Automated analysis of privacy requirements for mobile apps

Sebastian Zimmeck; Ziqi Wang; Lieyong Zou; Roger Iyengar; Bin Liu; Florian Schaub; Shomir Wilson; Norman Sadeh; Steven M. Bellovin; Joel Reidenberg

Automated analysis of privacy requirements for mobile apps

Sebastian Zimmeck, Ziqi Wang, Lieyong Zou, Roger Iyengar, Bin Liu, Florian Schaub, Shomir Wilson, Norman Sadeh, Steven M. Bellovin, Joel Reidenberg

College of Information Sciences and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

60 Scopus citations

Abstract

Mobile apps have to satisfy various privacy requirements. App publishers are often obligated to provide a privacy policy and notify users of their apps' privacy practices. But how can we tell whether an app behaves as its policy promises? In this study we introduce a scalable system to help analyze and predict Android apps' compliance with privacy requirements. Our system is not only intended for regulators and privacy activists, but also meant to assist app publishers and app store owners in their internal assessments of privacy requirement compliance.Our analysis of 17,991 free apps shows the viability of combining machine learning-based privacy policy analysis with static code analysis of apps. Results suggest that 71 % of apps that lack a privacy policy should have one. Also, for 9,050 apps that have a policy, we find many instances of potential inconsistencies between what the app policy seems to state and what the code of the app appears to do. Our results suggest that as many as 41 % of these apps could be collecting location information and 17% could be sharing such with third parties without disclosing so in their policies. Overall, it appears that each app exhibits a mean of 1.83 inconsistencies.

Original language	English (US)
Title of host publication	FS-16-01
Subtitle of host publication	Artificial Intelligence for Human-Robot Interaction; FS-16-02: Cognitive Assistance in Government and Public Sector Applications; FS-16-03: Cross-Disciplinary Challenges for Autonomous Systems; FS-16-04: Privacy and Language Technologies; FS-16-05: Shared Autonomy in Research and Practice
Publisher	AI Access Foundation
Pages	286-296
Number of pages	11
ISBN (Electronic)	9781577357759
State	Published - 2016
Event	2016 AAAI Fall Symposium - Arlington, United States Duration: Nov 17 2016 → Nov 19 2016

Publication series

Name	AAAI Fall Symposium - Technical Report
Volume	FS-16-01 - FS-16-05

Conference

Conference	2016 AAAI Fall Symposium
Country/Territory	United States
City	Arlington
Period	11/17/16 → 11/19/16

All Science Journal Classification (ASJC) codes

General Engineering

Cite this

Zimmeck, S., Wang, Z., Zou, L., Iyengar, R., Liu, B., Schaub, F., Wilson, S., Sadeh, N., Bellovin, S. M., & Reidenberg, J. (2016). Automated analysis of privacy requirements for mobile apps. In FS-16-01: Artificial Intelligence for Human-Robot Interaction; FS-16-02: Cognitive Assistance in Government and Public Sector Applications; FS-16-03: Cross-Disciplinary Challenges for Autonomous Systems; FS-16-04: Privacy and Language Technologies; FS-16-05: Shared Autonomy in Research and Practice (pp. 286-296). (AAAI Fall Symposium - Technical Report; Vol. FS-16-01 - FS-16-05). AI Access Foundation.

Zimmeck, Sebastian ; Wang, Ziqi ; Zou, Lieyong et al. / Automated analysis of privacy requirements for mobile apps. FS-16-01: Artificial Intelligence for Human-Robot Interaction; FS-16-02: Cognitive Assistance in Government and Public Sector Applications; FS-16-03: Cross-Disciplinary Challenges for Autonomous Systems; FS-16-04: Privacy and Language Technologies; FS-16-05: Shared Autonomy in Research and Practice. AI Access Foundation, 2016. pp. 286-296 (AAAI Fall Symposium - Technical Report).

@inproceedings{4ed28aec243246d58816f927860adf99,

title = "Automated analysis of privacy requirements for mobile apps",

abstract = "Mobile apps have to satisfy various privacy requirements. App publishers are often obligated to provide a privacy policy and notify users of their apps' privacy practices. But how can we tell whether an app behaves as its policy promises? In this study we introduce a scalable system to help analyze and predict Android apps' compliance with privacy requirements. Our system is not only intended for regulators and privacy activists, but also meant to assist app publishers and app store owners in their internal assessments of privacy requirement compliance.Our analysis of 17,991 free apps shows the viability of combining machine learning-based privacy policy analysis with static code analysis of apps. Results suggest that 71 % of apps that lack a privacy policy should have one. Also, for 9,050 apps that have a policy, we find many instances of potential inconsistencies between what the app policy seems to state and what the code of the app appears to do. Our results suggest that as many as 41 % of these apps could be collecting location information and 17% could be sharing such with third parties without disclosing so in their policies. Overall, it appears that each app exhibits a mean of 1.83 inconsistencies.",

author = "Sebastian Zimmeck and Ziqi Wang and Lieyong Zou and Roger Iyengar and Bin Liu and Florian Schaub and Shomir Wilson and Norman Sadeh and Bellovin, {Steven M.} and Joel Reidenberg",

note = "Publisher Copyright: Copyright {\textcopyright} 2016, Association for the Advancement of Artificial Intelligence (www.aaai.org). All rights reserved.; 2016 AAAI Fall Symposium ; Conference date: 17-11-2016 Through 19-11-2016",

year = "2016",

language = "English (US)",

series = "AAAI Fall Symposium - Technical Report",

publisher = "AI Access Foundation",

pages = "286--296",

booktitle = "FS-16-01",

address = "United States",

}

Zimmeck, S, Wang, Z, Zou, L, Iyengar, R, Liu, B, Schaub, F, Wilson, S, Sadeh, N, Bellovin, SM & Reidenberg, J 2016, Automated analysis of privacy requirements for mobile apps. in FS-16-01: Artificial Intelligence for Human-Robot Interaction; FS-16-02: Cognitive Assistance in Government and Public Sector Applications; FS-16-03: Cross-Disciplinary Challenges for Autonomous Systems; FS-16-04: Privacy and Language Technologies; FS-16-05: Shared Autonomy in Research and Practice. AAAI Fall Symposium - Technical Report, vol. FS-16-01 - FS-16-05, AI Access Foundation, pp. 286-296, 2016 AAAI Fall Symposium, Arlington, United States, 11/17/16.

Automated analysis of privacy requirements for mobile apps. / Zimmeck, Sebastian; Wang, Ziqi; Zou, Lieyong et al.
FS-16-01: Artificial Intelligence for Human-Robot Interaction; FS-16-02: Cognitive Assistance in Government and Public Sector Applications; FS-16-03: Cross-Disciplinary Challenges for Autonomous Systems; FS-16-04: Privacy and Language Technologies; FS-16-05: Shared Autonomy in Research and Practice. AI Access Foundation, 2016. p. 286-296 (AAAI Fall Symposium - Technical Report; Vol. FS-16-01 - FS-16-05).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Automated analysis of privacy requirements for mobile apps

AU - Zimmeck, Sebastian

AU - Wang, Ziqi

AU - Zou, Lieyong

AU - Iyengar, Roger

AU - Liu, Bin

AU - Schaub, Florian

AU - Wilson, Shomir

AU - Sadeh, Norman

AU - Bellovin, Steven M.

AU - Reidenberg, Joel

PY - 2016

Y1 - 2016

N2 - Mobile apps have to satisfy various privacy requirements. App publishers are often obligated to provide a privacy policy and notify users of their apps' privacy practices. But how can we tell whether an app behaves as its policy promises? In this study we introduce a scalable system to help analyze and predict Android apps' compliance with privacy requirements. Our system is not only intended for regulators and privacy activists, but also meant to assist app publishers and app store owners in their internal assessments of privacy requirement compliance.Our analysis of 17,991 free apps shows the viability of combining machine learning-based privacy policy analysis with static code analysis of apps. Results suggest that 71 % of apps that lack a privacy policy should have one. Also, for 9,050 apps that have a policy, we find many instances of potential inconsistencies between what the app policy seems to state and what the code of the app appears to do. Our results suggest that as many as 41 % of these apps could be collecting location information and 17% could be sharing such with third parties without disclosing so in their policies. Overall, it appears that each app exhibits a mean of 1.83 inconsistencies.

AB - Mobile apps have to satisfy various privacy requirements. App publishers are often obligated to provide a privacy policy and notify users of their apps' privacy practices. But how can we tell whether an app behaves as its policy promises? In this study we introduce a scalable system to help analyze and predict Android apps' compliance with privacy requirements. Our system is not only intended for regulators and privacy activists, but also meant to assist app publishers and app store owners in their internal assessments of privacy requirement compliance.Our analysis of 17,991 free apps shows the viability of combining machine learning-based privacy policy analysis with static code analysis of apps. Results suggest that 71 % of apps that lack a privacy policy should have one. Also, for 9,050 apps that have a policy, we find many instances of potential inconsistencies between what the app policy seems to state and what the code of the app appears to do. Our results suggest that as many as 41 % of these apps could be collecting location information and 17% could be sharing such with third parties without disclosing so in their policies. Overall, it appears that each app exhibits a mean of 1.83 inconsistencies.

UR - http://www.scopus.com/inward/record.url?scp=85025824519&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85025824519&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85025824519

T3 - AAAI Fall Symposium - Technical Report

SP - 286

EP - 296

BT - FS-16-01

PB - AI Access Foundation

T2 - 2016 AAAI Fall Symposium

Y2 - 17 November 2016 through 19 November 2016

ER -

Zimmeck S, Wang Z, Zou L, Iyengar R, Liu B, Schaub F et al. Automated analysis of privacy requirements for mobile apps. In FS-16-01: Artificial Intelligence for Human-Robot Interaction; FS-16-02: Cognitive Assistance in Government and Public Sector Applications; FS-16-03: Cross-Disciplinary Challenges for Autonomous Systems; FS-16-04: Privacy and Language Technologies; FS-16-05: Shared Autonomy in Research and Practice. AI Access Foundation. 2016. p. 286-296. (AAAI Fall Symposium - Technical Report).

Automated analysis of privacy requirements for mobile apps

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Other files and links

Fingerprint

Cite this