Core Viewpoint
- The release of the "Mobile Internet Application (APP) Risk Classification and Grading Guide (2025)" aims to provide a reference framework for APP risk assessment, promoting collaborative governance in the industry and fostering a healthy and orderly development of the mobile internet ecosystem [1]

Group 1: Industry Context
- The digital economy is thriving, and information technology innovations are rapidly evolving, with mobile internet applications playing a crucial role in facilitating daily life and driving digital transformation across various sectors [1]
- The continuous growth of the mobile internet industry has led to an explosive increase in APPs, mini-programs, and AI applications, resulting in diverse APP forms and frequent technological updates [1]

Group 2: Risk Classification
- The guide categorizes APP risks into six major types: privacy security risks, malicious behavior risks, service anomaly risks, property security risks, content security risks, and safety risks to minors [2]
- Malicious behavior risks include rogue software actions, system destruction, and malicious confrontations, while property security risks encompass behaviors that threaten user financial safety, such as inducement to charge and telecom fraud [2]

Group 3: Risk Grading
- Risks are graded into four levels: extreme, high, medium, and low, based on their impact on social order, system security, and user rights [2]
- For instance, telecom fraud is classified as extreme risk due to its severe threat to user financial safety and social stability, while an APP targeting children that lacks personal information processing rules is considered medium risk [2]

Group 4: Management Measures
- Different stakeholders can implement various management measures at each stage of the APP lifecycle based on risk levels [3]
- During the APP development phase, companies should establish internal control mechanisms and enhance self-inspection and supply chain risk audits [3]
- In the APP review and monitoring phase, measures may include refusal to list, notifying developers for rectification, delisting applications, and freezing developers based on violations [3]
- During installation and operation, companies should provide users with risk alerts, interception, or guidance for uninstallation, and establish monitoring mechanisms for malicious behavior risks [3]
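China Academy of Information and Communications Technology (CAICT) Releases the APP Risk Classification and Grading Guide (2025)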
Huan Qiu Wang Zi Xun·2025-07-24 10:11