| Android apps frequently access personal information to provide customized services. Since such information is generally sensitive, regulators increasingly require Android app developers to provide privacy policies that declare what information is collected and why it is collected. Some existing research examines inconsistencies between privacy policies and app behavior. However, this research focuses on the inconsistency of data collection behavior in privacy policies and rarely involves consistency checking of the entity. Therefore, this paper mainly focuses on checking the consistency of privacy policy and source code with respect to personal data sharing. The specific work includes: (1) To address the shortcomings of existing methods, this paper proposes an automated method based on an entity-sensitive consistency checking strategy to detect whether the claims of third-party data collection in privacy policies are consistent with the actual behavior of apps. The basic idea is to make the comparison possible by translating both the natural language of the privacy policy and the programming language of the source code into a logical language of the same dimension. (2) Based on the entity-sensitive consistency checking strategy, a prototype tool, PTPDroid, is implemented in this paper. PTPDroid consists of four modules: the ontology and mapping establishment module, the privacy policy analysis module, the static analysis module and the consistency checking module. The ontology and mapping establishment module is mainly responsible for building the environment for consistency checking. The privacy policy analysis module is mainly used to extract the statements in privacy policies that describe third parties collecting information. The static analysis module is mainly used to extract the data flows in code through which third parties collect information. The consistency checking module is mainly used to compare the results of the privacy policy analysis module and the static analysis module. (3) This paper evaluates the number of data flows in which users' private data is collected by third parties, comparing PTPDroid with existing tools. The experimental results show that PTPDroid is more effective than existing tools in detecting data flows sent to third parties. In addition, this paper tests 1000 business apps on Google Play and finds that inconsistency between data sharing statements in privacy policies and the actual behavior of apps is common in practice. |
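An illustration of the entity-sensitive check described in the abstract, added here and not taken from PTPDroid: it shows a flow whose data type is disclosed but whose recipient is not. The ontologies, host names, policy statements, flows and the tuple representation are all constructed assumptions.

```python
# Added illustration, not PTPDroid code. All names and data are constructed.
DATA_ONTOLOGY = {            # child -> parent (assumed hierarchy)
    "gps location": "location",
    "location": "personal information",
    "advertising id": "device identifier",
    "device identifier": "personal information",
}
ENTITY_ONTOLOGY = {          # child -> parent (assumed hierarchy)
    "exampleads": "advertising network",
    "examplemetrics": "analytics provider",
    "advertising network": "third party",
    "analytics provider": "third party",
}
DOMAIN_TO_ENTITY = {         # destination host -> entity (assumed mapping)
    "ads.exampleads.test": "exampleads",
    "collect.examplemetrics.test": "examplemetrics",
}

def subsumes(general, specific, ontology):
    """True if `general` equals `specific` or is one of its ancestors."""
    node = specific
    while node is not None:
        if node == general:
            return True
        node = ontology.get(node)
    return False

def check_flow(flow, policy):
    """Classify one (data, host) flow against (entity, data) policy statements."""
    data, host = flow
    entity = DOMAIN_TO_ENTITY.get(host)
    if entity is None:
        return "unknown-entity"          # host not mapped to any third party
    covering = [(e, d) for e, d in policy if subsumes(d, data, DATA_ONTOLOGY)]
    if not covering:
        return "undisclosed-data"        # an entity-insensitive check stops here
    if any(subsumes(e, entity, ENTITY_ONTOLOGY) for e, _ in covering):
        return "consistent"
    return "undisclosed-entity"          # data disclosed, but not for this recipient

# Constructed policy statements: (receiving entity, data type).
POLICY = [("advertising network", "location"),
          ("analytics provider", "device identifier")]
# Constructed flows as a static analysis might report them: (data, destination host).
FLOWS = [("gps location", "ads.exampleads.test"),
         ("gps location", "collect.examplemetrics.test"),
         ("advertising id", "collect.examplemetrics.test"),
         ("contacts", "ads.exampleads.test")]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow, "->", check_flow(flow, POLICY))
```

The second flow is the case an entity-insensitive comparison would accept: location sharing is declared, but only for advertising networks, not for the analytics provider that receives it.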