Research and Implementation of Consistency Detection and Generation Technology for Privacy Policy of Android Apps

Posted on: 2019-07-23
Degree: Master
Type: Thesis
Country: China
Candidate: J Y Wang
GTID: 2348330545462532
Subject: Computer Science and Technology

Abstract/Summary:
Mobile apps frequently request access to sensitive information. Google, the designer of Android, recommends that developers publish a privacy policy document when uploading an app, so that users are aware of how their private information is used and their privacy is better protected. Recent work has shown that there is a huge gap between app behavior and the privacy policy, so many research studies focus on detecting inconsistencies between the two. However, most of them rely only on static analysis and use a white-list to identify third-party libraries, which is inaccurate and incomplete. In addition, without knowledge of the actual sensitive behavior between the app and third parties, it is hard to guarantee the accuracy of what is published.

This thesis proposes an automated detection tool that checks whether an app's privacy policy document is consistent with the app's behavior and generates an accurate privacy policy. First, an improved semantic analysis approach extracts the sensitive behavior declared in the privacy policy. Then, both static analysis and dynamic analysis are used to analyze the sensitive behavior of the mobile app. In addition, a multi-level clustering-based approach identifies the third-party libraries used in the app, which is more accurate than the traditional white-list-based approach. Finally, the tool generates the privacy policy and performs consistency detection between the statements of the privacy policy and the analysis of the privacy permissions in the code.

In an experiment on 455 apps, the tool accurately extracted 94.75% of the privacy information in the privacy policy statements. The experimental results show that roughly 50% of the apps have inaccuracies between app behavior and privacy policy.
Keywords/Search Tags:mobile apps, privacy policy, static analysis, dynamic analysis, the third party