
Matcha: An IDE Plugin for Creating Accurate Privacy Nutrition Labels (2402.03582v1)

Published 5 Feb 2024 in cs.HC and cs.CR

Abstract: Apple and Google introduced their versions of privacy nutrition labels to the mobile app stores to better inform users of the apps' data practices. However, these labels are self-reported by developers and have been found to contain many inaccuracies due to misunderstandings of the label taxonomy. In this work, we present Matcha, an IDE plugin that uses automated code analysis to help developers create accurate Google Play data safety labels. Developers can benefit from Matcha's ability to detect user data accesses and transmissions while staying in control of the generated label by adding custom Java annotations and modifying an auto-generated XML specification. Our evaluation with 12 developers showed that Matcha helped our participants improve the accuracy of a label they created with Google's official tool for a real-world app they developed. We found that participants preferred Matcha for its accuracy benefits. Drawing on Matcha, we discuss general design recommendations for developer tools used to create accurate standardized privacy notices.

