Taiwan Flags AMap, Bilibili, iQiyi and Bimobimo as High-Risk Data Apps
Taiwan’s Ministry of Digital Affairs named four Chinese-made apps high-risk on Wednesday, after security testing confirmed all four transmitted user data to servers in China: AMap, Bilibili, iQiyi, and Bimobimo. Cyber Security Administration Director Lee Yu-wei (李昱緯) announced the findings at a news conference in Taipei and urged residents to stop downloading or using any of the four.
The warning extends beyond government buildings, yet its reach has a hard limit. Taiwan’s agencies are already barred from Chinese-made apps under the Cyber Security Management Act, which applies to government bodies and designated critical-infrastructure operators. That statute reaches no further. For ordinary civilians, Wednesday’s advisory carries no legal force.
Four Apps Flagged at a Taipei News Conference
Lee Yu-wei’s announcement covers four distinct corners of Chinese digital life: navigation, short-video and video streaming, and social communications. Security tests, conducted under Taiwan’s standard cybersecurity evaluation framework, found permission requests in each app that exceed what their stated core functions require.
Taiwan’s National Security Bureau had separately briefed legislators earlier in May, with NSB Director-General Tsai Ming-yen telling the legislature’s Foreign Affairs and National Defense Committee that investigators found security concerns in nine of the 15 reviewed categories for the navigation app alone. Data collected by that platform included contact lists, call histories, audio and video feeds, and location information – all transmitted back to servers in China. Wednesday’s announcement from the Ministry of Digital Affairs represents the full public assessment that the NSB’s May briefing had signaled was coming.
The announcement came roughly five weeks after the ministry banned the navigation app from government agency devices in April, when officials noticed the app was displaying traffic-light countdown timers at Taiwan road intersections without any integration with local traffic management systems. That observation pointed to an active data channel between the app and servers in China: the platform was processing Taiwan road conditions through an undisclosed path.
“We remind the public to avoid downloading and using high-risk apps as much as possible to protect their property and privacy.”
Lee Yu-wei, Cyber Security Administration Director at Taiwan’s Ministry of Digital Affairs, Taipei, May 27, 2026.

Permissions Beyond Each App’s Core Function
The Navigation App: Location, Contacts, and Background Transmission
The platform requested three categories of access that stand apart from its mapping function. Contacts permissions gave it the ability to read names, phone numbers, and the address-book social graph of any user who approved the request. Location permissions were configured to operate while the app was closed, meaning a device that had not opened the app in hours was still recording and transmitting GPS coordinates. Combined, those two permissions let the app construct a profile of who a user knows and where they have been, across periods when the user was not actively engaging with any map service.
The ministry’s testing further found that all four flagged apps requested Android audio and video access with no disclosed function requiring a microphone or camera. For the navigation platform specifically, that permission stacks on top of the location and contacts risks, opening three simultaneous access points to the physical environment of the device’s owner.
Bilibili, iQiyi, and Bimobimo: Storage and Media Access
Security tests found all three apps requested broad Android storage permissions extending beyond the sandboxed folders where apps conventionally keep their own data. At that level of access, a platform can read documents, photos, and files belonging to other applications – a capability with no evident function in video streaming or social messaging. Each of the three also requested audio and video access on Android devices, matching the same permission profile found in the navigation app.
The Baidu-owned streaming service carries a specific regulatory history in Taiwan. In 2020, Taiwan’s Ministry of Economic Affairs barred Taiwanese companies from acting as agents or distributors for Chinese OTT services – a restriction documented in Freedom House’s Taiwan internet freedom review and framed largely around that platform and Tencent’s streaming products. That earlier rule covered the distribution channel. It did not prevent individual users from downloading the app directly. Wednesday’s advisory addresses that gap.
All three apps send data to servers in China regardless of where their users are located. Whatever the apps collect, Chinese law determines who can demand access to it.
| App | Primary Function | Permissions Beyond Stated Function | Data Destination |
|---|---|---|---|
| AMap | Navigation | Contacts access; location while closed; background data transmission; audio/video on Android | Chinese servers |
| Bilibili | Video streaming | Storage access; audio/video on Android | Chinese servers |
| iQiyi | Video streaming | Storage access; audio/video on Android | Chinese servers |
| Bimobimo | Social platform | Storage access; audio/video on Android | Chinese servers |
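The comparison in the table can be reproduced for any Android app by checking the permissions declared in its decoded manifest against what its category plausibly needs. The sketch below is an added example, not the ministry's test method: the permission names are standard Android permissions, while the per-category baseline, the sample manifest and the package name `com.example.navdemo` are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
P = "android.permission."

# Android permissions matching the access types listed in the table above.
SENSITIVE = {
    P + "READ_CONTACTS": "contacts and address-book social graph",
    P + "ACCESS_FINE_LOCATION": "precise location while in use",
    P + "ACCESS_BACKGROUND_LOCATION": "location while the app is closed",
    P + "MANAGE_EXTERNAL_STORAGE": "files outside the app's own folders",
    P + "RECORD_AUDIO": "microphone",
    P + "CAMERA": "camera",
}

# Assumption: the sensitive permissions an auditor accepts per app category.
BASELINE = {
    "navigation": {P + "ACCESS_FINE_LOCATION"},
    "video_streaming": set(),
}

# Constructed sample (hypothetical package). Manifests inside an APK are
# binary XML and must be decoded to text before this parser can read them.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.navdemo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return every permission name declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = {el.get(ANDROID_NAME) for tag in tags for el in root.iter(tag)}
    return names - {None}


def excess_permissions(manifest_xml, category):
    """Map each sensitive permission outside the category baseline to its risk."""
    allowed = BASELINE[category]
    requested = requested_permissions(manifest_xml)
    return {p: SENSITIVE[p] for p in sorted(requested)
            if p in SENSITIVE and p not in allowed}


if __name__ == "__main__":
    for perm, risk in excess_permissions(SAMPLE_MANIFEST, "navigation").items():
        print(f"{perm}: {risk}")
```

A declared permission shows only what an app may request; whether the access is used, and where the data goes, still has to be confirmed by observing the app's runtime behaviour and network traffic.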
China’s Surveillance Laws Reach Every Server
Testing found no trojans or embedded malware in any of the four apps. The security risk sits at a different layer, one written into law rather than code. Any company running servers under Chinese jurisdiction falls under a framework that gives Chinese authorities access to user data without independent judicial review.
China’s National Intelligence Law, passed by the Standing Committee of the National People’s Congress in June 2017, requires “all organizations and citizens” to “support, assist, and cooperate with national intelligence efforts.” The obligation attaches to Chinese-jurisdiction companies regardless of where their customers live. A Taiwanese resident using the navigation or streaming apps named Wednesday is a data source governed by the same rules as a user in Shanghai.
China’s Cybersecurity Law, first enacted in 2017 and revised in legislation that came into force in January 2026, reinforces that obligation. Article 28 of the law compels “network operators” – a category that explicitly covers social media platforms, application creators, and other technology companies – to provide technical support to public security and national security organs upon request. No warrant or judicial authorization step is specified. The Data Security Law of 2021 added further provisions requiring companies to align cross-border data flows with government directives and classifying certain data categories as subject to mandatory government access.
Taiwan’s National Security Bureau made the linkage explicit in its own assessment, stating that under China’s Cybersecurity Law and National Intelligence Law, “Chinese enterprises are obligated to turn over user data to competent authorities concerning national security, public security, and intelligence.” The FBI’s Internet Crime Complaint Center PSA 260331, published in March 2026, reached the same conclusion for American users, warning that apps maintaining digital infrastructure in China are subject to Chinese national security laws that enable government access to mobile app user data.
Nine Months of App Warnings in Taiwan
Wednesday’s announcement is the sixth distinct round of Chinese app warnings from Taiwanese authorities since mid-2025. The flagged category expands with each round; the civilian-use restrictions do not.
- July 2025 – Taiwan’s National Security Bureau tested Rednote, Weibo, Douyin, WeChat, and Baidu Netdisk against 15 security indicators. Rednote failed all 15. Weibo and Douyin each violated 13.
- November 2025 – Officials named DeepSeek and four other Chinese AI models as security threats after testing found data collection and permission overreach across all five.
- December 2025 – The ministry publicly named Douyin, Xiaohongshu, Weibo, WeChat, and Baidu Netdisk as high-risk services and urged the public to delete or avoid them.
- January 2026 – The restricted software list was updated to include TikTok, Weibo, WeChat, RedNote, and Baidu, with officials noting that under Chinese law those companies may be compelled to provide user data to Beijing.
- April 2026 – The navigation app was banned from government agency devices; Taiwan’s defense ministry extended the restriction to service members’ personal phones. A full civilian-risk assessment was promised for May.
- May 27, 2026 – The full assessment was released. The four apps were classified high-risk for public use.
The category arc runs from social media through AI tools to navigation and entertainment platforms. Every wave adds a different app type to the same list, pointing to the same legal destination for the data each collects.
Government Devices Are Barred, Civilian Phones Are Not
The structural gap Wednesday’s announcement did not close is the civilian one. The Cyber Security Management Act applies to government agencies and specific non-government entities including critical-infrastructure providers, state-owned businesses, and government-sponsored foundations. Other than sector-specific rules for financial institutions and telecoms, no equivalent cybersecurity requirement covers the general public. An advisory from the ministry is not a prohibition.
No mechanism under current Taiwanese law removes apps from private phones or compels Apple’s App Store or Google Play to delist the four flagged services in Taiwan. Both platforms continue to distribute the apps globally under content policies set outside Taipei. The Carnegie Endowment’s analysis of China’s data access obligations describes the same problem: these laws may compel companies to cooperate with Chinese defense and intelligence services even when doing so would violate the laws of the country where those companies operate, and the absence of independent judicial oversight within the Chinese system leaves affected parties with little recourse. The US Department of Homeland Security’s data security advisory framework puts the same point in blunter terms, noting that under China’s national intelligence law, firms are required to share data with the Chinese government upon request even when that request is illegal under the jurisdiction where they operate.
Aggregate data is the risk that individual permission notices obscure. A single contact list from one device is a minor data point. Contact lists, location histories, and audio metadata harvested passively across months from several hundred thousand engineers, journalists, defense contractors, and government workers become a human-intelligence map of Taiwan’s professional and social landscape. Taiwan noticed the navigation app was processing Taiwan road data in April, roughly three years after the app became freely downloadable on the island. The May 27 assessment names three more apps working on the same structural logic. Whether civilian devices will be required to remove any of them is a political question the ministry has left unanswered.
