A Framework for Major Stakeholders in Android Application Industry to Manage Privacy Policies of Android Applications

  • Conference paper
Privacy Technologies and Policy (APF 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9857)

Abstract

As Android’s permission-based system cannot fulfill the requirements of personal data protection, several countries around the world are requesting application developers to provide privacy policies for their applications. To address the issue, this study proposes a framework to Manage Privacy Policies of Android Applications (MaPPA). MaPPA provides a standard format for application providers to present privacy policies in machine-processable form and to embed the policies into applications. Application verifiers or marketplace providers can then verify whether an application complies with its embedded privacy policies and envelop verification reports in the application. Users can therefore extract privacy policies and verification reports directly from applications. Compared to providing URL links to privacy policies in marketplaces, the proposed framework can reduce the cost for application developers to maintain additional servers to provide privacy policies. Moreover, application users can obtain verification reports in an application to confirm the consistency between privacy policies and application behavior. In light of this, the study can hopefully solve current problems of privacy policy notification for Android applications.

Notes

  1. http://www.iubenda.com/en/mobile.

  2. https://termsfeed.com/privacy-policy/generator/.

  3. http://www.appprivacy.net/.

  4. Note that if applications need to support over-the-air (OTA) updates, the whole APK files need to be signed by OTA servers assigned by smartphone vendors [7]. This study does not address the OTA updates scenario because normal applications do not need to support OTA updates.

References

  1. Agrawal, R., Bird, P., Grandison, T., Kiernan, J., Logan, S., Rjaibi, W.: Extending relational database systems to automatically enforce privacy policies. In: 21st International Conference on Data Engineering 2005 (ICDE 2005), Proceedings, pp. 1013–1022, April 2005

  2. Alhamed, M., Amiri, K., Omari, M., Le, W.: Comparing privacy control methods for smartphone platforms. In: 2013 1st International Workshop on the Engineering of Mobile-Enabled Systems (MOBS), pp. 36–41, May 2013

  3. Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D., McDaniel, P.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. SIGPLAN Not. 49(6), 259–269 (2014)

  4. Bal, G.: Explicitness of consequence information in privacy warnings: experimentally investigating the effects on perceived risk, trust, and privacy information quality. In: Myers, M.D., Straub, D.W., (eds.) ICIS. Association for Information Systems (2014)

  5. Balebako, R., Schaub, F., Adjerid, I., Acquisti, A., Cranor, L.: The impact of timing on the salience of smartphone app privacy notices. In: Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2015), New York, NY, USA, pp. 63–74. ACM (2015)

  6. Cha, S.-C., Huang, K.J., Chang, H.M.: An efficient and flexible way to protect privacy in RFID environment with licenses. In: 2008 IEEE International Conference on RFID, pp. 35–42, April 2008

  7. Elenkov, N.: Android Security Internals: An In-Depth Guide to Android’s Security Architecture. No Starch Press, San Francisco (2014)

  8. Enck, W., Gilbert, P., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for real time privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (OSDI 2010), Berkeley, pp. 393–407. USENIX Association (2010)

  9. European Commission Article 29 Data Protection Working Party. Opinion 02/2013 on apps on smart devices. 00461/13/EN, Wp. 202 (2013)

  10. Felt, A.P., Greenwood, K., Wagner, D.: The effectiveness of application permissions. In: Proceedings of the 2nd USENIX Conference on Web Application Development (WebApps 2011), Berkeley, CA, USA, p. 7. USENIX Association (2011)

  11. Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS 2012), New York, NY, USA, pp. 3:1–3:14. ACM (2012)

  12. Gates, C.S., Chen, J., Li, N., Proctor, R.W.: Effective risk communication for android apps. IEEE Trans. Dependable Secure Comput. 11(3), 252–265 (2014)

  13. Gates, C.S., Li, N., Peng, H., Sarma, B., Qi, Y., Potharaju, R., Nita-Rotaru, C., Molloy, I.: Generating summary risk scores for mobile applications. IEEE Trans. Dependable Secure Comput. 11(3), 238–251 (2014)

  14. Hao, S., Liu, B., Nath, S., Halfond, W.G.J., Govindan, R.: PUMA: programmable UI-automation for large-scale dynamic analysis of mobile apps. In: Proceedings of the 12th Annual International Conference on Mobile Systems, Applications, and Services (MobiSys 2014), New York, NY, USA, pp. 204–217. ACM (2014)

  15. Harris, K.D.: Privacy on the go, recommendations for the mobile ecosystem. California Dept. of Justice Recommendations (2013)

  16. IDC Research, Inc. Smartphone os market share, 2015 q2. IDC Research Report (2013). http://www.idc.com/prodserv/smartphone-os-market-share.jsp. Accessed 24 June 2016

  17. Jing, Y., Ahn, G.-J., Zhao, Z., Hu, H.: RiskMon: continuous and automated risk assessment of mobile applications. In: Proceedings of the 4th ACM Conference on Data and Application Security and Privacy (CODASPY 2014), New York, NY, USA, pp. 99–110. ACM (2014)

  18. Kelley, P.G., Consolvo, S., Cranor, L.F., Jung, J., Sadeh, N., Wetherall, D.: A conundrum of permissions: installing applications on an android smartphone. In: Blyth, J., Dietrich, S., Camp, L.J. (eds.) FC 2012. LNCS, vol. 7398, pp. 68–79. Springer, Heidelberg (2012)

  19. Kong, D., Cen, L., Jin, H.: AUTOREB: automatically understanding the review-to-behavior fidelity in android applications. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS 2015), New York, NY, USA, pp. 530–541. ACM (2015)

  20. Lake, I.: Building better apps with runtime permissions. Android Developers Blog (2015). http://android-developers.blogspot.tw/2015/08/building-better-apps-with-runtime.html. Accessed 24 June 2016

  21. Liccardi, I., Pato, J., Weitzner, D.J.: Improving mobile app selection through transparency and better permission analysis. J. Priv. Confidentiality 5(2), 1–55 (2013)

  22. Lin, B., Chen, Y., Chen, X., Yu, Y.: Comparison between JSON and XML in applications based on AJAX. In: Proceedings of the 2012 International Conference on Computer Science and Service System (CSSS 2012), Washington, DC, USA, pp. 1174–1177. IEEE Computer Society (2012)

  23. Lin, J., Amini, S., Hong, J.I., Sadeh, N., Lindqvist, J., Zhang, J.: Expectation and purpose: understanding users’ mental models of mobile app privacy through crowdsourcing. In: Proceedings of the 2012 ACM Conference on Ubiquitous Computing (UbiComp 2012), New York, NY, USA, pp. 501–510. ACM (2012)

  24. Egelman, S., Cranor, L., Dobbs, B., Hogben, G., Humphrey, J., Langheinrich, M., Marchiori, M., Presler-Marshall, M., Reagle, J., Schunter, M., Stampley, D.A., Wenning, R.: The platform for privacy preferences 1.1 (P3P1.1) specification. In: W3C Specification (2006). https://www.w3.org/TR/P3P11/. Accessed 24 June 2016

  25. Mobile Marketing Association Privacy and Advocacy Committee. Mobile application privacy policy framework. MMA White Paper (2011). http://www.mmaglobal.com/news/mobile-marketing-association-releases-final-privacy-policy-guidelines-mobile-apps. Accessed 24 June 2016

  26. Office of the Privacy Commissioner of Canada, IPC of Alberta external, and IPC for British Columbia. Seizing opportunity: good privacy practices for developing mobile apps. OPC Guidance Documents (2012). https://www.priv.gc.ca/information/pub/gd_app_201210_e.asp

  27. Olurin, M., Adams, C., Logrippo, L.: Platform for privacy preferences (P3P): current status and future directions. In: 2012 Tenth Annual International Conference on Privacy, Security and Trust (PST), pp. 217–220, July 2012

  28. Payment Card Industry (PCI) Security Standards Council, LLC. Template for report on compliance for use with PCI DSS v3.1, PCI reporting templates (2015). https://www.pcisecuritystandards.org/documents/PCI_DSS_v3_1_ROC_Reporting_Template.pdf

  29. Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of android malware. In: Proceedings of the Seventh European Workshop on System Security (EuroSec 2014), New York, NY, USA, pp. 5:1–5:6. ACM (2014)

  30. Rastogi, V., Chen, Y., Enck, W.: Apps playground: automatic security analysis of smart phone applications. In: Proceedings of the Third ACM Conference on Data and Application Security and Privacy (CODASPY 2013), New York, NY, USA, pp. 209–220. ACM (2013)

  31. Reed, B.: IDC: smartphone shipments to top feature phone shipments for first time ever in 2013. Yahoo! News (2013). http://news.yahoo.com/idc-smartphone-shipments-top-feature-phone-shipments-first-020026360.html. Accessed 24 June 2016

  32. Said, A.A., Hussin, A.R.C., Dahlan, H.M., Pour, M.M.H.: Privacy policy preference (P3P) in e-commerce: key for improvement. In: 2012 International Conference on Information Retrieval Knowledge Management (CAMP), pp. 177–181, March 2012

  33. Shen, F., Vishnubhotla, N., Todarka, C., Arora, M., Dhandapani, B., Lehner, E.J., Ko, S.Y., Ziarek, L.: Information flows as a permission mechanism. In: Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering (ASE 2014), New York, NY, USA, pp. 515–526. ACM (2014)

  34. Terms feed. Sample privacy policy template. Online document (2014). https://termsfeed.com/blog/sample-privacy-policy-template/. Accessed 24 June 2016

  35. Tian, Y., Liu, B., Dai, W., Ur, B., Tague, P., Cranor, L.F.: Supporting privacy-conscious app update decisions with user reviews. In: Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2015), New York, NY, USA, pp. 51–61. ACM (2015)

  36. Tomuro, N., Lytinen, S., Hornsburg, K.: Automatic summarization of privacy policies using ensemble learning. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy (CODASPY 2016), New York, NY, USA, pp. 133–135. ACM (2016)

  37. US NTIA. Short form notice code of conduct to promote transparency in mobile app practices (2013). https://www.ntia.doc.gov/files/ntia/publications/july_25_code_draft.pdf. Accessed 29 Mar 2016

  38. US State of California Department of Justice. Attorney general Kamala D. Harris notifies mobile app developers of non-compliance with california privacy law. US California Dept of Justice Press News (2012). https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance. Accessed 24 June 2016

  39. Vidas, T., Christin, N.: Evading android runtime analysis via sandbox detection. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security (ASIA CCS 2014), New York, NY, USA, pp. 447–458. ACM (2014)

  40. Vidas, T., Tan, J., Nahata, J., Tan, C.L., Christin, N., Tague, P.: A5: automated analysis of adversarial android applications. In: Proceedings of the 4th ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM 2014), New York, NY, USA, pp. 39–50. ACM (2014)

  41. Xu, Z., Zhu, S.: Semadroid: a privacy-aware sensor management framework for smartphones. In: Proceedings of the 5th ACM Conference on Data and Application Security and Privacy (CODASPY 2015), New York, NY, USA, pp. 61–72. ACM (2015)

  42. Yan, L.K., Yin, H.: Droidscope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic android malware analysis. In: Proceedings of the 21st USENIX Conference on Security Symposium (Security 2012), Berkeley, CA, USA, p. 29. USENIX Association (2012)

  43. Yang, Z., Yang, M., Zhang, Y., Gu, G., Ning, P., Wang, X.S.: AppIntent: analyzing sensitive data transmission in android for privacy leakage detection. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS 2013), New York, NY, USA, pp. 1043–1054. ACM (2013)

  44. Zhang, Y., Yang, M., Xu, B., Yang, Z., Gu, G., Ning, P., Wang, X.S., Zang, B.: Vetting undesirable behaviors in android apps with permission use analysis. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS 2013), pp. 611–622. ACM (2013)

Acknowledgement

This work was supported in part by the Taiwan Ministry of Science and Technology under grant 103-2221-E-011-092-MY2.

Corresponding author

Correspondence to Shi-Cho Cha.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Cha, SC., Shiung, CM., Liu, TC., Syu, SC., Chien, LD., Tsai, TY. (2016). A Framework for Major Stakeholders in Android Application Industry to Manage Privacy Policies of Android Applications. In: Schiffner, S., Serna, J., Ikonomou, D., Rannenberg, K. (eds) Privacy Technologies and Policy. APF 2016. Lecture Notes in Computer Science, vol 9857. Springer, Cham. https://doi.org/10.1007/978-3-319-44760-5_10

  • DOI: https://doi.org/10.1007/978-3-319-44760-5_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-44759-9

  • Online ISBN: 978-3-319-44760-5

  • eBook Packages: Computer Science, Computer Science (R0)
