Corpus ID: 5893105

GUILeak: Identifying Privacy Practices on GUI-Based Data

Xiaoyin Wang, Xue Qin, Mitra Bokaei Hosseini, Rocky Slavin, Travis D. Breaux, Jianwei Niu

As the most popular mobile platform, Android devices have millions of users around the world. As these devices are used every day and collect various data from users, effective privacy protection has been a well-known challenge in the Android world. Existing privacy-protection approaches focus on information accessed through Android API methods, such as location and device ID, while existing security-enhancement approaches are not fine-grained enough to map user input data to concepts in privacy…


MAPS: Scaling Privacy Compliance Analysis to a Million Apps
The Mobile App Privacy System (MAPS) is introduced for conducting an extensive privacy census of Android apps; a pipeline for retrieving and analyzing large app populations based on code analysis and machine learning techniques is designed.
PrivacyFlash Pro: Automating Privacy Policy Generation for Mobile Apps
It is shown that policies generated with popular policy generators are often not reflective of apps' privacy practices, and it is argued that policy generation can be improved by supplementing the questionnaire-based approach with code analysis.
Utilizing Sentence Embedding for Dangerous Permissions Detection in Android Apps' Privacy Policies
The strengths and limitations of sentence embeddings for detecting dangerous permissions in Android apps' privacy policies are investigated, to help regulators interested in deploying sentence embedding models to check privacy policies' compliance with government regulations and to identify points of inconsistency or violation.
Standardizing and Implementing Do Not Sell
Based on OptMeowt, the proof-of-concept Do Not Sell browser extension, experiments are conducted on the design, implementation, and current state of Do Not Sell.
Disambiguating Requirements Through Syntax-Driven Semantic Analysis of Information Types
A syntax-driven method to infer semantic relations from a given information type is proposed: it employs a shallow typology to categorize the individual words in an information type, which are then used to discharge production rules in a context-free grammar.
Requirements Engineering: Foundation for Software Quality: 26th International Working Conference, REFSQ 2020, Pisa, Italy, March 24–27, 2020, Proceedings
This research compares the impact of negations and quantifiers on the readability of requirements in terms of reading effort, reading error rate, and perceived reading difficulty.


SUPOR: Precise and Scalable Sensitive User Input Detection for Android Apps
This paper designs and implements SUPOR, a novel static analysis tool that automatically examines UIs to identify sensitive user inputs containing critical user data, such as user credentials, finance, and medical data, and builds a system that detects privacy disclosures of sensitive user inputs by combining SUPOR with off-the-shelf static taint analysis.
Toward a Framework for Detecting Privacy Policy Violations in Android Application Code
This work proposes a semi-automated framework consisting of a policy terminology–API method map, which links policy phrases to API methods that produce sensitive information, and information flow analysis to detect misalignments.
UIPicker: User-Input Privacy Identification in Mobile Applications
UIPicker, an adaptable framework for automatic identification of sensitive user inputs, is designed to detect semantic information within application layout resources and program code, and to further analyze it for the locations where security-critical information may show up; it can support a variety of existing security analyses on mobile apps.
A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks
SUSI, a novel machine-learning guided approach for identifying sources and sinks directly from the code of any Android API, is proposed; SUSI is shown to reliably classify sources and sinks even in new, previously unseen Android versions and components such as Google Glass or the Chromecast API.
AsDroid: detecting stealthy behaviors in Android applications by user interface and program behavior contradiction
This paper uses static program analysis to attribute a top-level function, usually a user interaction function, to the behavior it performs, and analyzes the text extracted from the user interface component associated with that top-level function to detect stealthy behavior.
FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps
FlowDroid is presented, a novel and highly precise static taint analysis for Android applications that successfully finds leaks in a subset of 500 apps from Google Play and about 1,000 malware apps from the VirusShare project.
Static Reference Analysis for GUI Objects in Android Software
The first static analysis to model GUI-related Android objects, their flow through the application, and their interactions with each other via the abstractions defined by the Android platform is proposed; it enables static modeling of control/data flow that is foundational for compiler analyses, instrumentation for event/interaction profiling, static error checking, security analysis, test generation, and automated debugging.
Detecting sensitive data disclosure via bi-directional text correlation analysis
BidText is a novel static technique to detect sensitive data disclosures, evaluated on 10,000 Android apps; it features a novel bi-directional propagation technique that propagates variable label sets through forward and backward data flow.
Towards an information type lexicon for privacy policies
  • Jaspreet Bhatia, T. Breaux
  • Computer Science
  • 2015 IEEE Eighth International Workshop on Requirements Engineering and Law (RELAW)
  • 2015
An information type lexicon is constructed from manual human annotations and an entity extractor based on part-of-speech tagging; the lexicon has a 31-78% chance of containing a word from any previously seen policy.
Scaling requirements extraction to the crowd: Experiments with privacy policies
  • T. Breaux, F. Schaub
  • Computer Science
  • 2014 IEEE 22nd International Requirements Engineering Conference (RE)
  • 2014
This work conducted three experiments to evaluate crowdsourcing a manual requirements extraction task to a larger number of untrained workers, and presents results from two pilot studies and a third experiment to justify applying a task decomposition approach to requirements extraction.