18,082 research outputs found
Demystifying Privacy Policy of Third-Party Libraries in Mobile Apps
The privacy of personal information has received significant attention in
mobile software. Although previous researchers have designed some methods to
identify the conflict between app behavior and privacy policies, little is
known about investigating regulation requirements for third-party libraries
(TPLs). The regulators enacted multiple regulations to regulate the usage of
personal information for TPLs (e.g., the "California Consumer Privacy Act"
requires businesses clearly notify consumers if they share consumers' data with
third parties or not). However, it remains challenging to analyze the legality
of TPLs due to three reasons: 1) TPLs are mainly published on public
repositoriesinstead of app market (e.g., Google play). The public repositories
do not perform privacy compliance analysis for each TPL. 2) TPLs only provide
independent functions or function sequences. They cannot run independently,
which limits the application of performing dynamic analysis. 3) Since not all
the functions of TPLs are related to user privacy, we must locate the functions
of TPLs that access/process personal information before performing privacy
compliance analysis. To overcome the above challenges, in this paper, we
propose an automated system named ATPChecker to analyze whether the Android
TPLs meet privacy-related regulations or not. Our findings remind developers to
be mindful of TPL usage when developing apps or writing privacy policies to
avoid violating regulation
Overcoming Language Dichotomies: Toward Effective Program Comprehension for Mobile App Development
Mobile devices and platforms have become an established target for modern
software developers due to performant hardware and a large and growing user
base numbering in the billions. Despite their popularity, the software
development process for mobile apps comes with a set of unique, domain-specific
challenges rooted in program comprehension. Many of these challenges stem from
developer difficulties in reasoning about different representations of a
program, a phenomenon we define as a "language dichotomy". In this paper, we
reflect upon the various language dichotomies that contribute to open problems
in program comprehension and development for mobile apps. Furthermore, to help
guide the research community towards effective solutions for these problems, we
provide a roadmap of directions for future work.Comment: Invited Keynote Paper for the 26th IEEE/ACM International Conference
on Program Comprehension (ICPC'18
The simpler, the better? Presenting the COPING Android permission-granting interface for better privacy-related decisions
One of the great innovations of the modern world is the Smartphone app. The sheer multitude of available apps attests to their popularity and general ability to satisfy our wants and needs. The flip side of the functionality these apps offer is their potential for privacy invasion. Apps can, if granted permission, gather a vast amount of very personal and sensitive information. App developers might exploit the combination of human propensities and the design of the Android permission-granting interface to gain permission to access more information than they really need. This compromises personal privacy. The fact that the Android is the globally dominant phone means widespread privacy invasion is a real concern.
We, and other researchers, have proposed alternatives to the Android permission-granting interface. The aim of these alternatives is to highlight privacy considerations more effectively during app installation: to ensure that privacy becomes part of the decision-making process. We report here on a study with 344 participants that compared the impact of a number of permission-granting interface proposals, including our own (called the COPING interface — COmprehensive PermIssioN Granting) and two Android interfaces. To conduct the comparison we carried out an online study with a mixed-model design.
Our main finding is that the focus in these interfaces ought to be on improving the quality of the provided information rather than merely simplifying the interface. The intuitive approach is to reduce and simplify information, but we discovered that this actually impairs the quality of the decision. Our recommendation is that further investigation is required in order to find the “sweet spot” where understandability and comprehensiveness are maximised
Towards Secure and Safe Appified Automated Vehicles
The advancement in Autonomous Vehicles (AVs) has created an enormous market
for the development of self-driving functionalities,raising the question of how
it will transform the traditional vehicle development process. One adventurous
proposal is to open the AV platform to third-party developers, so that AV
functionalities can be developed in a crowd-sourcing way, which could provide
tangible benefits to both automakers and end users. Some pioneering companies
in the automotive industry have made the move to open the platform so that
developers are allowed to test their code on the road. Such openness, however,
brings serious security and safety issues by allowing untrusted code to run on
the vehicle. In this paper, we introduce the concept of an Appified AV platform
that opens the development framework to third-party developers. To further
address the safety challenges, we propose an enhanced appified AV design schema
called AVGuard, which focuses primarily on mitigating the threats brought about
by untrusted code, leveraging theory in the vehicle evaluation field, and
conducting program analysis techniques in the cybersecurity area. Our study
provides guidelines and suggested practice for the future design of open AV
platforms
AndroShield:automated Android applications vulnerability detection, a hybrid static and dynamic analysis approach
The security of mobile applications has become a major research field which is associated with a lot of challenges. The high rate of developing mobile applications has resulted in less secure applications. This is due to what is called the “rush to release” as defined by Ponemon Institute. Security testing—which is considered one of the main phases of the development life cycle—is either not performed or given minimal time; hence, there is a need for security testing automation. One of the techniques used is Automated Vulnerability Detection. Vulnerability detection is one of the security tests that aims at pinpointing potential security leaks. Fixing those leaks results in protecting smart-phones and tablet mobile device users against attacks. This paper focuses on building a hybrid approach of static and dynamic analysis for detecting the vulnerabilities of Android applications. This approach is capsuled in a usable platform (web application) to make it easy to use for both public users and professional developers. Static analysis, on one hand, performs code analysis. It does not require running the application to detect vulnerabilities. Dynamic analysis, on the other hand, detects the vulnerabilities that are dependent on the run-time behaviour of the application and cannot be detected using static analysis. The model is evaluated against different applications with different security vulnerabilities. Compared with other detection platforms, our model detects information leaks as well as insecure network requests alongside other commonly detected flaws that harm users’ privacy. The code is available through a GitHub repository for public contribution
- …