Who Leaks My Privacy: Towards Automatic and Association Detection with GDPR Compliance

The apps running on smart devices have greatly enriched people's lives. However, they also collect personally identifiable information (PII) covertly. Unrestricted collection and processing and unsafe transmission of PII result in privacy disclosure, which causes losses to users. With the advent of data-privacy laws and regulations such as GDPR, the major app vendors have become increasingly cautious about collecting PII. However, research on detecting privacy leakage under the GDPR framework still receives little attention. In this paper, we analyze the GDPR clauses on privacy processing and propose a method for PII leakage detection based on association mining. This method helps us find many hidden privacy leakages in traffic data. Moreover, we design and implement an automated system to detect whether the traffic data sent by apps reveals users' PII. We tested 509 apps of different categories from the Google Play Store. The results show that 76.23% of the apps collect and transmit PII insecurely and 34.06% of them send PII to third parties.
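The abstract describes three checks the system applies to captured app traffic: whether a request carries the user's PII (including in transformed form, which is where association between a known value and its encodings matters), whether the transport is insecure, and whether the destination is a third party. The following Python script is an added illustration of those checks and is not the paper's code or its association-mining method; it uses a much simpler approach of matching known PII values against their common encodings and digests. The PII values, the first-party domain list, and the captured request lines are all constructed here for the example, and the summary counts requests rather than apps.

```python
import base64
import hashlib
from urllib.parse import quote, urlparse

# Constructed test data: the PII values belonging to the device owner under test.
KNOWN_PII = {
    "email": "alice@example.com",
    "imei": "490154203237518",
    "android_id": "9774d56d682e549c",
}

# Constructed: domains owned by the app vendor. Any other host is treated as a third party.
FIRST_PARTY_DOMAINS = {"exampleapp.com"}


def encodings_of(value: str) -> dict:
    """Forms in which an app may transmit a PII value. Hashed or encoded identifiers
    are still personal data under GDPR (pseudonymisation does not anonymise), so every
    form is treated as a leak of the original value."""
    raw = value.encode()
    return {
        "plain": value,
        "urlencoded": quote(value, safe=""),
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def is_first_party(host: str) -> bool:
    """Exact or subdomain match against the vendor-owned domains."""
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY_DOMAINS)


def scan_request(line: str) -> dict:
    """Inspect one captured request of the form 'METHOD URL [BODY]' and report
    which PII appears (and in what form), whether the scheme is cleartext HTTP,
    and whether the destination is a third party."""
    parts = line.split(" ", 2)
    url = parts[1]
    body = parts[2] if len(parts) > 2 else ""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    haystack = (url + " " + body).lower()
    findings = []
    for name, value in KNOWN_PII.items():
        for enc, form in encodings_of(value).items():
            # Both sides are lowercased so base64 and hex digests compare consistently.
            if form.lower() in haystack:
                findings.append((name, enc))
    return {
        "host": host,
        "insecure": parsed.scheme == "http",
        "third_party": not is_first_party(host),
        "pii": findings,
    }


def summarize(records: list) -> dict:
    """Aggregate the per-request findings into the two figures the abstract reports,
    here over requests rather than over apps."""
    scanned = [scan_request(r) for r in records]
    leaking = [s for s in scanned if s["pii"]]
    return {
        "requests": len(scanned),
        "leaking": len(leaking),
        "insecure": sum(1 for s in leaking if s["insecure"]),
        "third_party": sum(1 for s in leaking if s["third_party"]),
    }


def build_sample_traffic() -> list:
    """Constructed capture: four requests covering the cases the checks distinguish.
    Encoded forms are generated at runtime so the sample stays consistent with KNOWN_PII."""
    e = encodings_of(KNOWN_PII["email"])
    i = encodings_of(KNOWN_PII["imei"])
    a = encodings_of(KNOWN_PII["android_id"])
    return [
        # First party over TLS with the e-mail URL-encoded in the body: PII sent, but neither insecure nor third party.
        f"POST https://api.exampleapp.com/login email={e['urlencoded']}&pw=REDACTED",
        # Third-party ad host over cleartext HTTP with the MD5 of the IMEI in the query string.
        f"GET http://ads.tracker-example.net/pixel?uid={i['md5']}",
        # Third-party analytics host over TLS with the base64 Android ID in a JSON body.
        f'POST https://analytics.third-example.org/collect {{"d":"{a["base64"]}"}}',
        # Static asset fetch carrying no PII at all.
        "GET https://cdn.exampleapp.com/logo.png",
    ]


if __name__ == "__main__":
    for rec in build_sample_traffic():
        print(scan_request(rec))
    print(summarize(build_sample_traffic()))
```

In practice the request lines would come from a capture tool such as a local VPN or interception proxy; the scan itself only needs the URL and body text, and extending `encodings_of` with further transformations (salted hashes, custom encodings) is where a real association-based approach adds value over this fixed list.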
