A framework to detect "device related" data collection violations of android apps
Abstract
Android apps are among the widely used applications on smartphones. They provide privacy policies to inform users about how information is processed during application usage. In these policies, Android apps claim to collect both personal data, such as name, email and credit card number, and non-personal or device-related data, such as IP address, operating system and MAC address. Non-personal or device-related data provide sensitive information about the user's location, operating system configuration and device identifiers such as MAC or IP address, and pose a greater threat of privacy violations to users. However, the lack of mechanisms to check whether an app's device-related data collection is consistent with its privacy policy makes it difficult for app developers to ensure that the implementation does not violate the policy. In this research, a framework has been developed to help developers detect violations of privacy policies in an app's implementation. The framework is designed as a plugin for IntelliJ IDEA, which is the official Integrated Development Environment (IDE) for professional Android app development. The plugin, named "PrivacyPlugin", bridges the gap between privacy policy and source code implementation from the developer's perspective. It takes the "device related" data collection statements of a privacy policy as input and analyzes them to generate a list of related APIs. It also examines the source code of an app to generate the list of APIs used for static method calls, and compares the two generated lists to detect unauthorized APIs that constitute violations. Based on the violation results, the plugin also suggests device-related phrases or keywords to be included in the privacy policy. The plugin's performance is evaluated through unit and function testing with proper test plans and test cases.
To summarize, "PrivacyPlugin" gives developers an analysis of "device related" data collection violations in Android apps, together with suggestions for the "device related" phrases or keywords that must be included in privacy policies to avoid violations.
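
The policy-to-API comparison described in the abstract, as an added sketch that is not PrivacyPlugin's code. The phrase-to-API table, the regex-based scan, the function names and the sample policy and Java source are all constructed for illustration; the scan resolves only simple `Type var` declarations and misses chained calls.

```python
import re

# Assumed phrase -> Android API table (illustrative; the thesis's own mapping is not on this page).
PHRASE_TO_APIS = {
    "mac address": {"WifiInfo.getMacAddress"},
    "ip address": {"WifiInfo.getIpAddress"},
    "operating system": {"Build.VERSION.RELEASE", "Build.VERSION.SDK_INT"},
    "device identifier": {"TelephonyManager.getDeviceId", "Settings.Secure.getString"},
    "location": {"LocationManager.getLastKnownLocation"},
}
API_TO_PHRASE = {api: p for p, apis in PHRASE_TO_APIS.items() for api in apis}

DECL = re.compile(r"\b([A-Z]\w*)\s+([a-z]\w*)\s*(?==|;)")  # "WifiInfo wifi ="
USE = re.compile(r"\b([A-Za-z_][\w.]*)\.(\w+)\b")          # "wifi.getMacAddress"

def apis_allowed(policy):
    """APIs covered by the device-related phrases found in the policy text."""
    text = policy.lower()
    return set().union(*(a for p, a in PHRASE_TO_APIS.items() if p in text))

def apis_used(java_src):
    """Sensitive APIs referenced in the source, with comments ignored."""
    src = re.sub(r"//[^\n]*|/\*.*?\*/", "", java_src, flags=re.S)
    var_type = {name: typ for typ, name in DECL.findall(src)}
    used = set()
    for recv, member in USE.findall(src):
        # Resolve a local variable to its declared type; otherwise keep the receiver.
        candidate = f"{var_type.get(recv, recv)}.{member}"
        if candidate in API_TO_PHRASE:
            used.add(candidate)
    return used

def check(policy, java_src):
    """Return (undisclosed APIs, phrases to add to the policy)."""
    violations = apis_used(java_src) - apis_allowed(policy)
    return sorted(violations), sorted({API_TO_PHRASE[a] for a in violations})

# Constructed sample inputs.
POLICY = "We collect your device's MAC address and operating system version."
SOURCE = """
WifiInfo wifi = wifiManager.getConnectionInfo();
String mac = wifi.getMacAddress();
// String ip = wifi.getIpAddress();
String os = Build.VERSION.RELEASE;
TelephonyManager tm = (TelephonyManager) ctx.getSystemService(Context.TELEPHONY_SERVICE);
String id = tm.getDeviceId();
"""

if __name__ == "__main__":
    print(check(POLICY, SOURCE))
```
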