Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 075 · ENFORCEMENT

MIIT Public-Naming Bulletin 2026 Batch 4 (Total Batch 57): 32 Apps and SDKs Cited for PI Violations, Excessive Permission Demands, and SDK Disclosure Failures

On July 2, 2026, MIIT's Information & Communications Administration Bureau issued its fourth public-naming bulletin of 2026 (total Batch 57), citing 32 apps and SDKs for infringing user rights — unlawful and beyond-scope collection of personal information, forced/frequent/excessive permission demands, frequent self-starting and chained starting, uncloseable and redirect-abusing information windows, and inadequate SDK information disclosure. The batch runs under the same 2026 CAC + MIIT + MPS special campaign as the earlier CAC notification and Shanghai takedown covered in DCC's enforcement tracker, on the same rectify-or-face-disposition pathway. DCC transcribes the full 32-entry list from the bulletin's attached image table. The profile: a mobility-and-transport long tail (ride-hailing driver apps, EV charging, bus-information tools) alongside recognizable names — Neta Auto's app, PetroChina Kunlun's charging app, NetDragon's fortune-telling app, iFlyPlus — plus two WeChat mini-programs, multiple Apple App Store listings, one developer named twice, and three SDKs, one of which (闪登 SDK) drew four separate findings including the headline SDK-disclosure failure.

Editor’s Note — DCC.

This is the next entry in DCC’s enforcement tracker: the Notification on Apps (SDKs) Infringing User Rights (2026 Batch 4, Total Batch 57) (关于侵害用户权益行为的APP(SDK)通报(2026年第4批,总第57批)), issued by the MIIT Information & Communications Administration Bureau on July 2, 2026 and published via 工信微报 (read here through the 数据何规 repost). The 32-entry list is attached to the bulletin as an image table; DCC has transcribed it below (app name, developer, distribution source, version, cited issues) and added unofficial English renderings of the app and company names for identification. The transcription may contain minor error and the translations are not official — the Chinese original is authoritative.

Read it against the series: the Batch 3 bulletin (31 apps, May 2026), the CAC 30-app notification, and the rung below on the enforcement ladder, the Shanghai 46-app takedown for missed rectification.

The bulletin

The legal architecture is unchanged from Batch 3. Acting under the CAC + MIIT + MPS Announcement on Carrying Out the 2026 Personal Information Protection Series of Special Campaigns, and citing the Personal Information Protection Law, the Cybersecurity Law, the Telecom Regulations (电信条例), and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, MIIT organized third-party testing institutions to run sample checks on apps and SDKs for unlawful collection and use of personal information. The sweep found 32 apps and SDKs infringing user rights, now publicly named.

The disposition pathway is the standard one: named apps and SDKs must rectify in accordance with the relevant requirements; where rectification is not implemented in place, MIIT will organize disposition measures in accordance with law and regulation — the pathway that, as DCC’s Shanghai takedown brief showed, ends in removal from distribution for those who miss the window.

The violation taxonomy in this batch

The attached table cites six problem categories across the 32 entries:

  • 违规收集个人信息 — unlawful collection of personal information (the most common finding, appearing against most entries);
  • 超范围收集个人信息 — collection of personal information beyond scope (the SDK entries);
  • APP强制、频繁、过度索取权限 — forced, frequent, or excessive permission demands (the headline category, appearing against 13 entries);
  • APP频繁自启动和关联启动 — frequent self-starting and chained starting of apps;
  • 信息窗口无法关闭 / 信息窗口点击乱跳转 — information windows that cannot be closed, and window-click redirect abuse (the Batch 3 signature issue, down to two entries here);
  • SDK信息公示不到位 — inadequate SDK information disclosure (new to the headline, cited against the 闪登 SDK).

Who got named — the 32

The dominant profile is a mobility-and-transport long tail: ride-hailing and carpooling driver apps (司机点点乘客/车主, 拼客出行司机端, 化工宝智运司机端, 多多拉车主), EV-charging and car-service tools (新充电圈, 登途有车, 52车, 哪吒汽车), bus and ticket lookups (月城公交, 实时公交路线查询, 汽车票查票助手, 隧e通), and shared two-wheelers (MAN 共享摩托, 小鱼出行, 骑铃智行, 科马智行).

Within the long tail, several recognizable names:

  • 哪吒汽车 (Neta Auto) — the EV maker’s own app, named from the Apple App Store;
  • 新充电圈 — developed by 中石油昆仑网联电能科技有限公司, a PetroChina Kunlun entity;
  • 龙易运势 — a fortune-telling app from 福建网龙计算机网络信息技术有限公司 (NetDragon);
  • iFlyPlus and 松果出行 (Beijing Apa Kelan Technology Group) — both App Store listings;
  • 隧e通 — from 青岛国信城市信息科技有限公司, a state-linked city-services operator.

Structural patterns worth logging in the tracker:

  • The mini-program perimeter is active. Two entries (科马智行, 梦马校园) are distributed as WeChat mini-programs — MIIT’s testing reaches in-platform apps, not just store binaries, consistent with the CAC notification’s perimeter.
  • One developer, two apps. 安徽华格科技有限公司 appears twice (司机点点乘客 #17, 司机点点车主 #23) — the same one-operator-cluster pattern that produced multi-app takedowns in Shanghai.
  • Apple’s App Store is fully in scope. Six entries were sampled from the App Store, alongside OPPO, vivo, Xiaomi, Samsung, Honor, 应用宝, 360, 百度, 豌豆荚, and 快手 — plus official-website distribution for the SDKs.
  • SDKs drew the most granular findings. Of the three SDKs named, 闪登 SDK (北京微方程科技有限公司) collected four separate findings — unlawful collection, beyond-scope collection, forced/frequent/excessive permission demands, and inadequate SDK information disclosure. SDK disclosure — publishing what an embedded SDK collects and does — is the obligation the bulletin’s headline is signaling to the supply chain.
#App (SDK)DeveloperSourceVersionCited issues
1每日短剧
Daily Short Drama
厦门橙裂科技有限公司
Xiamen Chenglie Technology Co., Ltd.
Apple App Store1.8.1Unlawful PI collection
2月城公交
Yuecheng Bus
西昌月城公共交通有限公司
Xichang Yuecheng Public Transport Co., Ltd.
OPPO App Store2.7.0Unlawful PI collection
3MAN 共享摩托
MAN Shared Motorcycles
郑州极致思路网络科技有限公司
Zhengzhou Jizhi Silu Network Technology Co., Ltd.
Tencent Yingyongbao4.8.4Forced/frequent/excessive permission demands
4小鱼出行
Xiaoyu Mobility
云燊智能科技有限公司
Yunshen Intelligent Technology Co., Ltd.
Apple App Store6.7.4Unlawful PI collection
5汽车票查票助手
Bus Ticket Lookup Assistant
天津米畅科技有限公司
Tianjin Michang Technology Co., Ltd.
OPPO App Store1.0.1Unlawful PI collection
652车
52 Che (52 Car)
福建汽致信息技术有限公司
Fujian Qizhi Information Technology Co., Ltd.
Honor App Market3.3.11Unlawful PI collection
7实时公交路线查询
Real-Time Bus Route Lookup
成都行至远软件科技有限公司
Chengdu Xingzhiyuan Software Technology Co., Ltd.
Baidu Mobile Assistant1.0.1Unlawful PI collection; forced/frequent/excessive permission demands
8登途有车
Dengtu Youche (car rental)
北京登途汽车租赁服务有限公司
Beijing Dengtu Car Rental Services Co., Ltd.
Tencent Yingyongbao1.0.18Unlawful PI collection; forced/frequent/excessive permission demands
9周公解梦欢喜版
Zhougong Dream Interpretation (Huanxi Edition)
苏州市昆山真欢喜科技有限公司
Kunshan Zhenhuanxi Technology Co., Ltd. (Suzhou)
OPPO App Store1.5.0Information window cannot be closed
10光明易轩
Guangming Yixuan
山东辛明轩网络科技有限公司
Shandong Xinmingxuan Network Technology Co., Ltd.
OPPO App Store1.1.65Unlawful PI collection; forced/frequent/excessive permission demands
11若初文学
Ruochu Literature
北京黑岩信息技术有限公司
Beijing Heiyan Information Technology Co., Ltd.
Wandoujia4.3.4Unlawful PI collection
12松果出行
Songguo Mobility
Beijing Apa Kelan Technology Group Co., Ltd.
(as listed in the bulletin)
Apple App Store7.9.2Unlawful PI collection; window-click redirect abuse
13哪吒汽车
Neta Auto
上海哪吒聚行信息科技技术有限公司
Shanghai Nezha Juxing Information Technology Co., Ltd.
Apple App Store6.4.2Unlawful PI collection
14新充电圈
Xin Chongdianquan (New Charging Circle)
中石油昆仑网联电能科技有限公司
PetroChina Kunlun Wanglian Electric Energy Technology Co., Ltd.
Tencent Yingyongbao4.2.32Unlawful PI collection
15iFlyPlusiFlyPlus Co.,Ltd
(as listed in the bulletin)
Apple App Store3.7.9Unlawful PI collection; forced/frequent/excessive permission demands
16龙易运势
Longyi Fortune
福建网龙计算机网络信息技术有限公司
Fujian NetDragon Computer Network Information Technology Co., Ltd.
Tencent Yingyongbao3.8.5Unlawful PI collection; frequent self-start and chained start
17司机点点乘客
Siji Diandian — Passenger
安徽华格科技有限公司
Anhui Huage Technology Co., Ltd.
Tencent Yingyongbao4.0.58Unlawful PI collection
18拼客出行司机端
Pinke Mobility — Driver
河南省拼客顺风车科技有限公司
Henan Pinke Carpooling Technology Co., Ltd.
OPPO App Store4.3.5Unlawful PI collection
19我爱喝果汁
Wo Ai He Guozhi (I Love Juice)
天津康成瑞谷网络科技有限公司
Tianjin Kangcheng Ruigu Network Technology Co., Ltd.
Kuaishou1.0.3.5Unlawful PI collection; frequent self-start and chained start
20科马智行
Kema Zhixing
合肥大白鼠新能源科技有限公司
Hefei Dabaishu New Energy Technology Co., Ltd.
WeChat mini-programUnlawful PI collection; forced/frequent/excessive permission demands
21早播
Zaobo
上海碳蓝网络科技有限公司
Shanghai Tanlan Network Technology Co., Ltd.
Samsung Galaxy Store1.3.19Unlawful PI collection; forced/frequent/excessive permission demands
22化工宝智运司机端
Huagongbao Zhiyun — Driver
上海化工宝数字科技有限公司
Shanghai Huagongbao Digital Technology Co., Ltd.
vivo App Store2.2.12Forced/frequent/excessive permission demands
23司机点点车主
Siji Diandian — Owner
安徽华格科技有限公司
Anhui Huage Technology Co., Ltd.
Tencent Yingyongbao4.6.6Unlawful PI collection
24隧e通
Sui-e-Tong (tunnel e-pass)
青岛国信城市信息科技有限公司
Qingdao Guoxin City Information Technology Co., Ltd.
360 Mobile Assistant2.7.3Unlawful PI collection
25多多拉车主
Duoduola — Owner
深圳汇森能源环保科技有限公司
Shenzhen Huisen Energy & Environmental Protection Technology Co., Ltd.
Xiaomi App Store2.8.2Unlawful PI collection; frequent self-start and chained start
26梦马校园
Mengma Campus
杭州更创星科技有限公司
Hangzhou Gengchuangxing Technology Co., Ltd.
WeChat mini-programUnlawful PI collection; forced/frequent/excessive permission demands
27车辆维保记录查询
Vehicle Maintenance Records Lookup
昆山博派信息科技有限公司
Kunshan Bopai Information Technology Co., Ltd.
360 Mobile Assistant2.2.0Unlawful PI collection
28骑铃智行
Qiling Zhixing
四川玉骑铃科技有限公司
Sichuan Yuqiling Technology Co., Ltd.
Xiaomi App Store1.4.5Forced/frequent/excessive permission demands; frequent self-start and chained start
29客生客商家端
Keshengke — Merchant
河南客生客电子商务有限公司
Henan Keshengke E-Commerce Co., Ltd.
Tencent Yingyongbao2.3.2Unlawful PI collection
30驷象 SDK
Sixiang SDK
杭州驷象信息技术有限公司
Hangzhou Sixiang Information Technology Co., Ltd.
Official website4.1.3Beyond-scope PI collection
31闪登 SDK
Shandeng SDK (flash login)
北京微方程科技有限公司
Beijing Weifangcheng Technology Co., Ltd.
Official website1.0.54Unlawful PI collection; beyond-scope PI collection; forced/frequent/excessive permission demands; inadequate SDK information disclosure
32数字人 SDK
Digital Human SDK
北京爱语吧科技有限公司
Beijing Aiyuba Technology Co., Ltd.
Official website1.0.0Unlawful PI collection

Transcribed from the image table attached to the original bulletin; the original is authoritative. English renderings of app and company names are DCC’s unofficial translations or transliterations, provided for identification only — they are not official names, may be inaccurate, and where an operator has a registered English name it may differ. The Chinese names are the operative identifiers.

What overseas compliance teams should take from it

  • SDK disclosure is now a headline enforcement category. If your app embeds third-party SDKs in China — or you ship an SDK — the disclosure of what each SDK collects, and keeping that disclosure current, is being tested. An SDK named in a bulletin contaminates every host app that embeds it; run the SDK inventory now.
  • Permission hygiene is the recurring finding. Thirteen of 32 entries drew the forced/frequent/excessive-permission finding. The test is behavioral — how often and how insistently the binary asks — so paper policies don’t answer it; instrumented permission-flow review does.
  • Distribution channel is no shelter. Apple’s App Store, every major Android store, Kuaishou’s in-app channel, WeChat mini-programs, and direct official-site SDK distribution all appear as sampling sources. If it runs in China, it is in the perimeter.
  • The cadence is holding. Batch 4 of 2026 lands at the start of July — roughly monthly, 57 batches in. Under the 2026 joint campaign, the naming-rectification-disposition machine is running on schedule, and the Shanghai takedown notice already showed what the end of the pathway looks like for operators who miss the window.

工业和信息化部信息通信管理局 (MIIT Information & Communications Administration Bureau), 关于侵害用户权益行为的APP(SDK)通报(2026年第4批,总第57批) (Notification on Apps (SDKs) Infringing User Rights (2026 Batch 4, Total Batch 57)), July 2, 2026, published via 工信微报 and read here via the 数据何规 repost. Repost (Chinese).

Not legal advice. The 32-entry list was transcribed from the image table attached to the original bulletin and may contain minor transcription error; English names in the table are DCC’s unofficial translations and may be inaccurate; the original is authoritative.

— Not legal advice.


§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.