DOI: 10.1145/2884781.2884855

Toward a framework for detecting privacy policy violations in android application code

Published: 14 May 2016

ABSTRACT

Mobile applications frequently access sensitive personal information to meet user or business requirements. Because such information is sensitive in general, regulators increasingly require mobile-app developers to publish privacy policies that describe what information is collected. Furthermore, regulators have fined companies when these policies are inconsistent with the actual data practices of mobile apps. To help mobile-app developers check their privacy policies against their apps' code for consistency, we propose a semi-automated framework that consists of a policy terminology-API method map that links policy phrases to API methods that produce sensitive information, and information flow analysis to detect misalignments. We present an implementation of our framework based on a privacy-policy-phrase ontology and a collection of mappings from API methods to policy phrases. Our empirical evaluation on 477 top Android apps discovered 341 potential privacy policy violations.


      • Published in

        ICSE '16: Proceedings of the 38th International Conference on Software Engineering
        May 2016
        1235 pages
        ISBN: 9781450339001
        DOI: 10.1145/2884781

        Copyright © 2016 ACM


        Publisher

        Association for Computing Machinery

        New York, NY, United States


        Acceptance Rates

        Overall Acceptance Rate: 276 of 1,856 submissions, 15%
