Giving without Notifying: Assessing Compliance of Data Transmission in Android Apps
Authors: 
Ming Fan, Jifei Shi, Yin Wang, Le Yu, Xicheng Zhang, Haijun Wang, Wuxia Jin, Ting LiuAuthors Info & Claims
Abstract
Mobile apps often access personal information to meet business needs, raising concerns about privacy breaches. Compliance detection methods are proposed to check for inconsistencies between program code and privacy policies. However, existing methods face challenges with the low efficiency of static data flow analysis tools and often neglect physical data transmission destinations.
To address these issues, we propose an automated compliance detection method called GNChecker. It uses an efficient static data flow analysis technique with a segmentation strategy, significantly reducing the search scope and improving efficiency. Additionally, a fine-grained consistency detection framework is proposed by integrating static data flow and dynamic traffic flow results into a unified tuple form, i.e., (information type, transmission address). Evaluation results on 50 popular apps show that GNChecker outperforms state-of-the-art data flow analysis tools. Among 1,134 real-world apps, GNChecker identified 1,410 true non-compliant transmission behaviors in 379 apps, significantly surpassing existing compliance detection tools.
References
[1]
2018. The EU General Data Protection Regulation. https://eugdpr.org
[2]
2020. California Consumer Privacy Act. https://oag.ca.gov/privacy/ccpa
[3]
2021. Personal Information Protection Law of the People's Republic of China. https://www.gov.cn/xinwen/2021-08/20/content_5632486.htm
[4]
2023. DroidBench. https://github.com/secure-software-engineering/DroidBench/tree/develop
[5]
2024. 500 million people find the application they want here. https://www.wandoujia.com/
[6]
2024. ChatGPT. https://chat.openai.com/
[7]
2024. Huawei Application Market. https://consumer.huawei.com/cn/mobileservices/appgallery/
[8]
2024. YeShen emulator. https://www.yeshen.com/
[9]
Nadia Alshahwan, Xinbo Gao, Mark Harman, Yue Jia, Ke Mao, Alexander Mols, Taijin Tei, and Ilya Zorin. 2018. Deploying search based software engineering with sapienz at facebook. In Search-Based Software Engineering: 10th International Symposium, SSBSE 2018, Montpellier, France, September 8--9, 2018, Proceedings 10. Springer, 3--45.
[10]
Benjamin Andow, Samin Yaseer Mahmud, Wenyu Wang, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Tao Xie. 2019. {PolicyLint}: Investigating internal privacy policy contradictions on google play. In 28th USENIX security symposium (USENIX security 19). 585--602.
[11]
Benjamin Andow, Samin Yaseer Mahmud, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Serge Egelman. 2020. Actions speak louder than words:{Entity-Sensitive} privacy policy and data flow analysis with {PoliCheck}. In 29th USENIX Security Symposium (USENIX Security 20). 985--1002.
[12]
Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. Acm Sigplan Notices 49, 6 (2014), 259--269.
[13]
Michael Backes, Sven Bugiel, and Erik Derr. 2016. Reliable third-party library detection in android and its security applications. In Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. 356--367.
[14]
Alexandre Bartel, Jacques Klein, Yves Le Traon, and Martin Monperrus. 2012. Dexpler: converting android dalvik bytecode to jimple for static analysis with soot. In Proceedings of the ACM SIGPLAN International Workshop on State of the Art in Java Program analysis. 27--38.
[15]
Duc Bui, Yuan Yao, Kang G Shin, Jong-Min Choi, and Junbum Shin. 2021. Consistency analysis of data-usage purposes in mobile apps. In Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. 2824--2843.
[16]
Tianqin Cai, Zhao Zhang, and Ping Yang. 2020. Fastbot: A Multi-Agent ModelBased Test Generation System. In Proceedings of the IEEE/ACM 1st International Conference on Automation of Software Test. 93--96.
[17]
Ming Fan, Le Yu, Sen Chen, Hao Zhou, Xiapu Luo, Shuyue Li, Yang Liu, Jun Liu, and Ting Liu. 2020. An empirical evaluation of GDPR compliance violations in Android mHealth apps. In 2020 IEEE 31st international symposium on software reliability engineering (ISSRE). IEEE, 253--264.
[18]
HHK Fawaz, RLF Schaub, and KGS Karl. 2017. Polisis: automated analysis and presentation of privacy policies using deep learning. Technical Report. Technical report, EPFL.
[19]
Michael I Gordon, Deokhwan Kim, Jeff H Perkins, Limei Gilham, Nguyen Nguyen, and Martin C Rinard. 2015. Information flow analysis of android applications in droidsafe. In NDSS, Vol. 15. 110.
[20]
Michael C Grace, Wu Zhou, Xuxian Jiang, and Ahmad-Reza Sadeghi. 2012. Unsafe exposure analysis of mobile in-app advertisements. In Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks. 101--112.
[21]
Jin Han, Qiang Yan, Debin Gao, Jianying Zhou, and Robert H Deng. 2013. Comparing mobile privacy protection through cross-platform applications. (2013).
[22]
Li Li, Alexandre Bartel, Tegawendé F Bissyandé, Jacques Klein, Yves Le Traon, Steven Arzt, Siegfried Rasthofer, Eric Bodden, Damien Octeau, and Patrick McDaniel. 2015. Iccta: Detecting inter-component privacy leaks in android apps. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Vol. 1. IEEE, 280--291.
[23]
Li Li, Tegawendé F Bissyandé, Jacques Klein, and Yves Le Traon. 2016. An investigation into the use of common libraries in android apps. In 2016 IEEE 23Rd international conference on software analysis, evolution, and reengineering (SANER), Vol. 1. IEEE, 403--414.
[24]
Li Li, Tegawendé F Bissyandé, Damien Octeau, and Jacques Klein. 2016. Droidra: Taming reflection to support whole-program analysis of android apps. In Proceedings of the 25th International Symposium on Software Testing and Analysis. 318--329.
[25]
Zhengwei Lv, Chao Peng, Zhao Zhang, Ting Su, Kai Liu, and Ping Yang. 2022. Fastbot2: Reusable Automated Model-based GUI Testing for Android Enhanced by Reinforcement Learning. In Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering (ASE 2022).
[26]
Ke Mao, Mark Harman, and Yue Jia. 2016. Sapienz: Multi-objective automated testing for android applications. In Proceedings of the 25th international symposium on software testing and analysis. 94--105.
[27]
Damien Octeau, Daniel Luchaup, Matthew Dering, Somesh Jha, and Patrick McDaniel. 2015. Composite constant propagation: Application to android inter-component communication analysis. In 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering, Vol. 1. IEEE, 77--88.
[28]
Damien Octeau, Patrick McDaniel, Somesh Jha, Alexandre Bartel, Eric Bodden, Jacques Klein, and Yves Le Traon. 2013. Effective {Inter-Component} communication mapping in android: An essential step towards holistic security analysis. In 22nd USENIX Security Symposium (USENIX Security 13). 543--558.
[29]
Lina Qiu, Yingying Wang, and Julia Rubin. 2018. Analyzing the analyzers: Flowdroid/iccta, amandroid, and droidsafe. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis. 176--186.
[30]
Abbas Razaghpanah, Rishab Nithyanand, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Mark Allman, Christian Kreibich, Phillipa Gill, et al. 2018. Apps, trackers, privacy, and regulators: A global study of the mobile tracking ecosystem. In The 25th Annual Network and Distributed System Security Symposium (NDSS 2018).
[31]
Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, and Serge Egelman. 2019. 50 ways to leak your data: An exploration of apps' circumvention of the android permissions system. In 28th USENIX security symposium (USENIX security 19). 603--620.
[32]
Jingjing Ren, Ashwin Rao, Martina Lindorfer, Arnaud Legout, and David Choffnes. 2016. Recon: Revealing and controlling pii leaks in mobile network traffic. In Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services. 361--374.
[33]
Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, Serge Egelman, et al. 2018. "Won't somebody think of the children?" examining COPPA compliance at scale. In The 18th Privacy Enhancing Technologies Symposium (PETS 2018).
[34]
Rocky Slavin, Xiaoyin Wang, Mitra Bokaei Hosseini, James Hester, Ram Krishnan, Jaspreet Bhatia, Travis D Breaux, and Jianwei Niu. 2016. Toward a framework for detecting privacy policy violations in android application code. In Proceedings of the 38th International Conference on Software Engineering. 25--36.
[35]
John W Stamey and Ryan A Rossi. 2009. Automatically identifying relations in privacy policies. In Proceedings of the 27th ACM international conference on Design of communication. 233--238.
[36]
Raja Vallée-Rai, Phong Co, Etienne Gagnon, Laurie Hendren, Patrick Lam, and Vijay Sundaresan. 2010. Soot: A Java bytecode optimization framework. In CASCON First Decade High Impact Papers. 214--224.
[37]
Yin Wang, Ming Fan, and Junjie Tao. 2024. Compliance Detection Method for Mobile Application Privacy Policy Content. Journal of Software 35, 8 (2024).
[38]
Fengguo Wei, Sankardas Roy, Xinming Ou, and Robby. 2018. Amandroid: A precise and general inter-component data flow analysis framework for security vetting of android apps. ACM Transactions on Privacy and Security (TOPS) 21, 3 (2018), 1--32.
[39]
Le Yu, Xiapu Luo, Jiachi Chen, Hao Zhou, Tao Zhang, Henry Chang, and Hareton KN Leung. 2018. Ppchecker: Towards accessing the trustworthiness of android apps' privacy policies. IEEE Transactions on Software Engineering 47, 2 (2018), 221--242.
[40]
Razieh Nokhbeh Zaeem, Rachel L German, and K Suzanne Barber. 2018. Privacycheck: Automatic summarization of privacy policies using data mining. ACM Transactions on Internet Technology (TOIT) 18, 4 (2018), 1--18.
[41]
Xia Zeng, Dengfeng Li, Wujie Zheng, Fan Xia, Yuetang Deng, Wing Lam, Wei Yang, and Tao Xie. 2016. Automated test input generation for android: Are we really there yet in an industrial case?. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering. 987--992.
[42]
Jie Zhang, Cong Tian, and Zhenhua Duan. 2019. Fastdroid: efficient taint analysis for android applications. In 2019 IEEE/ACM 41st International Conference on Software Engineering: Companion Proceedings (ICSE-Companion). IEEE, 236--237.
[43]
Junbin Zhang, Yingying Wang, Lina Qiu, and Julia Rubin. 2021. Analyzing android taint analysis tools: FlowDroid, Amandroid, and DroidSafe. IEEE Transactions on Software Engineering 48, 10 (2021), 4014--4040.
[44]
Sebastian Zimmeck and Steven M Bellovin. 2014. Privee: An architecture for automatically analyzing web privacy policies. In 23rd USENIX Security Symposium (USENIX Security 14). 1--16.
[45]
Sebastian Zimmeck, Ziqi Wang, Lieyong Zou, Roger Iyengar, Bin Liu, Florian Schaub, Shomir Wilson, Norman Sadeh, Steven Bellovin, and Joel Reidenberg. 2016. Automated analysis of privacy requirements for mobile apps. In 2016 AAAI Fall Symposium Series.
Index Terms
- Giving without Notifying: Assessing Compliance of Data Transmission in Android Apps
Recommendations
VioDroid-Finder: automated evaluation of compliance and consistency for Android apps
AbstractRapid growth in the variety and quantity of apps makes it difficult for users to protect their privacy, although existing regulations have been introduced and the Android ecosystem is constantly being improved, there are still violations as ...
Release practices for iOS and Android apps
WAMA 2019: Proceedings of the 3rd ACM SIGSOFT International Workshop on App Market AnalyticsWe conduct a preliminary study on the practices of releasing apps for the two major mobile platforms: iOS and Android. We select the most popular applications on the official stores, and we retrieve all the releases of such apps to understand how often ...
How Dangerous Permissions are Described in Android Apps' Privacy Policies?
SIN '18: Proceedings of the 11th International Conference on Security of Information and NetworksGoogle requires Android apps which handle users' personal data such as photos and contacts information to post a privacy policy which describes comprehensively how the app collects, uses and shares users' information. Unfortunately, while knowing why ...
Comments
Please enable JavaScript to view thecomments powered by Disqus.Information & Contributors
Information
Published In
October 2024
2587 pages
ISBN:9798400712487
DOI:10.1145/3691620
- General Chair:
- Vladimir Filkov,
- Program Co-chairs:
- Baishakhi Ray,
- Minghui Zhou
Copyright © 2024 Copyright is held by the owner/author(s). Publication rights licensed to ACM.
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].
Sponsors
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
Published: 27 October 2024
Check for updates
Author Tags
Qualifiers
- Research-article
Funding Sources
- National Natural Science Foundation of China
- National Key R&D Program of China
- Young Talent Fund of Association for Science and Technology in Shaanxi, China
Conference
ASE '24: 39th IEEE/ACM International Conference on Automated Software Engineering
October 27 - November 1, 2024
CA, Sacramento, USA
Acceptance Rates
Overall Acceptance Rate 82 of 337 submissions, 24%
Contributors
Other Metrics
Bibliometrics & Citations
Bibliometrics
Article Metrics
- 0Total Citations
- 39Total Downloads
- Downloads (Last 12 months)39
- Downloads (Last 6 weeks)39
Reflects downloads up to 12 Nov 2024
Other Metrics
Citations
View Options
Get Access
Login options
Check if you have access through your login credentials or your institution to get full access on this article.
Sign in