关键词: 隐私条例, 静态分析, 动态分析, 第三方库, 移动应用

Abstract: Mobile Apps frequently request access to sensitive information. Google recommends that developers should publish privacy policy document when uploading an App, with the aim of making the user aware of how the privacy information is used for better protection of users?? privacy. Many studies focus on detecting the consistence between App behavior and privacy policy. However, most of them only focus on static analysis and use white-list to identify third-party libraries, which is inaccurate and incomplete. An automated detection tool is proposed to check whether the App privacy document is consistent with the App behavior. First, an improved natural language approach is used to extract the declared sensitive behavior in the privacy policy. Then, both static analysis and dynamic analysis are used to analyze the sensitive behavior of mobile App. Besides, a clustering-based approach is used to identify third-party library used in the App, which is more accurate than the traditional white-list based approach. Finally, the consistence detection is conducted with the statement of privacy policy and the analysis of the privacy permission in code. Based on the experiment of 455 Apps, the tool can accurately extract 94.75% of the privacy information in the privacy policy statement. Experiment results show that for roughly 50% of the Apps, there exists inconsistence between App behavior and privacy policy.

Key words: privacy policy, static analysis, dynamic analysis, the third party, mobile App