Privacy Compliance Governance Practices in JD Finance Mobile App

With increasingly strict national regulations on user privacy, JD Finance has established a rigorous compliance governance framework throughout the entire lifecycle of its mobile app, combining multiple measures to protect user privacy and ensure regulatory adherence.

Compliance Background – The rapid growth of mobile internet and the surge of apps have made personal data a primary entry point, prompting intense regulatory scrutiny and the introduction of laws such as the Personal Information Protection Law and Data Security Law.

Scope Definition – Privacy is defined as sensitive personal or organizational information, with seven major violation categories (e.g., lack of disclosed collection rules, collection without consent, over‑collection, unauthorized sharing, missing deletion mechanisms, and violations involving minors).

Key Issues – Common non‑compliant behaviors include illegal personal data collection, forced or excessive permission requests, and misuse of personal information, leading to app removals by regulators.

Privacy Policy – Must adopt a clear “notice‑and‑consent” approach, explicitly stating data collection scope, purposes, third‑party SDKs, and detailed permission usage.

App Permissions – Follow principles of minimal necessity, user awareness, no forced bundling, and dynamic request only when needed; pay special attention to high‑sensitivity permissions such as clipboard, notification, location, and device identifiers.

Data Encryption – Encrypt both local storage (including databases and files) and network transmission, ensuring sensitive data such as IMEI, IP address, and location are protected.

Sensitive System APIs – Reduce or eliminate calls to APIs that expose device identifiers or other sensitive information, especially when not required by business logic.

Third‑Party SDK Governance – Establish a management mechanism, perform technical assessments, and enforce compliance SDKs to prevent excessive permission requests, high‑frequency API calls, and unencrypted data transmission.

Compliance Assurance System – JD Finance formed a dedicated compliance group, defined SOPs for each development stage (requirements, design, development, testing, release, operation), and integrated a self‑developed Utrust platform for static/dynamic scanning, privacy‑policy checks, and reporting.

Tooling

1. Pandora Kit – An internal suite offering SDK/permission queries, database/SP helpers, and FindUsages to accelerate compliance checks.

2. Lancet Compliance Tool – Provides a compliance SDK that replaces sensitive API calls with safe wrappers and a compile‑time plugin that automatically injects these wrappers, eliminating manual code changes.

package com.jd.jrapp.application;

import android.util.Log;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;

public class HookFramework {
    public static final String TAG = "HookFramework";
    public void fixSystemFramework() {
        try {
            Class
activityThreadClass = Class.forName("android.app.ActivityThread");
            Method currentActivityThreadMethod = activityThreadClass.getDeclaredMethod("currentActivityThread");
            Object currentActivityThread = currentActivityThreadMethod.invoke(null);
            Field sPackageManagerField = activityThreadClass.getDeclaredField("sPackageManager");
            sPackageManagerField.setAccessible(true);
            Object sPackageManager = sPackageManagerField.get(currentActivityThread);
            Class
iPackageManagerInterface = Class.forName("android.content.pm.IPackageManager");
            Object proxy = Proxy.newProxyInstance(
                    iPackageManagerInterface.getClassLoader(),
                    new Class
[]{iPackageManagerInterface},
                    new IActivityManagerProxy(sPackageManager));
            sPackageManagerField.set(currentActivityThread, proxy);
        } catch (Exception var10) {
            Log.d(TAG, "" + var10);
        }
    }
    private class IActivityManagerProxy implements InvocationHandler {
        private Object iActivityManager;
        public IActivityManagerProxy(Object iActivityManager) { this.iActivityManager = iActivityManager; }
        public Object invoke(Object proxy, Method method, Object[] args) throws Throwable {
            String name = method.getName();
            if ("getInstalledApplications".equals(name) || "getInstalledPackages".equals(name) ||
                "getInstalledPackagesAsUser".equals(name) || "getInstallerPackageName".equals(name)) {
                Log.d("jd_proxy", method.getName() + " method stack = " + getStackTrace());
            }
            return method.invoke(this.iActivityManager, args);
        }
        private String getStackTrace() {
            try {
                StackTraceElement[] stack = Thread.currentThread().getStackTrace();
                StringBuilder sb = new StringBuilder("stacktrace:\n");
                for (StackTraceElement e : stack) { sb.append(e.toString()).append("\n"); }
                return sb.toString();
            } catch (Throwable t) { return ""; }
        }
    }
}

Platformization – The Utrust platform offers static APK scanning, dynamic behavior monitoring, privacy‑policy analysis, self‑checklists, and detailed reporting, enabling multi‑team collaboration and automated risk detection.

Case Studies & Experience – Includes methods for using Jadx for reverse engineering, call‑stack analysis, handling WebView privacy leaks, clipboard restrictions, and strategies for apps that refuse privacy policies while still providing essential services.

In summary, JD Finance’s privacy compliance practice combines strict policy enforcement, systematic lifecycle controls, automated tooling, and a dedicated compliance platform to safeguard user data and meet evolving regulatory requirements.