Abstract
As Android’s permission-based system cannot fulfill the requirements of personal data protection, several countries around the world are requesting application developers to provide privacy policies for their applications. To address the issue, this study proposes a framework to Manage Privacy Policies of Android Applications (MaPPA). MaPPA provides a standard format for application providers to present privacy policies in a machine-processable format and to embed the policies into applications. Application verifiers or marketplace providers can then verify whether an application complies with its embedded privacy policies and envelop verification reports in the application. Users can therefore extract privacy policies and verification reports from applications directly. Compared to providing URL links to privacy policies in marketplaces, the proposed framework can reduce the cost for application developers of maintaining additional servers to provide privacy policies. Moreover, application users can obtain verification reports in an application to confirm the consistency between privacy policies and application behavior. In light of this, the study can hopefully solve current problems of privacy policy notification for Android applications.
Notes
- 4. Note that if applications need to support over-the-air (OTA) updates, the whole APK file needs to be signed by OTA servers assigned by smartphone vendors [7]. This study does not address the OTA update scenario because normal applications do not need to support OTA updates.
References
Agrawal, R., Bird, P., Grandison, T., Kiernan, J., Logan, S., Rjaibi, W.: Extending relational database systems to automatically enforce privacy policies. In: 21st International Conference on Data Engineering 2005 (ICDE 2005), Proceedings, pp. 1013–1022, April 2005
Alhamed, M., Amiri, K., Omari, M., Le, W.: Comparing privacy control methods for smartphone platforms. In: 2013 1st International Workshop on the Engineering of Mobile-Enabled Systems (MOBS), pp. 36–41, May 2013
Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. SIGPLAN Not. 49(6), 259–269 (2014)
Bal, G.: Explicitness of consequence information in privacy warnings: experimentally investigating the effects on perceived risk, trust, and privacy information quality. In: Myers, M.D., Straub, D.W., (eds.) ICIS. Association for Information Systems (2014)
Balebako, R., Schaub, F., Adjerid, I., Acquisti, A., Cranor, L.: The impact of timing on the salience of smartphone app privacy notices. In: Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2015), New York, NY, USA, pp. 63–74. ACM (2015)
Cha, S.-C., Huang, K.J., Chang, H.M.: An efficient and flexible way to protect privacy in RFID environment with licenses. In: 2008 IEEE International Conference on RFID, pp. 35–42, April 2008
Elenkov, N.: Android Security Internals: An In-Depth Guide to Android’s Security Architecture. No Starch Press, San Francisco (2014)
Enck, W., Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for real time privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (OSDI 2010), Berkeley, pp. 393–407. USENIX Association (2010)
European Commission Article 29 Data Protection Working Party. Opinion 02/2013 on apps on smart devices. 00461/13/EN, Wp. 202 (2013)
Felt, A.P., Greenwood, K., Wagner, D.: The effectiveness of application permissions. In: Proceedings of the 2nd USENIX Conference on Web Application Development (WebApps 2011), Berkeley, CA, USA, p. 7. USENIX Association (2011)
Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS 2012), New York, NY, USA, pp. 3:1–3:14. ACM (2012)
Gates, C.S., Chen, J., Li, N., Proctor, R.W.: Effective risk communication for android apps. IEEE Trans. Dependable Secure Comput. 11(3), 252–265 (2014)
Gates, C.S., Li, N., Peng, H., Sarma, B., Qi, Y., Potharaju, R., Nita-Rotaru, C., Molloy, I.: Generating summary risk scores for mobile applications. IEEE Trans. Dependable Secure Comput. 11(3), 238–251 (2014)
Hao, S., Liu, B., Nath, S., Halfond, W.G.J., Govindan, R.: PUMA: programmable UI-automation for large-scale dynamic analysis of mobile apps. In: Proceedings of the 12th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys 2014), New York, NY, USA, pp. 204–217. ACM (2014)
Harris, K.D.: Privacy on the go, recommendations for the mobile ecosystem. California Dept. of Justice Recommendations (2013)
IDC Research, Inc. Smartphone os market share, 2015 q2. IDC Research Report (2013). http://www.idc.com/prodserv/smartphone-os-market-share.jsp. Accessed 24 June 2016
Jing, Y., Ahn, G.-J., Zhao, Z., Hu, H.: RiskMon: continuous and automated risk assessment of mobile applications. In: Proceedings of the 4th ACM Conference on Data and Application Security and Privacy (CODASPY 2014), New York, NY, USA, pp. 99–110. ACM (2014)
Kelley, P.G., Consolvo, S., Cranor, L.F., Jung, J., Sadeh, N., Wetherall, D.: A conundrum of permissions: installing applications on an android smartphone. In: Blyth, J., Dietrich, S., Camp, L.J. (eds.) FC 2012. LNCS, vol. 7398, pp. 68–79. Springer, Heidelberg (2012)
Kong, D., Cen, L., Jin, H.: AUTOREB: automatically understanding the review-to-behavior fidelity in android applications. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS 2015), New York, NY, USA, pp. 530–541. ACM (2015)
Lake, I.: Building better apps with runtime permissions. Android Developers Blog (2015). http://android-developers.blogspot.tw/2015/08/building-better-apps-with-runtime.html. Accessed 24 June 2016
Liccardi, I., Pato, J., Weitzner, D.J.: Improving mobile app selection through transparency and better permission analysis. J. Priv. Confidentiality 5(2), 1–55 (2013)
Lin, B., Chen, Y., Chen, X., Yu, Y.: Comparison between JSON and XML in applications based on AJAX. In: Proceedings of the 2012 International Conference on Computer Science and Service System (CSSS 2012), Washington, DC, USA, pp. 1174–1177. IEEE Computer Society (2012)
Lin, J., Amini, S., Hong, J.I., Sadeh, N., Lindqvist, J., Zhang, J.: Expectation and purpose: understanding users’ mental models of mobile app privacy through crowdsourcing. In: Proceedings of the 2012 ACM Conference on Ubiquitous Computing (UbiComp 2012), New York, NY, USA, pp. 501–510. ACM (2012)
Egelman, S., Cranor, L., Dobbs, B., Hogben, G., Humphrey, J., Langheinrich, M., Marchiori, M., Presler-Marshall, M., Reagle, J., Schunter, M., Stampley, D.A., Wenning, R.: The platform for privacy preferences 1.1 (P3P1.1) specification. In: W3C Specification (2006). https://www.w3.org/TR/P3P11/. Accessed 24 June 2016
Mobile Marketing Association Privacy and Advocacy Committee. Mobile application privacy policy framework. MMA White Paper (2011). http://www.mmaglobal.com/news/mobile-marketing-association-releases-final-privacy-policy-guidelines-mobile-apps. Accessed 24 June 2016
Office of the Privacy Commissioner of Canada, IPC of Alberta external, and IPC for British Columbia. Seizing opportunity: good privacy practices for developing mobile apps. OPC Guidance Documents (2012). https://www.priv.gc.ca/information/pub/gd_app_201210_e.asp
Olurin, M., Adams, C., Logrippo, L.: Platform for privacy preferences (P3P): current status and future directions. In: 2012 Tenth Annual International Conference on Privacy, Security and Trust (PST), pp. 217–220, July 2012
Payment Card Industry (PCI) Security Standards Council, LLC. Template for report on compliance for use with PCI DSS v3.1, PCI reporting templates (2015). https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_1_ROC_Reporting_Template.pdf
Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of android malware. In: Proceedings of the Seventh European Workshop on System Security (EuroSec 2014), New York, NY, USA, pp. 5:1–5:6. ACM (2014)
Rastogi, V., Chen, Y., Enck, W.: Apps playground: automatic security analysis of smart phone applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy (CODASPY 2013), New York, NY, USA, pp. 209–220. ACM (2013)
Reed, B.: IDC: smartphone shipments to top feature phone shipments for first time ever in 2013. Yahoo! News (2013). http://news.yahoo.com/idc-smartphone-shipments-top-feature-phone-shipments-first-020026360.html. Accessed 24 June 2016
Said, A.A., Hussin, A.R.C., Dahlan, H.M., Pour, M.M.H.: Privacy policy preference (P3P) in e-commerce: key for improvement. In: 2012 International Conference on Information Retrieval Knowledge Management (CAMP), pp. 177–181, March 2012
Shen, F., Vishnubhotla, N., Todarka, C., Arora, M., Dhandapani, B., Lehner, E.J., Ko, S.Y., Ziarek, L.: Information flows as a permission mechanism. In: Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering (ASE 2014), New York, NY, USA, pp. 515–526. ACM (2014)
Terms feed. Sample privacy policy template. Online document (2014). https://termsfeed.com/blog/sample-privacy-policy-template/. Accessed 24 June 2016
Tian, Y., Liu, B., Dai, W., Ur, B., Tague, P., Cranor, L.F.: Supporting privacy-conscious app update decisions with user reviews. In: Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2015), New York, NY, USA, pp. 51–61. ACM (2015)
Tomuro, N., Lytinen, S., Hornsburg, K.: Automatic summarization of privacy policies using ensemble learning. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy (CODASPY 2016), New York, NY, USA, pp. 133–135. ACM (2016)
US NTIA. Short form notice code of conduct to promote transparency in mobile app practices (2013). https://www.ntia.doc.gov/files/ntia/publications/july_25_code_draft.pdf. Accessed 29 Mar 2016
US State of California Department of Justice. Attorney general Kamala D. Harris notifies mobile app developers of non-compliance with california privacy law. US California Dept of Justice Press News (2012). https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance. Accessed 24 June 2016
Vidas, T., Christin, N.: Evading android runtime analysis via sandbox detection. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIA CCS 2014), New York, NY, USA, pp. 447–458. ACM (2014)
Vidas, T., Tan, J., Nahata, J., Tan, C.L., Christin, N., Tague, P.: A5: automated analysis of adversarial android applications. In: Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2014), New York, NY, USA, pp. 39–50. ACM (2014)
Xu, Z., Zhu, S.: Semadroid: a privacy-aware sensor management framework for smartphones. In: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy (CODASPY 2015), New York, NY, USA, pp. 61–72. ACM (2015)
Yan, L.K., Yin, H.: Droidscope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic android malware analysis. In: Proceedings of the 21st USENIX Conference on Security Symposium (Security 2012), Berkeley, CA, USA, p. 29. USENIX Association (2012)
Yang, Z., Yang, M., Zhang, Y., Gu, G., Ning, P., Wang, X.S.: AppIntent: analyzing sensitive data transmission in android for privacy leakage detection. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS 2013), New York, NY, USA, pp. 1043–1054. ACM (2013)
Zhang, Y., Yang, M., Xu, B., Yang, Z., Gu, G., Ning, P., Wang, X.S., Zang, B.: Vetting undesirable behaviors in android apps with permission use analysis. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS 2013), pp. 611–622. ACM (2013)
Acknowledgement
This work was supported in part by the Taiwan Ministry of Science and Technology under grant 103-2221-E-011-092-MY2.
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Cha, SC., Shiung, CM., Liu, TC., Syu, SC., Chien, LD., Tsai, TY. (2016). A Framework for Major Stakeholders in Android Application Industry to Manage Privacy Policies of Android Applications. In: Schiffner, S., Serna, J., Ikonomou, D., Rannenberg, K. (eds) Privacy Technologies and Policy. APF 2016. Lecture Notes in Computer Science, vol 9857. Springer, Cham. https://doi.org/10.1007/978-3-319-44760-5_10
DOI: https://doi.org/10.1007/978-3-319-44760-5_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-44759-9
Online ISBN: 978-3-319-44760-5
eBook Packages: Computer Science, Computer Science (R0)