16 research outputs found

    How Dangerous Permissions are Described in Android Apps' Privacy Policies?

    Google requires Android apps which handle users' personal data such as photos and contacts information to post a privacy policy which describes comprehensively how the app collects, uses and shares users' information. Unfortunately, while knowing why the app wants to access specific users' information is considered very useful, permissions screen in Android does not provide such pieces of information. Accordingly, users reported their concerns about apps requiring permissions that seem to be not related to the apps' functions. To advance toward practical solutions that can assist users in protecting their privacy, a technique to automatically discover the rationales of dangerous permissions requested by Android apps, by extracting them from apps' privacy policies, could be a great advantage. However, before being able to do so, it is important to bridge the gap between technical terms used in Android permissions and natural language terminology in privacy policies. In this paper, we recorded the terminology used in Android apps' privacy policies which describe usage of dangerous permissions. The semi-automated approach employs NLP and IE techniques to map privacy policies' terminologies to Android dangerous permissions. The mapping links 128 information types to Android dangerous permissions. This mapping produces semantic information which can then be used to extract the rationales of dangerous permissions from apps' privacy policies

    Consumers’ Understanding of Privacy Rules in the Marketplace

    Studies suggest the general structure of Web sites leads consumers away from demanding that online merchants take certain approaches to privacy as a condition for dealing with them. This article presents findings from a nationally representative survey showing that the absence of such a privacy marketplace can also be attributed to the public’s incomplete knowledge of privacy regulations. Most respondents correctly understood that regulations regarding merchants’ sharing information are domain specific. The respondents were only sporadically correct, however, regarding which domains have which rules. The study raises questions about the best approaches to education in the absence of a coherent national policy of privacy regulation

    A Fairness Heuristic Analysis of the Primacy Effect of Reputation on Perceived of Privacy Policy and Privacy Seals

    When faced with the risk-benefit dilemma in online era, how would users make their decisions by procedural justice information as distributive justice information is uncertain? The literature implied reputation, privacy policy and seals can be regarded as the factors, which would eliminate users’ privacy concern, build trust and incentivize transaction. However, research-to-date is lacking of a comprehensive model to indicate practitioners whenever and however which factor is the core compared with others or their efforts are equal. Drawing upon the fairness heuristic theory, this paper explores the impact of the three factors on them. The results from an experimental study show that the primacy effects of reputation on perceived of privacy policy and seals exist. Theoretical and practical implications arising from our results were offered

    A Broader View of Perceived Risk during Internet Transactions

    Ubiquitous networking facilitates Internet access across multiple network environments, whose value is tied directly to user perceptions of its ability to securely execute transactions. Prior research has cited awareness, trust, and risk as critical determinants of adoption but has failed to examine these factors as they relate to infrastructure and its provider. Because information in transit is at risk from a network environment’s vulnerabilities, we focus on the implications of such risk on Internet activities. We examine the multiple parties that must be trusted to complete and facilitate an online transaction. We propose that the user must trust not only the information recipient to act benevolently but also the technologies and organizations that facilitate the online exchange

    Web Application Weakness Ontology Based on Vulnerability Data

    Web applications are becoming more ubiquitous. All manner of physical devices are now connected and often have a variety of web applications and web-interfaces. This proliferation of web applications has been accompanied by an increase in reported software vulnerabilities. The objective of this analysis of vulnerability data is to understand the current landscape of reported web application flaws. Along those lines, this work reviews ten years (2011 - 2020) of vulnerability data in the National Vulnerability Database. Based on this data, most common web application weaknesses are identified and their profiles presented. A weakness ontology is developed to capture the attributes of these weaknesses. These include their attack method and attack vectors. Also described is the impact of the weaknesses to software quality attributes. Additionally, the technologies that are susceptible to each weakness are presented, they include programming languages, frameworks, communication protocols, and data formats

    A Taxonomy for Mining and Classifying Privacy Requirements in Issue Reports

    Digital and physical footprints are a trail of user activities collected over the use of software applications and systems. As software becomes ubiquitous, protecting user privacy has become challenging. With the increasing of user privacy awareness and advent of privacy regulations and policies, there is an emerging need to implement software systems that enhance the protection of personal data processing. However, existing privacy regulations and policies only provide high-level principles which are difficult for software engineers to design and implement privacy-aware systems. In this paper, we develop a taxonomy that provides a comprehensive set of privacy requirements based on two well-established and widely-adopted privacy regulations and frameworks, the General Data Protection Regulation (GDPR) and the ISO/IEC 29100. These requirements are refined into a level that is implementable and easy to understand by software engineers, thus supporting them to attend to existing regulations and standards. We have also performed a study on how two large open-source software projects (Google Chrome and Moodle) address the privacy requirements in our taxonomy through mining their issue reports. The paper discusses how the collected issues were classified, and presents the findings and insights generated from our study. Comment: Submitted to IEEE Transactions on Software Engineering on 23 December 202

    Secure Information Systems Engineering: A Manifesto

    In this paper, we lay down the agenda for a discipline that is meant to promote research on increasing the development of secure information systems. In particular, we introduce areas related to the development of secure information systems; we identify limitations of existing approaches and the barriers that currently limit research and we discuss the characteristics for an engineering discipline for the development of secure information systems, its principles and the challenges that must be addressed

    Security Attack Testing (SAT)—testing the security of information systems at design time

    For the last few years a considerable number of efforts have been devoted into integrating security issues into information systems development practices. This has led to a number of languages, methods, methodologies and techniques for considering security issues during the developmental stages of an information system. However, these approaches mainly focus on security requirements elicitation, analysis and design issues and neglect testing. This paper presents the Security Attack Testing (SAT) approach, a novel scenario-based approach that tests the security of an information system at the design time. The approach is illustrated with the aid of a real-life case study involving the development of a health and social care information system