计算机科学与探索 ›› 2019, Vol. 13 ›› Issue (1): 56-69.DOI: 10.3778/j.issn.1673-9418.1710031

• 网络与信息安全 • 上一篇    下一篇

Android应用隐私条例与敏感行为一致性检测

王靖瑜1,徐明昆1,王浩宇2+,徐国爱3   

  1. 1. 北京邮电大学 网络技术研究院,北京 100876
    2. 北京邮电大学 计算机学院,北京 100876
    3. 北京邮电大学 网络空间安全学院,北京 100876
  • 出版日期:2019-01-01 发布日期:2019-01-09

Automated Detection of Consistence Between App Behavior and Privacy Policy of Android Apps

WANG Jingyu1, XU Mingkun1, WANG Haoyu2+, XU Guo'ai3   

  1. 1. Institute of Network Technology, Beijing University of Posts and Telecommunications, Beijing 100876, China
    2. School of Computer Science, Beijing University of Posts and Telecommunications, Beijing 100876, China
    3. School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing 100876, China
  • Online:2019-01-01 Published:2019-01-09

摘要: 移动应用会频繁使用敏感信息,因此,Google建议开发者在上传应用时发布隐私条例文档,从而更好地保护用户隐私。尽管很多工作关注于隐私条例与应用行为的一致性分析,然而现有工作均使用静态分析和白名单分析第三方库的方法,导致隐私条例的一致性检测结果的不准确和不完整。提出一种自动化检测应用隐私条例文档是否与应用行为相一致的工具。首先,使用一种改进的自然语言处理的方法提取隐私条例文档中的隐私信息和应用敏感行为;然后,使用静态分析和动态分析相结合的方法分析应用实际的隐私行为,同时区别于传统的白名单对照方式,使用了基于聚类的第三方库的检测方法提高了检查的准确性,最后将文本中声明的隐私信息行为和代码中分析出的隐私权限进行一致性校验。实验对455个应用进行分析,工具对隐私条例中隐私信息提取的准确率为94.75%,大约有50%的应用存在着应用行为和隐私条例文档不一致的问题。

关键词: 隐私条例, 静态分析, 动态分析, 第三方库, 移动应用

Abstract: Mobile Apps frequently request access to sensitive information. Google recommends that developers should publish privacy policy document when uploading an App, with the aim of making the user aware of how the privacy information is used for better protection of users?? privacy. Many studies focus on detecting the consistence between App behavior and privacy policy. However, most of them only focus on static analysis and use white-list to identify third-party libraries, which is inaccurate and incomplete. An automated detection tool is proposed to check whether the App privacy document is consistent with the App behavior. First, an improved natural language approach is used to extract the declared sensitive behavior in the privacy policy. Then, both static analysis and dynamic analysis are used to analyze the sensitive behavior of mobile App. Besides, a clustering-based approach is used to identify third-party library used in the App, which is more accurate than the traditional white-list based approach. Finally, the consistence detection is conducted with the statement of privacy policy and the analysis of the privacy permission in code. Based on the experiment of 455 Apps, the tool can accurately extract 94.75% of the privacy information in the privacy policy statement. Experiment results show that for roughly 50% of the Apps, there exists inconsistence between App behavior and privacy policy.

Key words: privacy policy, static analysis, dynamic analysis, the third party, mobile App