GDPR Compliance Assessment for Cross-Border Personal Data Transfers in Android Apps

The pervasiveness of Android mobile applications and the services they support allow the personal data of individuals to be collected and shared worldwide. However, data protection legislations usually require all participants in a personal data flow to ensure an equivalent level of personal data protection, regardless of location. In particular, the European General Data Protection Regulation constrains cross-border transfers of personal data to non-EU countries and establishes specific requirements to carry them out. This article presents a method to systematically assess compliance of Android mobile apps with the requirements for cross-border transfers established by the European data protection regulation. We have validated the method with one hundred Android apps, finding an outstanding 66% of ambiguous, inconsistent and omitted cross-border transfer disclosures.

[1]  Pietro Ferrara,et al.  Static Analysis for GDPR Compliance , 2018, ITASEC.

[2]  Ziqi Wang,et al.  Natural Language Processing for Mobile App Privacy Compliance , 2019 .

[3]  J. Borges,et al.  A TAXONOMY OF PRIVACY , 2006 .

[4]  Rajesh Krishna Balan,et al.  Graph-Aided Directed Testing of Android Applications for Checking Runtime Privacy Behaviours , 2016, 2016 IEEE/ACM 11th International Workshop in Automation of Software Test (AST).

[5]  Alireza Sadeghi,et al.  A Taxonomy and Qualitative Comparison of Program Analysis Techniques for Security Assessment of Android Software , 2017, IEEE Transactions on Software Engineering.

[6]  Narseo Vallina-Rodriguez,et al.  An Analysis of Pre-installed Android Software , 2019, 2020 IEEE Symposium on Security and Privacy (SP).

[7]  Paolina Centonze,et al.  Labyrinth: Visually Configurable Data-Leakage Detection in Mobile Applications , 2015, 2015 16th IEEE International Conference on Mobile Data Management.

[8]  Degang Sun,et al.  Secure HybridApp: A detection method on the risk of privacy leakage in HTML5 hybrid applications based on dynamic taint tracking , 2016, 2016 2nd IEEE International Conference on Computer and Communications (ICCC).

[9]  David Chenho Kung,et al.  Dexteroid: Detecting malicious behaviors in Android apps using reverse-engineered life cycle models , 2015, Comput. Secur..

[10]  Awais Rashid,et al.  Skip, Skip, Skip, Accept!!!: A Study on the Usability of Smartphone Manufacturer Provided Default Features and User Privacy , 2019, Proc. Priv. Enhancing Technol..

[11]  Michael R. Lyu,et al.  SpyAware: Investigating the privacy leakage signatures in app execution traces , 2015, 2015 IEEE 26th International Symposium on Software Reliability Engineering (ISSRE).

[12]  Juan C. Yelmo,et al.  Reusable Elements for the Systematic Design of Privacy-Friendly Information Systems: A Mapping Study , 2019, IEEE Access.

[13]  Peder Lind Mangset Analysis of Mobile Application's Compliance with the General Data Protection Regulation (GDPR) , 2018 .

[14]  Yanick Fratantonio,et al.  ANDRUBIS -- 1,000,000 Apps Later: A View on Current Android Malware Behaviors , 2014, 2014 Third International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS).

[15]  Narseo Vallina-Rodriguez,et al.  Studying TLS Usage in Android Apps , 2017, CoNEXT.

[16]  Alessandra Gorla,et al.  Automated Test Input Generation for Android: Are We There Yet? (E) , 2015, 2015 30th IEEE/ACM International Conference on Automated Software Engineering (ASE).

[17]  Nikolay Mehandjiev,et al.  A Comparative Study of Android and iOS Mobile Applications' Data Handling Practices Versus Compliance to Privacy Policy , 2017, Privacy and Identity Management.

[18]  Norman M. Sadeh,et al.  MAPS: Scaling Privacy Compliance Analysis to a Million Apps , 2019, Proc. Priv. Enhancing Technol..

[19]  Danny S. Guamán,et al.  A Systematic Mapping Study on Software Quality Control Techniques for Assessing Privacy in Information Systems , 2020, IEEE Access.

[20]  Lorrie Faith Cranor,et al.  Disagreeable Privacy Policies: Mismatches between Meaning and Users’ Understanding , 2014 .

[21]  José M. del Álamo,et al.  Value-Based Core Areas of Trustworthiness in Online Services , 2019, IFIPTM.

[22]  Lorrie Faith Cranor,et al.  The Privacy and Security Behaviors of Smartphone App Developers , 2014 .

[23]  Timothy Libert,et al.  An Automated Approach to Auditing Disclosure of Third-Party Data Collection in Website Privacy Policies , 2018, WWW.

[24]  Sencun Zhu,et al.  Alde: Privacy Risk Analysis of Analytics Libraries in the Android Ecosystem , 2016, SecureComm.

[25]  Johnny Saldaña,et al.  The Coding Manual for Qualitative Researchers , 2009 .

[26]  Haojin Zhu,et al.  Who Leaks My Privacy: Towards Automatic and Association Detection with GDPR Compliance , 2019, WASA.

[27]  William Enck,et al.  Actions Speak Louder than Words: Entity-Sensitive Privacy Policy and Data Flow Analysis with PoliCheck , 2020, USENIX Security Symposium.

[28]  Seda F. Gürses Can you engineer privacy? , 2014, CACM.

[29]  Yang Wang,et al.  Nudges for Privacy and Security , 2017, ACM Comput. Surv..

[30]  Narseo Vallina-Rodriguez,et al.  Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem , 2018, NDSS.

[31]  Iulian Neamtiu,et al.  On the Effectiveness of Random Testing for Android: Or How I Learned to Stop Worrying and Love the Monkey , 2018, 2018 IEEE/ACM 13th International Workshop on Automation of Software Test (AST).

[32]  Jun Zhao,et al.  Third Party Tracking in the Mobile Ecosystem , 2018, WebSci.

[33]  Agostino Cortesi,et al.  DAPA: Degradation-Aware Privacy Analysis of Android Apps , 2016, STM.

[34]  Thomas Schreck,et al.  Mobile-sandbox: having a deeper look into android applications , 2013, SAC '13.

[35]  H. Nissenbaum Privacy as contextual integrity , 2004 .

[36]  Yang Liu,et al.  An Empirical Evaluation of GDPR Compliance Violations in Android mHealth Apps , 2020, 2020 IEEE 31st International Symposium on Software Reliability Engineering (ISSRE).

[37]  Narseo Vallina-Rodriguez,et al.  “Won’t Somebody Think of the Children?” Examining COPPA Compliance at Scale , 2018, Proc. Priv. Enhancing Technol..

[38]  Enhong Chen,et al.  Characterizing Privacy Risks of Mobile Apps with Sensitivity Analysis , 2018, IEEE Transactions on Mobile Computing.

[39]  Anderson Santana de Oliveira,et al.  Analyzing Remote Server Locations for Personal Data Transfers in Mobile Apps , 2017, Proc. Priv. Enhancing Technol..

[40]  Shinsaku Kiyomoto,et al.  PrivacyGuide: Towards an Implementation of the EU GDPR on Internet Privacy Policy Evaluation , 2018, IWSPA@CODASPY.

[41]  Sahin Albayrak,et al.  Using static analysis for automatic assessment and mitigation of unwanted and malicious activities within Android applications , 2011, 2011 6th International Conference on Malicious and Unwanted Software.

[42]  Agustí Verde Parera,et al.  General data protection regulation , 2018 .

[43]  Golden G. Richard,et al.  AspectDroid: Android App Analysis System , 2016, CODASPY.

[44]  Rui Dai,et al.  Analyzing HTTP-Based Information Exfiltration of Malicious Android Applications , 2018, 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE).

[45]  F. Dean,et al.  Better the devil you know , 2003 .

[46]  Sotiris Ioannidis,et al.  REAPER: Real-time App Analysis for Augmenting the Android Permission System , 2019, CODASPY.

[47]  Zhen Han,et al.  Dynamic Privacy Leakage Analysis of Android Third-Party Libraries , 2018, 2018 1st International Conference on Data Intelligence and Security (ICDIS).