Skip to main content

IoTPrivComp: A Measurement Study of Privacy Compliance in IoT Apps

  • Conference paper
  • First Online:
Computer Security – ESORICS 2022 (ESORICS 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13555))

Included in the following conference series:

  • 2134 Accesses

Abstract

The growth of IoT apps poses increasing concerns about sensitive data leaks. While privacy policies are required to describe how IoT apps use private user data (i.e., data practice), problems such as missing, inaccurate, and inconsistent policies have been repeatedly reported. Therefore, it is important to assess the actual data practice in IoT apps and identify the potential gaps between the actual and declared data usage. In this work, we conducted a measurement study using our framework called IoTPrivComp, which applies an automated analysis of IoT apps’ code and privacy policies to identify compliance gaps. We collected 1,489 IoT apps with English privacy policies from the Play Store. IoTPrivComp found 532 apps with sensitive external data flows, among which 408 (76.7%) apps had undisclosed data leaks. Moreover, 63.4% of the data flows that involved health and wellness data was inconsistent with the practices disclosed in the apps’ privacy policies.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://github.com/IoTPrivComp.

References

  1. Aafer, Y., Tao, G., Huang, J., Zhang, X., Li, N.: Precise android API protection mapping derivation and reasoning. In: ACM CCS, pp. 1151–1164 (2018)

    Google Scholar 

  2. Amin, A., Eldessouki, A., Magdy, M.T., Abdeen, N., Hindy, H., Hegazy, I.: Androshield: automated android applications vulnerability detection, a hybrid static and dynamic analysis approach. Information 10(10), 326 (2019)

    Article  Google Scholar 

  3. Andow, B., et al.: Policylint: investigating internal privacy policy contradictions on google play. In: USENIX Security, pp. 585–602 (2019)

    Google Scholar 

  4. Andow, B.,et al.: Actions speak louder than words: entity-sensitive privacy policy and data flow analysis with policheck. In: USENIX Security, pp. 985–1002 (2020)

    Google Scholar 

  5. Arzt, S., et al.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM Sigplan. Notice. 49(6), 259–269 (2014)

    Google Scholar 

  6. Babun, L., Celik, Z.B., McDaniel, P., Uluagac, A.S.: Real-time analysis of privacy-(un) aware IoT applications. Proc. Privacy Enhanc. Technol. 2021(1), 145–166 (2021)

    Article  Google Scholar 

  7. Backes, M., Bugiel, S., Derr, E., McDaniel, P., Octeau, D., Weisgerber, S.: On demystifying the android application framework: re-visiting android permission specification analysis. In: USENIX Security, pp. 1101–1118 (2016)

    Google Scholar 

  8. Bastys, I., Balliu, M., Sabelfeld, A.: If this then what? controlling flows in IoT apps. In: ACM CCS, pp. 1102–1119 (2018)

    Google Scholar 

  9. Celik, Z.B., et al.: Sensitive information tracking in commodity IoT. In: USENIX Security, pp. 1687–1704 (2018)

    Google Scholar 

  10. Celik, Z.B., Fernandes, E., Pauley, E., Tan, G., McDaniel, P.: Program analysis of commodity IoT applications for security and privacy: challenges and opportunities. ACM Comput. Surv. 52(4), 1–30 (2019)

    Article  Google Scholar 

  11. Celik, Z.B., McDaniel, P., Tan, G.: Soteria: automated IoT safety and security analysis. In: USENIX ATC, pp. 147–158 (2018)

    Google Scholar 

  12. Celik, Z.B., Tan, G., McDaniel, P.D.: Iotguard: dynamic enforcement of security and safety policy in commodity IoT. In: NDSS (2019)

    Google Scholar 

  13. Degeling, M., Utz, C., Lentzsch, C., Hosseini, H., Schaub, F., Holz, T.: We value your privacy... now take some cookies: measuring the gdpr’s impact on web privacy. arXiv preprint arXiv:1808.05096 (2018)

  14. Devlin, J., Chang, M., Lee, K., Toutanova, K.: BERT: pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805 (2018)

  15. Efron, B.: Bayes’ theorem in the 21st century. Science 340(6137), 1177–1178 (2013)

    Article  MathSciNet  Google Scholar 

  16. Egelman, S.: Taking responsibility for someone else’s code: studying the privacy behaviors of mobile apps at scale. In: USENIX PEPR (2020)

    Google Scholar 

  17. Ermakova, T., Fabian, B., Babina, E.: Readability of privacy policies of healthcare websites. Wirtschaftsinformatik 15, 1–15 (2015)

    Google Scholar 

  18. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 627–638 (2011)

    Google Scholar 

  19. Gibler, C., Crussell, J., Erickson, J., Chen, H.: AndroidLeaks: automatically detecting potential pivacy leaks in android applications on a large scale. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) Trust 2012. LNCS, vol. 7344, pp. 291–307. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30921-2_17

  20. Gyory, N., Chuah, M.: Iotone: integrated platform for heterogeneous IoT devices. In: 2017 International Conference on Computing, Networking and Communications (ICNC), pp. 783–787. IEEE (2017)

    Google Scholar 

  21. Han, C., et al.: The price is (not) right: comparing privacy in free and paid apps. Proc. Privacy Enhanc. Technol. 2020(3), 222–242 (2020)

    Google Scholar 

  22. Harkous, H., Fawaz, K., Lebret, R., Schaub, F., Shin, K.G., Aberer, K.: Polisis: automated analysis and presentation of privacy policies using deep learning. In: USENIX Security, pp. 531–548 (2018)

    Google Scholar 

  23. Hatamian, M., Serna, J., Rannenberg, K.: Revealing the unrevealed: mining smartphone users privacy perception on app markets. Comput. Secur. 83, 332–353 (2019)

    Article  Google Scholar 

  24. Jia, Y.J., et al.: Contexlot: towards providing contextual integrity to appified IoT platforms. In: 24th Annual Network and Distributed System Security Symposium, San Diego, CA (2017)

    Google Scholar 

  25. Kumar, A.: Internet of things for smart cities. IEEE Internet Things J. 1(1) (2014)

    Google Scholar 

  26. Liao, S., Wilson, C., Cheng, L., Hu, H., Deng, H.: Measuring the effectiveness of privacy policies for voice assistant applications. In: Annual Computer Security Applications Conference, pp. 856–869 (2020)

    Google Scholar 

  27. Libert, T.: An automated approach to auditing disclosure of third-party data collection in website privacy policies. In: World Wide Web Conference, pp. 207–216 (2018)

    Google Scholar 

  28. Matwin, S., Sazonova, V.: Direct comparison between support vector machine and multinomial Naive Bayes algorithms for medical abstract classification. J. Am. Med. Inf. Assoc. 19(5), 917–917 (2012)

    Article  Google Scholar 

  29. McDonald, A.M., Cranor, L.F.: The cost of reading privacy policies. ISJLP 4, 543 (2008)

    Google Scholar 

  30. Monkey. Google, inc. ui/application exerciser monkey. https://developer.android.com/tools/help/monkey.html. Accessed Aug 2021

  31. Okoyomon, E., et al.: On the ridiculousness of notice and consent: contradictions in app privacy policies. In: Workshop on Technology and Consumer Protection (ConPro 2019), in Conjunction with the 39th IEEE Symposium on Security and Privacy (2019)

    Google Scholar 

  32. Qark. Tool to look for several security related android application vulnerabilities. https://github.com/linkedin/qark. Accessed Aug 2021

  33. Rahmati, A., Fernandes, E., Jung, J., Prakash, A.: Ifttt vs. zapier: a comparative study of trigger-action programming frameworks. arXiv preprint arXiv:1709.02788 (2017)

  34. Rasthofer, S., Arzt, S., Bodden, E.: A machine-learning approach for classifying and categorizing android sources and sinks. In: NDSS, vol. 14, p. 1125 (2014)

    Google Scholar 

  35. Rosen, S., Qian, Z., Mao, Z.M.: Appprofiler: a flexible method of exposing privacy-related behavior in android applications to end users. In: ACM CODASPY, pp. 221–232 (2013)

    Google Scholar 

  36. Schmeidl, F., Nazzal, B., Alalfi, M.H.: Security analysis for smart things IoT applications. In: 2019 IEEE/ACM 6th International Conference on Mobile Software Engineering and Systems (MOBILESoft), pp. 25–29. IEEE (2019)

    Google Scholar 

  37. Slavin, R., et al.: Toward a framework for detecting privacy policy violations in android application code. In: Proceedings of the 38th International Conference on Software Engineering, pp. 25–36 (2016)

    Google Scholar 

  38. StevenArzt. Soot-a java optimization framework (2021). https://github.com/Sable/soot. Accessed Aug 2021

  39. A. STUDIO. Apkanalyzer (2020). https://developer.android.com/studio/command-line/apkanalyzer. Accessed Aug 2021

  40. Subahi, A., Theodorakopoulos, G.: Ensuring compliance of IoT devices with their privacy policy agreement. In: 2018 IEEE 6th International Conference on Future Internet of Things and Cloud (FiCloud), pp. 100–107. IEEE (2018)

    Google Scholar 

  41. Subahi, A., Theodorakopoulos, G.: Detecting IoT user behavior and sensitive information in encrypted IoT-app traffic. Sensors 19(21), 4777 (2019)

    Article  Google Scholar 

  42. Tesfay, W.B., Hofmann, P., Nakamura, T., Kiyomoto, S., Serna, J.: Privacyguide: towards an implementation of the EU GDPR on internet privacy policy evaluation. In: ACM Workshop on Security and Privacy Analytics, pp. 15–21 (2018)

    Google Scholar 

  43. Voigt, P., von dem Bussche, A.: The EU General Data Protection Regulation (GDPR). Springer, Cham (2017). https://doi.org/10.1007/978-3-319-57959-7

  44. Wang, H., Lai, T. T.-T., Roy Choudhury, R.: Mole: Motion leaks through smartwatch sensors. In: Proceedings of the 21st Annual International Conference on Mobile Computing and Networking, pp. 155–166 (2015)

    Google Scholar 

  45. Wang, S.I., Manning, C.D.: Baselines and bigrams: simple, good sentiment and topic classification. In: Proceedings of the 50th Annual Meeting of the Association for Computational Linguistics (Volume 2: Short Papers), pp. 90–94 (2012)

    Google Scholar 

  46. Wang, X., Qin, X., Hosseini, M.B., Slavin, R., Breaux, T.D., Niu, J.: Guileak: tracing privacy policy claims on user input data for android applications. In: Proceedings of the 40th International Conference on Software Engineering, pp. 37–47 (2018)

    Google Scholar 

  47. Wolf, T., et al.: Transformers: state-of-the-art natural language processing. In: Proceedings of the 2020 Conference on Empirical Methods in Natural Language Processing: System Demonstrations, pp. 38–45 (2020)

    Google Scholar 

  48. Yu, H., Hua, J., Julien, C.: Dataset: analysis of IFTTT recipes to study how humans use internet-of-things (IOT) devices. arXiv preprint arXiv:2110.00068 (2021)

  49. Yu, L., Luo, X., Liu, X., Zhang, T.: Can we trust the privacy policies of android apps? In: 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), pp. 538–549. IEEE (2016)

    Google Scholar 

  50. Yu, L., Zhang, T., Luo, X., Xue, L., Chang, H.: Toward automatically generating privacy policy for android apps. IEEE Trans. Inf. Forens. Secur. 12(4), 865–880 (2016)

    Article  Google Scholar 

  51. Zimmeck, S., et al.: Maps: scaling privacy compliance analysis to a million apps. Proc. Priv. Enhancing Tech. 2019, 66 (2019)

    Google Scholar 

  52. Zimmeck, S., et al.: Automated analysis of privacy requirements for mobile apps. In: AAAI Fall Symposium (2016)

    Google Scholar 

Download references

Acknowledgements

The authors were sponsored in part by NSF IIS-2014552, DGE-1565570, DGE-1922649, and the Ripple University Blockchain Research Initiative. The authors would like to thank the anonymous reviewers for their valuable comments and suggestions.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Bo Luo .

Editor information

Editors and Affiliations

A A Ontologies

A A Ontologies

We have 121 entity ontology pairs, 52 data ontology pairs, and 7,592 synonyms in the IoT-specific ontology. Table 8 shows parts of the data and entity ontologies.

Table 8. Examples from the Data and Entity Ontologies.

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ahmad, J., Li, F., Luo, B. (2022). IoTPrivComp: A Measurement Study of Privacy Compliance in IoT Apps. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_29

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-17146-8_29

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17145-1

  • Online ISBN: 978-3-031-17146-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics