Baidu should be added to the list, calling its ties to Chinese leader Xi Jinping, the Party, and China’s military as “similarly alarming.”
ACS Director-General Tsai Fu-longe said the four apps raise concerns common to China-based apps: Under Beijing’s National Intelligence Law and Cybersecurity Law, their operators may be required to provide user data to Chinese authorities upon request.
“The [Chinese] government’s ability to access company and user data for intelligence and national security purposes creates a significant risk to [Taiwan’s] national security,” Tsai said.
According to Taiwan’s Ministry of Digital Affairs, government agencies are barred from downloading, installing, or using Chinese-made apps under the island nation’s Cyber Security Management Act. The restriction extends to electronic devices issued by government bodies.
The ministry urged the public to uninstall any of the four apps if they are currently installed, in a statement issued on May 27.
As a general rule of thumb, before using any app, the ministry recommends that people review its privacy policy—particularly how data are collected and shared—regularly evaluate permission requests, and use mobile security tools to block malicious apps and protect against harmful connections or backdoors.
Friends Read Free
Copy
Facebook
Tweet
