Editor’s Note — DCC.
This is the next entry in DCC’s enforcement tracker: the Notification on Apps (SDKs) Infringing User Rights (2026 Batch 4, Total Batch 57) (关于侵害用户权益行为的APP(SDK)通报(2026年第4批,总第57批)), issued by the MIIT Information & Communications Administration Bureau on July 2, 2026 and published via 工信微报 (read here through the 数据何规 repost). The 32-entry list is attached to the bulletin as an image table; DCC has transcribed it below (app name, developer, distribution source, version, cited issues) and added unofficial English renderings of the app and company names for identification. The transcription may contain minor error and the translations are not official — the Chinese original is authoritative.
Read it against the series: the Batch 3 bulletin (31 apps, May 2026), the CAC 30-app notification, and the rung below on the enforcement ladder, the Shanghai 46-app takedown for missed rectification.
The bulletin
The legal architecture is unchanged from Batch 3. Acting under the CAC + MIIT + MPS Announcement on Carrying Out the 2026 Personal Information Protection Series of Special Campaigns, and citing the Personal Information Protection Law, the Cybersecurity Law, the Telecom Regulations (电信条例), and the Provisions on Protecting the Personal Information of Telecommunications and Internet Users, MIIT organized third-party testing institutions to run sample checks on apps and SDKs for unlawful collection and use of personal information. The sweep found 32 apps and SDKs infringing user rights, now publicly named.
The disposition pathway is the standard one: named apps and SDKs must rectify in accordance with the relevant requirements; where rectification is not implemented in place, MIIT will organize disposition measures in accordance with law and regulation — the pathway that, as DCC’s Shanghai takedown brief showed, ends in removal from distribution for those who miss the window.
The violation taxonomy in this batch
The attached table cites six problem categories across the 32 entries:
- 违规收集个人信息 — unlawful collection of personal information (the most common finding, appearing against most entries);
- 超范围收集个人信息 — collection of personal information beyond scope (the SDK entries);
- APP强制、频繁、过度索取权限 — forced, frequent, or excessive permission demands (the headline category, appearing against 13 entries);
- APP频繁自启动和关联启动 — frequent self-starting and chained starting of apps;
- 信息窗口无法关闭 / 信息窗口点击乱跳转 — information windows that cannot be closed, and window-click redirect abuse (the Batch 3 signature issue, down to two entries here);
- SDK信息公示不到位 — inadequate SDK information disclosure (new to the headline, cited against the 闪登 SDK).
Who got named — the 32
The dominant profile is a mobility-and-transport long tail: ride-hailing and carpooling driver apps (司机点点乘客/车主, 拼客出行司机端, 化工宝智运司机端, 多多拉车主), EV-charging and car-service tools (新充电圈, 登途有车, 52车, 哪吒汽车), bus and ticket lookups (月城公交, 实时公交路线查询, 汽车票查票助手, 隧e通), and shared two-wheelers (MAN 共享摩托, 小鱼出行, 骑铃智行, 科马智行).
Within the long tail, several recognizable names:
- 哪吒汽车 (Neta Auto) — the EV maker’s own app, named from the Apple App Store;
- 新充电圈 — developed by 中石油昆仑网联电能科技有限公司, a PetroChina Kunlun entity;
- 龙易运势 — a fortune-telling app from 福建网龙计算机网络信息技术有限公司 (NetDragon);
- iFlyPlus and 松果出行 (Beijing Apa Kelan Technology Group) — both App Store listings;
- 隧e通 — from 青岛国信城市信息科技有限公司, a state-linked city-services operator.
Structural patterns worth logging in the tracker:
- The mini-program perimeter is active. Two entries (科马智行, 梦马校园) are distributed as WeChat mini-programs — MIIT’s testing reaches in-platform apps, not just store binaries, consistent with the CAC notification’s perimeter.
- One developer, two apps. 安徽华格科技有限公司 appears twice (司机点点乘客 #17, 司机点点车主 #23) — the same one-operator-cluster pattern that produced multi-app takedowns in Shanghai.
- Apple’s App Store is fully in scope. Six entries were sampled from the App Store, alongside OPPO, vivo, Xiaomi, Samsung, Honor, 应用宝, 360, 百度, 豌豆荚, and 快手 — plus official-website distribution for the SDKs.
- SDKs drew the most granular findings. Of the three SDKs named, 闪登 SDK (北京微方程科技有限公司) collected four separate findings — unlawful collection, beyond-scope collection, forced/frequent/excessive permission demands, and inadequate SDK information disclosure. SDK disclosure — publishing what an embedded SDK collects and does — is the obligation the bulletin’s headline is signaling to the supply chain.
| # | App (SDK) | Developer | Source | Version | Cited issues |
|---|---|---|---|---|---|
| 1 | 每日短剧 Daily Short Drama | 厦门橙裂科技有限公司 Xiamen Chenglie Technology Co., Ltd. | Apple App Store | 1.8.1 | Unlawful PI collection |
| 2 | 月城公交 Yuecheng Bus | 西昌月城公共交通有限公司 Xichang Yuecheng Public Transport Co., Ltd. | OPPO App Store | 2.7.0 | Unlawful PI collection |
| 3 | MAN 共享摩托 MAN Shared Motorcycles | 郑州极致思路网络科技有限公司 Zhengzhou Jizhi Silu Network Technology Co., Ltd. | Tencent Yingyongbao | 4.8.4 | Forced/frequent/excessive permission demands |
| 4 | 小鱼出行 Xiaoyu Mobility | 云燊智能科技有限公司 Yunshen Intelligent Technology Co., Ltd. | Apple App Store | 6.7.4 | Unlawful PI collection |
| 5 | 汽车票查票助手 Bus Ticket Lookup Assistant | 天津米畅科技有限公司 Tianjin Michang Technology Co., Ltd. | OPPO App Store | 1.0.1 | Unlawful PI collection |
| 6 | 52车 52 Che (52 Car) | 福建汽致信息技术有限公司 Fujian Qizhi Information Technology Co., Ltd. | Honor App Market | 3.3.11 | Unlawful PI collection |
| 7 | 实时公交路线查询 Real-Time Bus Route Lookup | 成都行至远软件科技有限公司 Chengdu Xingzhiyuan Software Technology Co., Ltd. | Baidu Mobile Assistant | 1.0.1 | Unlawful PI collection; forced/frequent/excessive permission demands |
| 8 | 登途有车 Dengtu Youche (car rental) | 北京登途汽车租赁服务有限公司 Beijing Dengtu Car Rental Services Co., Ltd. | Tencent Yingyongbao | 1.0.18 | Unlawful PI collection; forced/frequent/excessive permission demands |
| 9 | 周公解梦欢喜版 Zhougong Dream Interpretation (Huanxi Edition) | 苏州市昆山真欢喜科技有限公司 Kunshan Zhenhuanxi Technology Co., Ltd. (Suzhou) | OPPO App Store | 1.5.0 | Information window cannot be closed |
| 10 | 光明易轩 Guangming Yixuan | 山东辛明轩网络科技有限公司 Shandong Xinmingxuan Network Technology Co., Ltd. | OPPO App Store | 1.1.65 | Unlawful PI collection; forced/frequent/excessive permission demands |
| 11 | 若初文学 Ruochu Literature | 北京黑岩信息技术有限公司 Beijing Heiyan Information Technology Co., Ltd. | Wandoujia | 4.3.4 | Unlawful PI collection |
| 12 | 松果出行 Songguo Mobility | Beijing Apa Kelan Technology Group Co., Ltd. (as listed in the bulletin) | Apple App Store | 7.9.2 | Unlawful PI collection; window-click redirect abuse |
| 13 | 哪吒汽车 Neta Auto | 上海哪吒聚行信息科技技术有限公司 Shanghai Nezha Juxing Information Technology Co., Ltd. | Apple App Store | 6.4.2 | Unlawful PI collection |
| 14 | 新充电圈 Xin Chongdianquan (New Charging Circle) | 中石油昆仑网联电能科技有限公司 PetroChina Kunlun Wanglian Electric Energy Technology Co., Ltd. | Tencent Yingyongbao | 4.2.32 | Unlawful PI collection |
| 15 | iFlyPlus | iFlyPlus Co.,Ltd (as listed in the bulletin) | Apple App Store | 3.7.9 | Unlawful PI collection; forced/frequent/excessive permission demands |
| 16 | 龙易运势 Longyi Fortune | 福建网龙计算机网络信息技术有限公司 Fujian NetDragon Computer Network Information Technology Co., Ltd. | Tencent Yingyongbao | 3.8.5 | Unlawful PI collection; frequent self-start and chained start |
| 17 | 司机点点乘客 Siji Diandian — Passenger | 安徽华格科技有限公司 Anhui Huage Technology Co., Ltd. | Tencent Yingyongbao | 4.0.58 | Unlawful PI collection |
| 18 | 拼客出行司机端 Pinke Mobility — Driver | 河南省拼客顺风车科技有限公司 Henan Pinke Carpooling Technology Co., Ltd. | OPPO App Store | 4.3.5 | Unlawful PI collection |
| 19 | 我爱喝果汁 Wo Ai He Guozhi (I Love Juice) | 天津康成瑞谷网络科技有限公司 Tianjin Kangcheng Ruigu Network Technology Co., Ltd. | Kuaishou | 1.0.3.5 | Unlawful PI collection; frequent self-start and chained start |
| 20 | 科马智行 Kema Zhixing | 合肥大白鼠新能源科技有限公司 Hefei Dabaishu New Energy Technology Co., Ltd. | WeChat mini-program | — | Unlawful PI collection; forced/frequent/excessive permission demands |
| 21 | 早播 Zaobo | 上海碳蓝网络科技有限公司 Shanghai Tanlan Network Technology Co., Ltd. | Samsung Galaxy Store | 1.3.19 | Unlawful PI collection; forced/frequent/excessive permission demands |
| 22 | 化工宝智运司机端 Huagongbao Zhiyun — Driver | 上海化工宝数字科技有限公司 Shanghai Huagongbao Digital Technology Co., Ltd. | vivo App Store | 2.2.12 | Forced/frequent/excessive permission demands |
| 23 | 司机点点车主 Siji Diandian — Owner | 安徽华格科技有限公司 Anhui Huage Technology Co., Ltd. | Tencent Yingyongbao | 4.6.6 | Unlawful PI collection |
| 24 | 隧e通 Sui-e-Tong (tunnel e-pass) | 青岛国信城市信息科技有限公司 Qingdao Guoxin City Information Technology Co., Ltd. | 360 Mobile Assistant | 2.7.3 | Unlawful PI collection |
| 25 | 多多拉车主 Duoduola — Owner | 深圳汇森能源环保科技有限公司 Shenzhen Huisen Energy & Environmental Protection Technology Co., Ltd. | Xiaomi App Store | 2.8.2 | Unlawful PI collection; frequent self-start and chained start |
| 26 | 梦马校园 Mengma Campus | 杭州更创星科技有限公司 Hangzhou Gengchuangxing Technology Co., Ltd. | WeChat mini-program | — | Unlawful PI collection; forced/frequent/excessive permission demands |
| 27 | 车辆维保记录查询 Vehicle Maintenance Records Lookup | 昆山博派信息科技有限公司 Kunshan Bopai Information Technology Co., Ltd. | 360 Mobile Assistant | 2.2.0 | Unlawful PI collection |
| 28 | 骑铃智行 Qiling Zhixing | 四川玉骑铃科技有限公司 Sichuan Yuqiling Technology Co., Ltd. | Xiaomi App Store | 1.4.5 | Forced/frequent/excessive permission demands; frequent self-start and chained start |
| 29 | 客生客商家端 Keshengke — Merchant | 河南客生客电子商务有限公司 Henan Keshengke E-Commerce Co., Ltd. | Tencent Yingyongbao | 2.3.2 | Unlawful PI collection |
| 30 | 驷象 SDK Sixiang SDK | 杭州驷象信息技术有限公司 Hangzhou Sixiang Information Technology Co., Ltd. | Official website | 4.1.3 | Beyond-scope PI collection |
| 31 | 闪登 SDK Shandeng SDK (flash login) | 北京微方程科技有限公司 Beijing Weifangcheng Technology Co., Ltd. | Official website | 1.0.54 | Unlawful PI collection; beyond-scope PI collection; forced/frequent/excessive permission demands; inadequate SDK information disclosure |
| 32 | 数字人 SDK Digital Human SDK | 北京爱语吧科技有限公司 Beijing Aiyuba Technology Co., Ltd. | Official website | 1.0.0 | Unlawful PI collection |
Transcribed from the image table attached to the original bulletin; the original is authoritative. English renderings of app and company names are DCC’s unofficial translations or transliterations, provided for identification only — they are not official names, may be inaccurate, and where an operator has a registered English name it may differ. The Chinese names are the operative identifiers.
What overseas compliance teams should take from it
- SDK disclosure is now a headline enforcement category. If your app embeds third-party SDKs in China — or you ship an SDK — the disclosure of what each SDK collects, and keeping that disclosure current, is being tested. An SDK named in a bulletin contaminates every host app that embeds it; run the SDK inventory now.
- Permission hygiene is the recurring finding. Thirteen of 32 entries drew the forced/frequent/excessive-permission finding. The test is behavioral — how often and how insistently the binary asks — so paper policies don’t answer it; instrumented permission-flow review does.
- Distribution channel is no shelter. Apple’s App Store, every major Android store, Kuaishou’s in-app channel, WeChat mini-programs, and direct official-site SDK distribution all appear as sampling sources. If it runs in China, it is in the perimeter.
- The cadence is holding. Batch 4 of 2026 lands at the start of July — roughly monthly, 57 batches in. Under the 2026 joint campaign, the naming-rectification-disposition machine is running on schedule, and the Shanghai takedown notice already showed what the end of the pathway looks like for operators who miss the window.
— 工业和信息化部信息通信管理局 (MIIT Information & Communications Administration Bureau), 关于侵害用户权益行为的APP(SDK)通报(2026年第4批,总第57批) (Notification on Apps (SDKs) Infringing User Rights (2026 Batch 4, Total Batch 57)), July 2, 2026, published via 工信微报 and read here via the 数据何规 repost. Repost (Chinese).
Not legal advice. The 32-entry list was transcribed from the image table attached to the original bulletin and may contain minor transcription error; English names in the table are DCC’s unofficial translations and may be inaccurate; the original is authoritative.