An Empirical Evaluation of GDPR Compliance Violations in Android mHealth Apps

Cited by: 25
Authors
Fan, Ming [1 ]
Yu, Le [2 ]
Chen, Sen [3 ,4 ]
Zhou, Hao [2 ]
Luo, Xiapu [2 ]
Li, Shuyue [1 ]
Liu, Yang [4 ]
Liu, Jun [1 ]
Liu, Ting [1 ]
Affiliations
[1] Xi An Jiao Tong Univ, Sch Cyber Sci & Engn, MoE KLINNS, Xian, Peoples R China
[2] Hong Kong Polytech Univ, Dept Comp, Hong Kong, Peoples R China
[3] Tianjin Univ, Coll Intelligence & Comp, Tianjin, Peoples R China
[4] Nanyang Technol Univ, Sch Comp Sci & Engn, Singapore, Singapore
Funding
China Postdoctoral Science Foundation; National Natural Science Foundation of China; National Key R&D Program of China;
Keywords
GDPR; Privacy policy; Data flow; GUI;
DOI
10.1109/ISSRE5003.2020.00032
CLC (Chinese Library Classification) number
TP31 [Computer software];
Discipline classification code
081202; 0835;
Abstract
The purpose of the General Data Protection Regulation (GDPR) is to provide improved privacy protection. If an app controls personal data from users, it needs to be compliant with GDPR. However, GDPR lists general rules rather than exact step-by-step guidelines on how to develop an app that fulfills the requirements. Therefore, GDPR compliance violations may exist in existing apps, which would pose severe privacy threats to app users. In this paper, we take mobile health applications (mHealth apps) as a peephole to examine the status quo of GDPR compliance in Android apps. We first propose an automated system, named HPDROID, to bridge the semantic gap between the general rules of GDPR and app implementations by identifying the data practices declared in the app's privacy policy and the data-relevant behaviors in the app code. Then, based on HPDROID, we detect three kinds of GDPR compliance violations: the incompleteness of the privacy policy, the inconsistency of data collection, and the insecurity of data transmission. We perform an empirical evaluation of 796 mHealth apps. The results reveal that 189 (23.7%) of them do not provide complete privacy policies. Moreover, 59 apps collect sensitive data through different channels, and 46 (77.9%) of them contain at least one collection behavior that is inconsistent with their privacy policy. Even worse, among the 59 apps, only 8 try to ensure the transmission security of the collected data, and all 8 contain at least one encryption or SSL misuse. Our work exposes severe privacy issues to raise the awareness of privacy protection among app users and developers.
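To make the second and third violation classes concrete, the following is an added illustration written for this page; it is not HPDROID or any code from the paper. It assumes a keyword lexicon in place of the paper's policy-text analysis, a hand-built table from a few real Android sensitive APIs to data categories in place of its code analysis, and regex signatures over decompiled Java for common SSL and crypto misuses. The policy text, API call list and Java fragment are constructed sample inputs.

```python
"""Illustrative checks (an added example, not HPDROID or any code from the
paper) for two of the three violation classes named in the abstract:
(1) sensitive data collected in code but not declared in the privacy policy,
(2) encryption / SSL misuse in the code that transmits that data.
The lexicon, API table, regexes and sample inputs are all constructed
assumptions standing in for the paper's policy analysis and code analysis."""
import re

# Policy phrase -> data category.  Assumption: a keyword lexicon stands in
# for the NLP the paper applies to privacy-policy text.
POLICY_LEXICON = {
    "location": ["location", "gps", "geolocation"],
    "contacts": ["contacts", "address book"],
    "device_id": ["device identifier", "imei", "android id", "advertising id"],
    "health": ["heart rate", "blood pressure", "step count", "health data"],
}

# Android API prefix -> data category (a constructed subset of real APIs).
API_TO_CATEGORY = {
    "android.location.LocationManager.getLastKnownLocation": "location",
    "android.location.LocationManager.requestLocationUpdates": "location",
    "android.telephony.TelephonyManager.getDeviceId": "device_id",
    "android.provider.Settings$Secure.getString": "device_id",
    "android.content.ContentResolver.query(ContactsContract": "contacts",
    "android.hardware.SensorManager.getDefaultSensor(TYPE_HEART_RATE": "health",
}

# Syntactic misuse signatures over decompiled Java (constructed regexes).
MISUSE_PATTERNS = [
    ("trust-all TrustManager",
     re.compile(r"checkServerTrusted\s*\([^)]*\)\s*(?:throws[^{]*)?\{\s*\}")),
    ("hostname verifier accepts everything",
     re.compile(r"verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;")),
    ("ALLOW_ALL_HOSTNAME_VERIFIER", re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER")),
    ("ECB mode", re.compile(r'Cipher\.getInstance\(\s*"[A-Za-z0-9]+/ECB')),
    ("static IV", re.compile(r'new\s+IvParameterSpec\s*\(\s*"[^"]*"\s*\.getBytes')),
    ("cleartext HTTP endpoint", re.compile(r'"http://[^"]+"')),
]


def declared_data_types(policy_text):
    """Categories the policy says are collected (no negation handling)."""
    text = policy_text.lower()
    return {cat for cat, words in POLICY_LEXICON.items()
            if any(w in text for w in words)}


def collected_data_types(api_calls):
    """Categories reachable through the sensitive APIs the code invokes."""
    return {cat for call in api_calls
            for prefix, cat in API_TO_CATEGORY.items() if call.startswith(prefix)}


def inconsistent_collections(policy_text, api_calls):
    """Collected in code but never declared: the inconsistency violation."""
    return sorted(collected_data_types(api_calls) - declared_data_types(policy_text))


def ssl_crypto_misuses(java_source):
    """Names of misuse signatures found, in pattern order."""
    return [name for name, pat in MISUSE_PATTERNS if pat.search(java_source)]


# ---- constructed sample inputs --------------------------------------------
SAMPLE_POLICY = (
    "We collect your location to show nearby clinics and a device identifier "
    "for analytics. Health data such as heart rate stays on your phone."
)
SAMPLE_API_CALLS = [  # as a static-analysis pass might list them
    "android.location.LocationManager.getLastKnownLocation(String)",
    "android.telephony.TelephonyManager.getDeviceId()",
    "android.content.ContentResolver.query(ContactsContract.CommonDataKinds.Phone.CONTENT_URI, ...)",
    "android.hardware.SensorManager.getDefaultSensor(TYPE_HEART_RATE)",
]
SAMPLE_JAVA = """
TrustManager tm = new X509TrustManager() {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { }
};
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String host, SSLSession session) { return true; }
});
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
"""

if __name__ == "__main__":
    print("undeclared collections:", inconsistent_collections(SAMPLE_POLICY, SAMPLE_API_CALLS))
    print("transmission/crypto misuses:", ssl_crypto_misuses(SAMPLE_JAVA))
```

On the sample input the contacts query is the undeclared collection, and the empty `checkServerTrusted`, the always-true `verify` and the ECB cipher are the three misuses. Two caveats a practitioner should keep in mind: the keyword lexicon does not handle negation ("we do not collect your location" would count as a declaration), and regex over decompiled source misses reflective or obfuscated calls, which is why the paper works from data flows in the app rather than from surface patterns.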
Pages: 253-264 (12 pages)