Toward an Android Static Analysis Approach for Data Protection (2402.07889v1)

Published 12 Feb 2024 in cs.SE and cs.CR

Abstract: Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process. This paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis.
