Toward a Framework for Detecting Privacy Policy Violations in Android Application Code

2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE) Pub Date : 2016-05-14 DOI:10.1145/2884781.2884855

Rocky Slavin, Xiaoyin Wang, M. Hosseini, James Hester, R. Krishnan, Jaspreet Bhatia, T. Breaux, Jianwei Niu

{"title":"Toward a Framework for Detecting Privacy Policy Violations in Android Application Code","authors":"Rocky Slavin, Xiaoyin Wang, M. Hosseini, James Hester, R. Krishnan, Jaspreet Bhatia, T. Breaux, Jianwei Niu","doi":"10.1145/2884781.2884855","DOIUrl":null,"url":null,"abstract":"Mobile applications frequently access sensitive personal informa- tion to meet user or business requirements. Because such informa- tion is sensitive in general, regulators increasingly require mobile- app developers to publish privacy policies that describe what infor- mation is collected. Furthermore, regulators have fined companies when these policies are inconsistent with the actual data practices of mobile apps. To help mobile-app developers check their pri- vacy policies against their apps’ code for consistency, we propose a semi-automated framework that consists of a policy terminology- API method map that links policy phrases to API methods that pro- duce sensitive information, and information flow analysis to detect misalignments. We present an implementation of our framework based on a privacy-policy-phrase ontology and a collection of map- pings from API methods to policy phrases. Our empirical eval- uation on 477 top Android apps discovered 341 potential privacy policy violations.","PeriodicalId":6485,"journal":{"name":"2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE)","volume":"20 1","pages":"25-36"},"PeriodicalIF":0.0000,"publicationDate":"2016-05-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"162","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2884781.2884855","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 162

Abstract

Mobile applications frequently access sensitive personal informa- tion to meet user or business requirements. Because such informa- tion is sensitive in general, regulators increasingly require mobile- app developers to publish privacy policies that describe what infor- mation is collected. Furthermore, regulators have fined companies when these policies are inconsistent with the actual data practices of mobile apps. To help mobile-app developers check their pri- vacy policies against their apps’ code for consistency, we propose a semi-automated framework that consists of a policy terminology- API method map that links policy phrases to API methods that pro- duce sensitive information, and information flow analysis to detect misalignments. We present an implementation of our framework based on a privacy-policy-phrase ontology and a collection of map- pings from API methods to policy phrases. Our empirical eval- uation on 477 top Android apps discovered 341 potential privacy policy violations.

查看原文本刊更多论文

在Android应用程序代码中检测违反隐私政策的框架

移动应用程序经常访问敏感的个人信息，以满足用户或业务需求。由于这些信息通常是敏感的，监管机构越来越多地要求移动应用程序开发商发布隐私政策，描述收集的信息。此外，当这些政策与移动应用程序的实际数据实践不一致时，监管机构会对公司进行罚款。为了帮助移动应用程序开发人员根据其应用程序代码检查其隐私策略的一致性，我们提出了一个半自动化框架，该框架由策略术语- API方法映射(将策略短语链接到产生敏感信息的API方法)和信息流分析(检测不一致)组成。我们提出了一个基于隐私策略短语本体和API方法到策略短语映射集合的框架实现。我们对477款最受欢迎的安卓应用进行了实证评估，发现了341款可能违反隐私政策的应用。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE)

自引率

0.00%

发文量