GUILeak: tracing privacy policy claims on user input data for Android applications

Author email: xiaoyin.wang@utsa.edu
Tool name: GUILeak
Description: The Android mobile platform supports billions of devices across more than 190 countries around the world. This popularity coupled with user data collection by Android apps has made privacy protection a well-known challenge in the Android ecosystem. In practice, app producers provide privacy policies disclosing what information is collected and processed by the app. However, it is difficult to trace such claims to the corresponding app code to verify whether the implementation is consistent with the policy. Existing approaches for privacy policy alignment focus on information directly accessed through the Android platform (e.g., location and device ID), but are unable to handle user input, a major source of private information. In this paper, we propose a novel approach that automatically detects privacy leaks of user-entered data for a given Android app and determines whether such leakage may violate the app's privacy policy claims. For evaluation, we applied our approach to 120 popular apps from three privacy-relevant app categories: finance, health, and dating. The results show that our approach was able to detect 21 strong violations and 18 weak violations from the studied apps.
Bibtex: @inproceedings{10.1145/3180155.3180196, author = {Wang, Xiaoyin and Qin, Xue and Hosseini, Mitra Bokaei and Slavin, Rocky and Breaux, Travis D. and Niu, Jianwei}, title = {GUILeak: Tracing Privacy Policy Claims on User Input Data for Android Applications}, year = {2018}, isbn = {9781450356381}, publisher = {Association for Computing Machinery}, address = {New York, NY, USA}, url = {https://doi.org/10.1145/3180155.3180196}, doi = {10.1145/3180155.3180196}, booktitle = {Proceedings of the 40th International Conference on Software Engineering}, pages = {37–47}, numpages = {11}, keywords = {user input, mobile privacy policy, Android application}, location = {Gothenburg, Sweden}, series = {ICSE ’18} }
Link to public pdf: https://dl.acm.org/doi/10.1145/3180155.3180196
Link to tool webpage: https://sites.google.com/site/uiprivacy2017/tool-prototypes
Link to demo: Not provided by authors
Category: None
Year and Conference: 2018, ICSE
Terms of use