PrivacyCAT: Privacy-Aware Code Analysis at Scale

Static and dynamic code analyses have been widely adopted in industry to enhance software reliability, security, and performance by automatically detecting bugs in the code. In this paper, we introduce PRIVACYCAT(1), a code analysis system developed and deployed at WhatsApp to protect user privacy. PRIVACYCAT automatically detects privacy defects in code at early stages (before reaching production and affecting users), and therefore, it prevents such vulnerabilities from evolving into privacy incidents. PRIVACYCAT comprises of a collection of static and dynamic taint analysers. We report on the technical development of PRIVACYCAT and the results of two years of its large-scale industrial deployment at WhatsApp. We present our experience in designing its system architecture, and continuous integration process. We discuss the unique challenges encountered in developing and deploying such kind of analyses within an industrial context. Since its deployment in 2021, PRIVACYCAT has safeguarded data privacy in 74% of privacy site events (SEVs). It has prevented 493 potential privacy SEVs from being introduced into the codebases, enabling developers to maintain a high privacy standard for the code that supports over two billion WhatsApp users.