Demystifying Privacy Policy of Third-Party Libraries in Mobile Apps
The privacy of personal information has received significant attention in mobile software. Although previous researchers have designed some methods to identify the conflict between app behavior and privacy policies, little is known about investigating regulation requirements for third-party libraries (TPLs). The regulators enacted multiple regulations to regulate the usage of personal information for TPLs (e.g., the “California Consumer Privacy Act” requires businesses to clearly notify consumers whether they share consumers’ data with third parties or not). However, it remains challenging to analyze the legality of TPLs for three reasons: 1) TPLs are mainly published on public repositories (e.g., Maven) instead of app markets (e.g., Google Play). The public repositories do not perform privacy compliance analysis for each TPL. 2) TPLs only provide independent functions or function sequences. They cannot run independently, which limits the application of dynamic analysis. 3) Since not all the functions of TPLs are related to users’ privacy, we must locate the functions of TPLs that access/process personal information before performing privacy compliance analysis. To overcome the above challenges, in this paper, we propose an automated system named ATPChecker to analyze whether the Android TPLs meet the privacy-related regulations or not. We construct a data set that contains 458 TPLs and 642 host apps. The privacy policies of 187 TPLs are collected and they are annotated with corpus labels. The privacy policies of all host apps are collected and 256 of them are manually annotated. Then, we analyze the bytecode of TPLs and host apps, design natural language processing systems to analyze privacy policies, and implement an expert system to identify the TPL usage-related regulation complaints. The experimental results show that 23% of TPLs violate regulation requirements for providing privacy policies. Over 37% of TPLs miss disclosing data usage in their privacy policies. Over 60% of host apps share user data with TPLs while 65% of those host apps miss disclosing interactions with TPLs. Our findings remind developers to be mindful of TPL usage when developing apps or writing privacy policies to avoid violating regulations.
Thu 18 May (displayed time zone: Hobart)
13:45 - 15:15 | Requirements engineering | DEMO - Demonstrations / Technical Track / NIER - New Ideas and Emerging Results / Showcase / Journal-First Papers / SEIP - Software Engineering in Practice | Meeting Room 105 | Chair(s): Luciano Baresi (Politecnico di Milano)

Time | Length | Type | Title | Track | Authors
13:45 | 15m | Talk | Demystifying Privacy Policy of Third-Party Libraries in Mobile Apps | Technical Track | Kaifa ZHAO (The Hong Kong Polytechnic University); Xian Zhan (The Hong Kong Polytechnic University); Le Yu (The Hong Kong Polytechnic University); Shiyao Zhou (The Hong Kong Polytechnic University); Hao Zhou (Department of Computing, The Hong Kong Polytechnic University, Hong Kong, China); Xiapu Luo (The Hong Kong Polytechnic University); Haoyu Wang (Huazhong University of Science and Technology); Yepang Liu (Southern University of Science and Technology)
14:00 | 15m | Talk | Cross-Domain Requirements Linking via Adversarial-based Domain Adaptation | Technical Track | Zhiyuan Chang (Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences); Mingyang Li (Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences); Qing Wang (Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences); Shoubin Li (Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences); Junjie Wang (Institute of Software at Chinese Academy of Sciences; University of Chinese Academy of Sciences)
14:15 | 15m | Talk | DocToModel: Automated Authoring of Models from Diverse Requirements Specification Documents | SEIP - Software Engineering in Practice | Asha Rajbhoj (TCS Research); Padmalata Nistala (TCS Research); Vinay Kulkarni (Tata Consultancy Services Research); Shivani Soni (TCS Research); Ajim Pathan (TCS Research)
14:30 | 15m | Talk | Environment-Driven Abstraction Identification for Requirements-Based Testing | Showcase | Zedong Peng; Prachi Rathod; Nan Niu (University of Cincinnati); Tanmay Bhowmik (Mississippi State University); Hui Liu (Beijing Institute of Technology); Lin Shi (ISCAS); Zhi Jin (Peking University)
14:45 | 7m | Talk | A Web-Based Tool for Using Storyboard of Android Apps | DEMO - Demonstrations |
14:52 | 7m | Talk | InputGen: A Tool for Automatic Generation of Prototype Inputs to Support Rapid Requirements Validation | DEMO - Demonstrations | Shuanglong Chang (Northeast Petroleum University); Juntao Gao (Northeast Petroleum University); Yilong Yang (Beihang University)
15:00 | 7m | Talk | A Software Requirements Ecosystem: Linking Forum, Issue Tracker, and FAQs for Requirements Management | Journal-First Papers | James Tizard (University of Auckland); Peter Devine (The University of Auckland); Hechen Wang (University of Auckland); Kelly Blincoe (University of Auckland)
15:07 | 7m | Talk | Towards Human-Centred Crowd Computing: Software for Better Use of Computational Resources | NIER - New Ideas and Emerging Results | Niroshinie Fernando (Deakin University); Chetan Arora (Monash University); Seng W.Loke (Deakin University); Lubna Alam (Deakin University); Stephen La Macchia (Deakin University); Helen Graesser (Deakin University)