Toward a framework for detecting privacy policy violations in android application code

Proceedings - International Conference on Software Engineering

Volumn 14-22-May-2016, Issue , 2016, Pages 25-36

  Slavin, Rocky ^a   Wang, Xiaoyin ^a   Hosseini, Mitra Bokaei ^a   Hester, James ^b   Krishnan, Ram ^a   Bhatia, Jaspreet ^c   Breaux, Travis D ^c   Niu, Jianwei ^a  

^a UNIVERSITY OF TEXAS AT SAN ANTONIO   (United States)

^b UNIVERSITY OF TEXAS AT DALLAS   (United States)

^c CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Android Applications; Privacy Policies; Violation Detection

Indexed keywords

SOFTWARE ENGINEERING;

ANDROID APPLICATIONS; BUSINESS REQUIREMENT; EMPIRICAL EVALUATIONS; INFORMATION FLOW ANALYSIS; PERSONAL INFORMATION; PRIVACY POLICIES; SENSITIVE INFORMATIONS; VIOLATION DETECTIONS;

ANDROID (OPERATING SYSTEM);

EID: 84971455382     PISSN: 02705257     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2884781.2884855     Document Type: Conference Paper

References (42)

1. FTC report on Credit Karma and Fandango. https://www.ftc.gov/news-events/pressreleases/2014/03/fandango-credit-karmasettle-ftc-charges-they-deceivedconsumers, 2014
2. FTC report on Snapchat. https://www.ftc.gov/news-events/pressreleases/2014/06/ftc-testifiesgeolocation-privacy, 2014
3. Developer economics q1 2015: State of the developer nation. https://www.developereconomics.com/reports/developer-economics-q1-2015/, 2015
4. Permissions. https://developer.android.com/preview/features/runtime-permissions.html, 2015
5. Smartphone os market share, q1 2015. http://www.idc.com/prodserv/smartphoneos-market-share.jsp, 2015
6. S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein, Y. Le Traon, D. Octeau, and P. McDaniel. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In Proceedings of the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 259-269, 2014
7. K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. Pscout: Analyzing the android permission specification. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 217-228. ACM, 2012
8. E. Bello-Ogunu and M. Shehab. Permitme: integrating android permissioning support in the ide. In Proceedings of the 2014 Workshop on Eclipse Technology eXchange, pages 15-20. ACM, 2014
9. J. Bhatia and T. Breaux. Towards an information type lexicon for privacy policies. In 8th IEEE International Workshop on Requirements Engineering and Law (RELAW), pages 19-24, 2015
10. J. Bradshaw, A. Uszok, R. Jeffers, N. Suri, P. Hayes, M. Burstein, A. Acquisti, B. Benyo, M. Breedy, M. Carvalho, et al. Representation and reasoning for daml-based policy and domain services in kaos and nomads. In Proceedings of the second international joint conference on Autonomous agents and multiagent systems, pages 835-842. ACM, 2003
11. T. Breaux and F. Schaub. Scaling requirements extraction to the crowd: Experiments on privacy policies. In 22nd IEEE International Requirements Engineering Conference (RE'14), pages 163-172, 2014
12. T. D. Breaux, H. Hibshi, and A. Rao. Eddy, a formal language for specifying and analyzing data flow specifications for conflicting privacy requirements. Requirements Engineering, 19(3):281-307, 2014
13. H. Chen, F. Perich, T. Finin, and A. Joshi. Soupa: Standard ontology for ubiquitous and pervasive applications. In Mobile and Ubiquitous Systems: Networking and Services, 2004. MOBIQUITOUS 2004. The First Annual International Conference on, pages 258-267. IEEE, 2004
14. J. Cohen. A coefficient of agreement for nominal scales. Educational and Psychological Measurement, 20:37-46, 1960
15. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. Taintdroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI'10, pages 1-6, 2010
16. A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In Proceedings of the 18th ACM conference on Computer and communications security, pages 627-638. ACM, 2011
17. A. P. Fuchs, A. Chaudhuri, and J. S. Foster. Scandroid: Automated security certification of android applications. Manuscript, Univ. of Maryland, http://www.cs. umd.edu/avik/projects/scandroidascaa, 2(3), 2009
18. F. L. Gandon and N. M. Sadeh. Semantic web technologies to reconcile privacy and context awareness. Web Semantics: Science, Services and Agents on the World Wide Web, 1(3):241-260, 2004
19. J. Godfrey and C. Bernard. State of the app economy 2014. 2014
20. M. Grüninger and M. S. Fox. Methodology for the design and evaluation of ontologies. 1995
21. K. D. Harris. Privacy on the Go: Recommendations for the Mobile Ecosystem. 2013
22. L. Kagal, T. Finin, M. Paolucci, N. Srinivasan, K. Sycara, and G. Denker. Authorization and privacy for semantic web services. Intelligent Systems, IEEE, 19(4):50-56, 2004
23. P. G. Kelley, L. F. Cranor, and N. Sadeh. Privacy as part of the app decision-making process. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, pages 3393-3402. ACM, 2013
24. L. Lu, Z. Li, Z. Wu, W. Lee, and G. Jiang. Chex: Statically vetting android apps for component hijacking vulnerabilities. In Proceedings of the 2012 ACM Conference on Computer and Communications Security, pages 229-240, 2012
25. C. D. Manning, P. Raghavan, H. Schütze, et al. Introduction to information retrieval, volume 1. Cambridge university press Cambridge, 2008
26. S. Matsumoto and K. Sakurai. A proposal for the privacy leakage verification tool for android application developers. In Proceedings of the 7th International Conference on Ubiquitous Information Management and Communication, page 54. ACM, 2013
27. S. Papadopoulos and A. Popescu. Privacy awareness and user empowerment in online social networking settings. http://www.computer.org/web/computingnow/archive/january2015, 2015
28. G. Petronella. Analyzing Privacy of Android Apps. PhD thesis, Politecnico di Milano, 2014
29. S. Rasthofer, S. Arzt, and E. Bodden. A machine-learning approach for classifying and categorizing android sources and sinks. In 2014 Network and Distributed System Security Symposium (NDSS), 2014
30. J. R. Reidenberg, J. Bhatia, T. D. Breaux, and T. B. Norton. Automated comparisons of ambiguity in privacy policies and the impact of regulation. Journal of Legal Studies, 2016
31. J. R. Reidenberg, T. Breaux, L. F. Cranor, B. French, A. Grannis, J. T. Graves, F. Liu, A. M. McDonald, T. B. Norton, R. Ramanath, et al. Disagreeable privacy policies: Mismatches between meaning and usersŠ understanding. 2014
32. M. Rowan and J. Dehlinger. Encouraging privacy by design concepts with privacy policy auto-generation in eclipse (page). In Proceedings of the 2014 Workshop on Eclipse Technology eXchange, pages 9-14. ACM, 2014
33. J. Saldana. The Coding Manual for Qualitative Researchers. SAGE Publications, 2012
34. K. Tam, S. J. Khan, A. Fattori, and L. Cavallaro. Copperdroid: Automatic reconstruction of android malware behaviors. In 22nd Annual Network and Distributed System Security Symposium, 2015
35. A. Uszok, J. M. Bradshaw, J. Lott, M. Breedy, L. Bunch, P. Feltovich, M. Johnson, and H. Jung. New developments in ontology-based policy management: Increasing the practicality and comprehensiveness of kaos. In Policies for Distributed Systems and Networks, 2008. POLICY 2008. IEEE Workshop on, pages 145-152. IEEE, 2008
36. T. Vidas, N. Christin, and L. Cranor. Curbing android permission creep. In Proceedings of the Web, volume 2, 2011
37. S. Wadkar and T. Breaux. Towards an information ontology for personal privacy. Technical report
38. T. Warren. Google touts 1 billion active android users per month. http://www.theverge.com/2014/6/25/5841924/google-android-users-1-billionstats/, 2014
39. Z. Yang and M. Yang. Leakminer: Detect information leakage on android with static taint analysis. In Proceedings of the 2012 Third World Congress on Software Engineering, pages 101-104, 2012
40. R. Yin. Case Study Research: Design and Methods. SAGE Publications, 2013
41. Y. Zhang, M. Yang, B. Xu, Z. Yang, G. Gu, P. Ning, X. S. Wang, and B. Zang. Vetting undesirable behaviors in android apps with permission use analysis. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, pages 611-622. ACM, 2013
42. L. X. Zhao. Privacy sensitive resource access monitoring for android systems. Master's thesis, Rochester Institute of Technology, 2014.