Automated analysis of privacy requirements for mobile apps

Sebastian Zimmeck, Ziqi Wang, Lieyong Zou, Roger Iyengar, Bin Liu, Florian Schaub, Shomir Wilson, Norman Sadeh, Steven M. Bellovin, Joel Reidenberg

Research output: Chapter in Book/Report/Conference proceedingConference contribution

9 Scopus citations

Abstract

Mobile apps have to satisfy various privacy requirements. App publishers are often obligated to provide a privacy policy and notify users of their apps' privacy practices. But how can we tell whether an app behaves as its policy promises? In this study we introduce a scalable system to help analyze and predict Android apps' compliance with privacy requirements. Our system is not only intended for regulators and privacy activists, but also meant to assist app publishers and app store owners in their internal assessments of privacy requirement compliance.Our analysis of 17,991 free apps shows the viability of combining machine learning-based privacy policy analysis with static code analysis of apps. Results suggest that 71 % of apps that lack a privacy policy should have one. Also, for 9,050 apps that have a policy, we find many instances of potential inconsistencies between what the app policy seems to state and what the code of the app appears to do. Our results suggest that as many as 41 % of these apps could be collecting location information and 17% could be sharing such with third parties without disclosing so in their policies. Overall, it appears that each app exhibits a mean of 1.83 inconsistencies.

Original languageEnglish (US)
Title of host publicationFS-16-01
Subtitle of host publicationArtificial Intelligence for Human-Robot Interaction; FS-16-02: Cognitive Assistance in Government and Public Sector Applications; FS-16-03: Cross-Disciplinary Challenges for Autonomous Systems; FS-16-04: Privacy and Language Technologies; FS-16-05: Shared Autonomy in Research and Practice
PublisherAI Access Foundation
Pages286-296
Number of pages11
ISBN (Electronic)9781577357759
StatePublished - Jan 1 2016
Event2016 AAAI Fall Symposium - Arlington, United States
Duration: Nov 17 2016Nov 19 2016

Publication series

NameAAAI Fall Symposium - Technical Report
VolumeFS-16-01 - FS-16-05

Conference

Conference2016 AAAI Fall Symposium
CountryUnited States
CityArlington
Period11/17/1611/19/16

All Science Journal Classification (ASJC) codes

  • Engineering(all)

Fingerprint Dive into the research topics of 'Automated analysis of privacy requirements for mobile apps'. Together they form a unique fingerprint.

Cite this