Abstract
The growth of IoT apps poses increasing concerns about sensitive data leaks. While privacy policies are required to describe how IoT apps use private user data (i.e., data practice), problems such as missing, inaccurate, and inconsistent policies have been repeatedly reported. Therefore, it is important to assess the actual data practice in IoT apps and identify the potential gaps between the actual and declared data usage. In this work, we conducted a measurement study using our framework called IoTPrivComp, which applies an automated analysis of IoT apps’ code and privacy policies to identify compliance gaps. We collected 1,489 IoT apps with English privacy policies from the Play Store. IoTPrivComp found 532 apps with sensitive external data flows, among which 408 (76.7%) apps had undisclosed data leaks. Moreover, 63.4% of the data flows that involved health and wellness data was inconsistent with the practices disclosed in the apps’ privacy policies.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
References
Aafer, Y., Tao, G., Huang, J., Zhang, X., Li, N.: Precise android API protection mapping derivation and reasoning. In: ACM CCS, pp. 1151–1164 (2018)
Amin, A., Eldessouki, A., Magdy, M.T., Abdeen, N., Hindy, H., Hegazy, I.: Androshield: automated android applications vulnerability detection, a hybrid static and dynamic analysis approach. Information 10(10), 326 (2019)
Andow, B., et al.: Policylint: investigating internal privacy policy contradictions on google play. In: USENIX Security, pp. 585–602 (2019)
Andow, B.,et al.: Actions speak louder than words: entity-sensitive privacy policy and data flow analysis with policheck. In: USENIX Security, pp. 985–1002 (2020)
Arzt, S., et al.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM Sigplan. Notice. 49(6), 259–269 (2014)
Babun, L., Celik, Z.B., McDaniel, P., Uluagac, A.S.: Real-time analysis of privacy-(un) aware IoT applications. Proc. Privacy Enhanc. Technol. 2021(1), 145–166 (2021)
Backes, M., Bugiel, S., Derr, E., McDaniel, P., Octeau, D., Weisgerber, S.: On demystifying the android application framework: re-visiting android permission specification analysis. In: USENIX Security, pp. 1101–1118 (2016)
Bastys, I., Balliu, M., Sabelfeld, A.: If this then what? controlling flows in IoT apps. In: ACM CCS, pp. 1102–1119 (2018)
Celik, Z.B., et al.: Sensitive information tracking in commodity IoT. In: USENIX Security, pp. 1687–1704 (2018)
Celik, Z.B., Fernandes, E., Pauley, E., Tan, G., McDaniel, P.: Program analysis of commodity IoT applications for security and privacy: challenges and opportunities. ACM Comput. Surv. 52(4), 1–30 (2019)
Celik, Z.B., McDaniel, P., Tan, G.: Soteria: automated IoT safety and security analysis. In: USENIX ATC, pp. 147–158 (2018)
Celik, Z.B., Tan, G., McDaniel, P.D.: Iotguard: dynamic enforcement of security and safety policy in commodity IoT. In: NDSS (2019)
Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., Holz, T.: We value your privacy... now take some cookies: measuring the gdpr’s impact on web privacy. arXiv preprint arXiv:1808.05096 (2018)
Devlin, J., Chang, M., Lee, K., Toutanova, K.: BERT: pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805 (2018)
Efron, B.: Bayes’ theorem in the 21st century. Science 340(6137), 1177–1178 (2013)
Egelman, S.: Taking responsibility for someone else’s code: studying the privacy behaviors of mobile apps at scale. In: USENIX PEPR (2020)
Ermakova, T., Fabian, B., Babina, E.: Readability of privacy policies of healthcare websites. Wirtschaftsinformatik 15, 1–15 (2015)
Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 627–638 (2011)
Gibler, C., Crussell, J., Erickson, J., Chen, H.: AndroidLeaks: automatically detecting potential pivacy leaks in android applications on a large scale. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) Trust 2012. LNCS, vol. 7344, pp. 291–307. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30921-2_17
Gyory, N., Chuah, M.: Iotone: integrated platform for heterogeneous IoT devices. In: 2017 International Conference on Computing, Networking and Communications (ICNC), pp. 783–787. IEEE (2017)
Han, C., et al.: The price is (not) right: comparing privacy in free and paid apps. Proc. Privacy Enhanc. Technol. 2020(3), 222–242 (2020)
Harkous, H., Fawaz, K., Lebret, R., Schaub, F., Shin, K.G., Aberer, K.: Polisis: automated analysis and presentation of privacy policies using deep learning. In: USENIX Security, pp. 531–548 (2018)
Hatamian, M., Serna, J., Rannenberg, K.: Revealing the unrevealed: mining smartphone users privacy perception on app markets. Comput. Secur. 83, 332–353 (2019)
Jia, Y.J., et al.: Contexlot: towards providing contextual integrity to appified IoT platforms. In: 24th Annual Network and Distributed System Security Symposium, San Diego, CA (2017)
Kumar, A.: Internet of things for smart cities. IEEE Internet Things J. 1(1) (2014)
Liao, S., Wilson, C., Cheng, L., Hu, H., Deng, H.: Measuring the effectiveness of privacy policies for voice assistant applications. In: Annual Computer Security Applications Conference, pp. 856–869 (2020)
Libert, T.: An automated approach to auditing disclosure of third-party data collection in website privacy policies. In: World Wide Web Conference, pp. 207–216 (2018)
Matwin, S., Sazonova, V.: Direct comparison between support vector machine and multinomial Naive Bayes algorithms for medical abstract classification. J. Am. Med. Inf. Assoc. 19(5), 917–917 (2012)
McDonald, A.M., Cranor, L.F.: The cost of reading privacy policies. ISJLP 4, 543 (2008)
Monkey. Google, inc. ui/application exerciser monkey. https://developer.android.com/tools/help/monkey.html. Accessed Aug 2021
Okoyomon, E., et al.: On the ridiculousness of notice and consent: contradictions in app privacy policies. In: Workshop on Technology and Consumer Protection (ConPro 2019), in Conjunction with the 39th IEEE Symposium on Security and Privacy (2019)
Qark. Tool to look for several security related android application vulnerabilities. https://github.com/linkedin/qark. Accessed Aug 2021
Rahmati, A., Fernandes, E., Jung, J., Prakash, A.: Ifttt vs. zapier: a comparative study of trigger-action programming frameworks. arXiv preprint arXiv:1709.02788 (2017)
Rasthofer, S., Arzt, S., Bodden, E.: A machine-learning approach for classifying and categorizing android sources and sinks. In: NDSS, vol. 14, p. 1125 (2014)
Rosen, S., Qian, Z., Mao, Z.M.: Appprofiler: a flexible method of exposing privacy-related behavior in android applications to end users. In: ACM CODASPY, pp. 221–232 (2013)
Schmeidl, F., Nazzal, B., Alalfi, M.H.: Security analysis for smart things IoT applications. In: 2019 IEEE/ACM 6th International Conference on Mobile Software Engineering and Systems (MOBILESoft), pp. 25–29. IEEE (2019)
Slavin, R., et al.: Toward a framework for detecting privacy policy violations in android application code. In: Proceedings of the 38th International Conference on Software Engineering, pp. 25–36 (2016)
StevenArzt. Soot-a java optimization framework (2021). https://github.com/Sable/soot. Accessed Aug 2021
A. STUDIO. Apkanalyzer (2020). https://developer.android.com/studio/command-line/apkanalyzer. Accessed Aug 2021
Subahi, A., Theodorakopoulos, G.: Ensuring compliance of IoT devices with their privacy policy agreement. In: 2018 IEEE 6th International Conference on Future Internet of Things and Cloud (FiCloud), pp. 100–107. IEEE (2018)
Subahi, A., Theodorakopoulos, G.: Detecting IoT user behavior and sensitive information in encrypted IoT-app traffic. Sensors 19(21), 4777 (2019)
Tesfay, W.B., Hofmann, P., Nakamura, T., Kiyomoto, S., Serna, J.: Privacyguide: towards an implementation of the EU GDPR on internet privacy policy evaluation. In: ACM Workshop on Security and Privacy Analytics, pp. 15–21 (2018)
Voigt, P., von dem Bussche, A.: The EU General Data Protection Regulation (GDPR). Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57959-7
Wang, H., Lai, T. T.-T., Roy Choudhury, R.: Mole: Motion leaks through smartwatch sensors. In: Proceedings of the 21st Annual International Conference on Mobile Computing and Networking, pp. 155–166 (2015)
Wang, S.I., Manning, C.D.: Baselines and bigrams: simple, good sentiment and topic classification. In: Proceedings of the 50th Annual Meeting of the Association for Computational Linguistics (Volume 2: Short Papers), pp. 90–94 (2012)
Wang, X., Qin, X., Hosseini, M.B., Slavin, R., Breaux, T.D., Niu, J.: Guileak: tracing privacy policy claims on user input data for android applications. In: Proceedings of the 40th International Conference on Software Engineering, pp. 37–47 (2018)
Wolf, T., et al.: Transformers: state-of-the-art natural language processing. In: Proceedings of the 2020 Conference on Empirical Methods in Natural Language Processing: System Demonstrations, pp. 38–45 (2020)
Yu, H., Hua, J., Julien, C.: Dataset: analysis of IFTTT recipes to study how humans use internet-of-things (IOT) devices. arXiv preprint arXiv:2110.00068 (2021)
Yu, L., Luo, X., Liu, X., Zhang, T.: Can we trust the privacy policies of android apps? In: 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 538–549. IEEE (2016)
Yu, L., Zhang, T., Luo, X., Xue, L., Chang, H.: Toward automatically generating privacy policy for android apps. IEEE Trans. Inf. Forens. Secur. 12(4), 865–880 (2016)
Zimmeck, S., et al.: Maps: scaling privacy compliance analysis to a million apps. Proc. Priv. Enhancing Tech. 2019, 66 (2019)
Zimmeck, S., et al.: Automated analysis of privacy requirements for mobile apps. In: AAAI Fall Symposium (2016)
Acknowledgements
The authors were sponsored in part by NSF IIS-2014552, DGE-1565570, DGE-1922649, and the Ripple University Blockchain Research Initiative. The authors would like to thank the anonymous reviewers for their valuable comments and suggestions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A A Ontologies
A A Ontologies
We have 121 entity ontology pairs, 52 data ontology pairs, and 7,592 synonyms in the IoT-specific ontology. Table 8 shows parts of the data and entity ontologies.
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Ahmad, J., Li, F., Luo, B. (2022). IoTPrivComp: A Measurement Study of Privacy Compliance in IoT Apps. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_29
Download citation
DOI: https://doi.org/10.1007/978-3-031-17146-8_29
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17145-1
Online ISBN: 978-3-031-17146-8
eBook Packages: Computer ScienceComputer Science (R0)