DOI: 10.1145/3180155.3180196
Research article, public access

GUILeak: tracing privacy policy claims on user input data for Android applications

Published: 27 May 2018

Abstract

The Android mobile platform supports billions of devices across more than 190 countries around the world. This popularity coupled with user data collection by Android apps has made privacy protection a well-known challenge in the Android ecosystem. In practice, app producers provide privacy policies disclosing what information is collected and processed by the app. However, it is difficult to trace such claims to the corresponding app code to verify whether the implementation is consistent with the policy. Existing approaches for privacy policy alignment focus on information directly accessed through the Android platform (e.g., location and device ID), but are unable to handle user input, a major source of private information. In this paper, we propose a novel approach that automatically detects privacy leaks of user-entered data for a given Android app and determines whether such leakage may violate the app's privacy policy claims. For evaluation, we applied our approach to 120 popular apps from three privacy-relevant app categories: finance, health, and dating. The results show that our approach was able to detect 21 strong violations and 18 weak violations from the studied apps.

Published In

ICSE '18: Proceedings of the 40th International Conference on Software Engineering
May 2018, 1307 pages
ISBN: 9781450356381
DOI: 10.1145/3180155
Conference Chair: Michel Chaudron
General Chair: Ivica Crnkovic
Program Chairs: Marsha Chechik, Mark Harman
Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

1. Android application
2. mobile privacy policy
3. user input

Conference: ICSE '18
Overall Acceptance Rate: 276 of 1,856 submissions, 15%

Cited By

• (2024) iHunter. Proceedings of the 33rd USENIX Conference on Security Symposium, 5663-5680. DOI: 10.5555/3698900.3699217. Online publication date: 14-Aug-2024
• (2024) A Systematic Review of Privacy Policy Literature. ACM Computing Surveys 57:2, 1-43. DOI: 10.1145/3698393. Online publication date: 1-Oct-2024
• (2024) Advancing Android Privacy Assessments with Automation. Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops, 218-222. DOI: 10.1145/3691621.3694953. Online publication date: 27-Oct-2024
• (2024) Do Android App Developers Accurately Report Collection of Privacy-Related Data? Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops, 176-186. DOI: 10.1145/3691621.3694949. Online publication date: 27-Oct-2024
• (2024) Enhancing Transparency and Accountability of TPLs with PBOM: A Privacy Bill of Materials. Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 1-11. DOI: 10.1145/3689944.3696159. Online publication date: 19-Nov-2024
• (2024) Automated End-to-End Dynamic Taint Analysis for WhatsApp. Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering, 21-26. DOI: 10.1145/3663529.3663824. Online publication date: 10-Jul-2024
• (2024) Understanding Legal Professionals' Practices and Expectations in Data Breach Incident Reporting. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 2711-2725. DOI: 10.1145/3658644.3690357. Online publication date: 2-Dec-2024
• (2024) Measuring Compliance Implications of Third-party Libraries' Privacy Label Disclosure Guidelines. Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security, 1641-1655. DOI: 10.1145/3658644.3670371. Online publication date: 2-Dec-2024
• (2024) Are Your Requests Your True Needs? Checking Excessive Data Collection in VPA App. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 1-12. DOI: 10.1145/3597503.3639107. Online publication date: 20-May-2024
• (2024) Don't Bite Off More than You Can Chew: Investigating Excessive Permission Requests in Trigger-Action Integrations. Proceedings of the ACM Web Conference 2024, 3106-3116. DOI: 10.1145/3589334.3645721. Online publication date: 13-May-2024
