GUILeak: Tracing Privacy Policy Claims on User Input Data for Android Applications

Title: GUILeak: Tracing Privacy Policy Claims on User Input Data for Android Applications
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Wang, Xiaoyin; Qin, Xue; Bokaei Hosseini, Mitra; Slavin, Rocky; Breaux, Travis D.; Niu, Jianwei
Conference Name: 2018 IEEE/ACM 40th International Conference on Software Engineering (ICSE)
Date Published: May
Keywords: Android application, Android applications, Android apps, Android ecosystem, Android mobile platform, Androids, app code, app producers, data privacy, graphical user interfaces, Human Behavior, Humanoid robots, Layout, mobile computing, Mobile privacy policy, Ontologies, privacy, privacy leaks detection, Privacy Policies, privacy policy alignment, privacy policy claims, privacy protection, privacy-relevant app categories, private information, pubcrawl, Scalability, user data collection, User input
Abstract: The Android mobile platform supports billions of devices across more than 190 countries around the world. This popularity coupled with user data collection by Android apps has made privacy protection a well-known challenge in the Android ecosystem. In practice, app producers provide privacy policies disclosing what information is collected and processed by the app. However, it is difficult to trace such claims to the corresponding app code to verify whether the implementation is consistent with the policy. Existing approaches for privacy policy alignment focus on information directly accessed through the Android platform (e.g., location and device ID), but are unable to handle user input, a major source of private information. In this paper, we propose a novel approach that automatically detects privacy leaks of user-entered data for a given Android app and determines whether such leakage may violate the app's privacy policy claims. For evaluation, we applied our approach to 120 popular apps from three privacy-relevant app categories: finance, health, and dating. The results show that our approach was able to detect 21 strong violations and 18 weak violations from the studied apps.
DOI: 10.1145/3180155.3180196
Citation Key: wang_guileak:_2018