Automated Analysis of Privacy Requirements for Mobile Apps

Sebastian Zimmeck, Ziqi Wang, Lieyong Zou, Roger Iyengar, Bin Liu, Florian Schaub, Shomir Wilson, Norman Sadeh, Steven M. Bellovin, Joel Reidenberg

Research output: Chapter in Book/Report/Conference proceeding › Chapter

Abstract

Mobile apps have to satisfy various privacy requirements. App publishers are often obligated to provide a privacy policy and notify users of their apps' privacy practices. But how can we tell whether an app behaves as its policy promises? In this study we introduce a scalable system to help analyze and predict Android apps' compliance with privacy requirements. Our system is not only intended for regulators and privacy activists, but also meant to assist app publishers and app store owners in their internal assessments of privacy requirement compliance. Our analysis of 17,991 free apps shows the viability of combining machine learning-based privacy policy analysis with static code analysis of apps. Results suggest that 71% of apps that lack a privacy policy should have one. Also, for 9,050 apps that have a policy, we find many instances of potential inconsistencies between what the app policy seems to state and what the code of the app appears to do. Our results suggest that as many as 41% of these apps could be collecting location information and 17% could be sharing such with third parties without disclosing so in their policies. Overall, it appears that each app exhibits a mean of 1.83 inconsistencies.
Original language: English (US)
Title of host publication: Proceedings 2017 Network and Distributed System Security Symposium
Place of Publication: Reston, VA
Publisher: Internet Society
ISBN (Print): 1-891562-46-0
DOIs: https://doi.org/10.14722/ndss.2017.23034
State: Published - 2017

Publication series

Name: Proceedings 2017 Network and Distributed System Security Symposium

Cite this

Zimmeck, S., Wang, Z., Zou, L., Iyengar, R., Liu, B., Schaub, F., ... Reidenberg, J. (2017). Automated Analysis of Privacy Requirements for Mobile Apps. In Proceedings 2017 Network and Distributed System Security Symposium (Proceedings 2017 Network and Distributed System Security Symposium). Reston, VA: Internet Society. https://doi.org/10.14722/ndss.2017.23034
Zimmeck, Sebastian ; Wang, Ziqi ; Zou, Lieyong ; Iyengar, Roger ; Liu, Bin ; Schaub, Florian ; Wilson, Shomir ; Sadeh, Norman ; Bellovin, Steven M. ; Reidenberg, Joel. / Automated Analysis of Privacy Requirements for Mobile Apps. Proceedings 2017 Network and Distributed System Security Symposium. Reston, VA : Internet Society, 2017. (Proceedings 2017 Network and Distributed System Security Symposium).
@inbook{494d8c0c71f14527a84d71f0228abf7c,
title = "Automated Analysis of Privacy Requirements for Mobile Apps",
abstract = "Mobile apps have to satisfy various privacy requirements. App publishers are often obligated to provide a privacy policy and notify users of their apps' privacy practices. But how can we tell whether an app behaves as its policy promises? In this study we introduce a scalable system to help analyze and predict Android apps' compliance with privacy requirements. Our system is not only intended for regulators and privacy activists, but also meant to assist app publishers and app store owners in their internal assessments of privacy requirement compliance. Our analysis of 17,991 free apps shows the viability of combining machine learning-based privacy policy analysis with static code analysis of apps. Results suggest that 71{\%} of apps that lack a privacy policy should have one. Also, for 9,050 apps that have a policy, we find many instances of potential inconsistencies between what the app policy seems to state and what the code of the app appears to do. Our results suggest that as many as 41{\%} of these apps could be collecting location information and 17{\%} could be sharing such with third parties without disclosing so in their policies. Overall, it appears that each app exhibits a mean of 1.83 inconsistencies.",
author = "Sebastian Zimmeck and Ziqi Wang and Lieyong Zou and Roger Iyengar and Bin Liu and Florian Schaub and Shomir Wilson and Norman Sadeh and Bellovin, {Steven M.} and Joel Reidenberg",
year = "2017",
doi = "10.14722/ndss.2017.23034",
language = "English (US)",
isbn = "1-891562-46-0",
series = "Proceedings 2017 Network and Distributed System Security Symposium",
publisher = "Internet Society",
booktitle = "Proceedings 2017 Network and Distributed System Security Symposium",
address = "Reston, VA",
}

Zimmeck, S, Wang, Z, Zou, L, Iyengar, R, Liu, B, Schaub, F, Wilson, S, Sadeh, N, Bellovin, SM & Reidenberg, J 2017, Automated Analysis of Privacy Requirements for Mobile Apps. in Proceedings 2017 Network and Distributed System Security Symposium. Proceedings 2017 Network and Distributed System Security Symposium, Internet Society, Reston, VA. https://doi.org/10.14722/ndss.2017.23034

Automated Analysis of Privacy Requirements for Mobile Apps. / Zimmeck, Sebastian; Wang, Ziqi; Zou, Lieyong; Iyengar, Roger; Liu, Bin; Schaub, Florian; Wilson, Shomir; Sadeh, Norman; Bellovin, Steven M.; Reidenberg, Joel.

Proceedings 2017 Network and Distributed System Security Symposium. Reston, VA : Internet Society, 2017. (Proceedings 2017 Network and Distributed System Security Symposium).

Research output: Chapter in Book/Report/Conference proceeding › Chapter

TY  - CHAP
T1  - Automated Analysis of Privacy Requirements for Mobile Apps
AU  - Zimmeck, Sebastian
AU  - Wang, Ziqi
AU  - Zou, Lieyong
AU  - Iyengar, Roger
AU  - Liu, Bin
AU  - Schaub, Florian
AU  - Wilson, Shomir
AU  - Sadeh, Norman
AU  - Bellovin, Steven M.
AU  - Reidenberg, Joel
PY  - 2017
Y1  - 2017
N2  - Mobile apps have to satisfy various privacy requirements. App publishers are often obligated to provide a privacy policy and notify users of their apps' privacy practices. But how can we tell whether an app behaves as its policy promises? In this study we introduce a scalable system to help analyze and predict Android apps' compliance with privacy requirements. Our system is not only intended for regulators and privacy activists, but also meant to assist app publishers and app store owners in their internal assessments of privacy requirement compliance. Our analysis of 17,991 free apps shows the viability of combining machine learning-based privacy policy analysis with static code analysis of apps. Results suggest that 71% of apps that lack a privacy policy should have one. Also, for 9,050 apps that have a policy, we find many instances of potential inconsistencies between what the app policy seems to state and what the code of the app appears to do. Our results suggest that as many as 41% of these apps could be collecting location information and 17% could be sharing such with third parties without disclosing so in their policies. Overall, it appears that each app exhibits a mean of 1.83 inconsistencies.
AB  - Mobile apps have to satisfy various privacy requirements. App publishers are often obligated to provide a privacy policy and notify users of their apps' privacy practices. But how can we tell whether an app behaves as its policy promises? In this study we introduce a scalable system to help analyze and predict Android apps' compliance with privacy requirements. Our system is not only intended for regulators and privacy activists, but also meant to assist app publishers and app store owners in their internal assessments of privacy requirement compliance. Our analysis of 17,991 free apps shows the viability of combining machine learning-based privacy policy analysis with static code analysis of apps. Results suggest that 71% of apps that lack a privacy policy should have one. Also, for 9,050 apps that have a policy, we find many instances of potential inconsistencies between what the app policy seems to state and what the code of the app appears to do. Our results suggest that as many as 41% of these apps could be collecting location information and 17% could be sharing such with third parties without disclosing so in their policies. Overall, it appears that each app exhibits a mean of 1.83 inconsistencies.
UR  - https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/automated-analysis-privacy-requirements-mobile-apps/
UR  - http://www.mendeley.com/research/automated-analysis-privacy-requirements-mobile-apps
U2  - 10.14722/ndss.2017.23034
DO  - 10.14722/ndss.2017.23034
M3  - Chapter
SN  - 1-891562-46-0
T3  - Proceedings 2017 Network and Distributed System Security Symposium
BT  - Proceedings 2017 Network and Distributed System Security Symposium
PB  - Internet Society
CY  - Reston, VA
ER  -

Zimmeck S, Wang Z, Zou L, Iyengar R, Liu B, Schaub F et al. Automated Analysis of Privacy Requirements for Mobile Apps. In Proceedings 2017 Network and Distributed System Security Symposium. Reston, VA: Internet Society. 2017. (Proceedings 2017 Network and Distributed System Security Symposium). https://doi.org/10.14722/ndss.2017.23034