Journal of Computer Applications, 2024, Vol. 44, Issue 3: 788-796. DOI: 10.11772/j.issn.1001-9081.2023030290
Special Issue: Cyberspace Security
Section: Cyber security
Baoshan YANG^1, Zhi YANG^1 (corresponding author), Xingyuan CHEN^1,2, Bing HAN^1, Xuehui DU^1
Received: 2023-03-20; Revised: 2023-06-05; Accepted: 2023-06-08; Online: 2023-09-14; Published: 2024-03-10
Contact: Zhi YANG
About author: YANG Baoshan, born 1998, male, from Zhumadian, Henan; M. S. candidate. His research interests include software security analysis.
Baoshan YANG, Zhi YANG, Xingyuan CHEN, Bing HAN, Xuehui DU. Analysis of consistency between sensitive behavior and privacy policy of Android applications[J]. Journal of Computer Applications, 2024, 44(3): 788-796.
URL: https://www.joca.cn/EN/10.11772/j.issn.1001-9081.2023030290
Tab. 1 Part-of-speech annotation of two declaration examples

Token (example 1) | POS tag | Token (example 2) | POS tag
---|---|---|---
我们 (we) | pronoun (r) | 我们 (we) | pronoun (r)
会 (will) | verb (v) | 会 (will) | verb (v)
收集 (collect) | verb (v) | 收集 (collect) | verb (v)
你 (your) | pronoun (r) | 你 (your) | pronoun (r)
的 (possessive particle) | particle (u) | 的 (possessive particle) | particle (u)
手机 (phone) | noun (n) | 精确 (precise) | adjective (a)
联系人 (contact) | noun (n) | 位置 (location) | noun (n)
信息 (information) | noun (n) | 信息 (information) | noun (n)
Tab. 2 Classification of sources and sinks

Sources | Sinks
---|---
LOCATION INFORMATION | PHONE CONNECTION
CALENDAR INFORMATION | NETWORK CONNECTION
NETWORK INFORMATION | LOG
CONTACT INFORMATION | FILE
ACCOUNT INFORMATION | INTENT
DATABASE INFORMATION |
PHONE INFORMATION |
FILE INFORMATION |
INTENT INFORMATION |
Tab. 3 Experimental results of different models

Model | Accuracy | Precision | Recall | F1 score
---|---|---|---|---
Original model | 92.31 | 90.91 | 86.96 | 88.89
Incremental model | 97.34 | 92.59 | 92.25 | 92.42
Tab. 4 Consistency analysis results

Consistency | Statement type | Proportion/%
---|---|---
Consistent | Clear statement | 0.5
Consistent | Vague statement: vague entity | 7.6
Consistent | Vague statement: vague data type | 40.5
Inconsistent | Omitted statement | 31.4
Inconsistent | Incorrect statement | 12.4
Inconsistent | Ambiguous statement | 7.6
Tab. 5 Comparison with existing approaches

Method | Supported language | Ontology semantic relations | Automated detection | Analysis purpose | Result categories
---|---|---|---|---|---
This paper | Chinese | Equivalence, subordination, approximation | Automated | Disclose nonstandard privacy policy statements | Consistent: clear statements, vague statements; inconsistent: omitted statements, ambiguous statements, incorrect statements
Ref. [ | English | — | Semi-automated | Disclose violations in privacy policy statements | No violation, strong violation, weak violation
Ref. [ | English | Approximation | Automated | Disclose inconsistencies between actual sensitive behavior of apps and privacy policy statements | Consistent, incomplete, incorrect, inconsistent statements
Ref. [ | English | Equivalence, inclusion, similarity | Automated | Disclose how prevalent inconsistency between actual sensitive behavior of apps and privacy policy statements is | Consistent, ambiguous, incorrect statements
Ref. [ | English | — | Automated | Disclose violations in privacy policy statements concerning third-party libraries | Consistent, omitted, incorrect statements
Ref. [ | English | — | Automated | Disclose change trends and evolution patterns of privacy policies | Consistent, inconsistent statements
Ref. [ | English | Approximation | Automated | Disclose whether the description of sensitive data collection in a privacy policy is overly broad | Risk level of privacy policy statements
References:
[1] LEI Y T. Strictly control the review process for APP launch [N/OL]. Economic Daily (2022-07-02) [2023-04-16].
[2] Information and Communication Administration. APP notification on infringement of user rights and interests (1st batch in 2023, 27th batch in total) [EB/OL]. [2023-02-28].
[3] SLAVIN R, WANG X, HOSSEINI M B, et al. Toward a framework for detecting privacy policy violations in Android application code [C]// Proceedings of the 2016 IEEE/ACM 38th International Conference on Software Engineering. New York: ACM, 2016: 25-36. DOI: 10.1145/2884781.2884855
[4] YU L, LUO X, LIU X, et al. Can we trust the privacy policies of Android apps? [C]// Proceedings of the 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks. Piscataway: IEEE, 2016: 538-549. DOI: 10.1109/dsn.2016.55
[5] CER D, DE MARNEFFE M-C, JURAFSKY D, et al. Parsing to Stanford dependencies: trade-offs between speed and accuracy [C/OL]// Proceedings of the 7th International Conference on Language Resources and Evaluation [2023-03-01].
[6] QU Z, RASTOGI V, ZHANG X, et al. AutoCog: measuring the description-to-permission fidelity in Android applications [C]// Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2014: 1354-1365. DOI: 10.1145/2660267.2660287
[7] WANG J Y, XU M K, WANG H Y, et al. Automated detection of consistence between App behavior and privacy policy of Android Apps [J]. Journal of Frontiers of Computer Science and Technology, 2019, 13(1): 56-69. DOI: 10.3778/j.issn.1673-9418.1710031
[8] MA Z, WANG H, GUO Y, et al. LibRadar: fast and accurate detection of third-party libraries in Android apps [C]// Proceedings of the 2016 IEEE/ACM 38th International Conference on Software Engineering Companion. New York: ACM, 2016: 653-656. DOI: 10.1145/2889160.2889178
[9] ZIMMECK S, WANG Z, ZOU L, et al. Automated analysis of privacy requirements for mobile apps [EB/OL]. [2022-11-08]. DOI: 10.14722/ndss.2017.23034
[10] DESNOS A. Androguard documentation: release 3.4.0 [EB/OL]. (2019-10-18) [2023-04-18].
[11] WANG X, QIN X, HOSSEINI M B, et al. GUILeak: tracing privacy policy claims on user input data for Android applications [C]// Proceedings of the 2018 IEEE/ACM 40th International Conference on Software Engineering. New York: ACM, 2018: 37-47. DOI: 10.1145/3180155.3180196
[12] ROUNTEV A, YAN D. Static reference analysis for GUI objects in Android software [C]// Proceedings of the 2014 Annual IEEE/ACM International Symposium on Code Generation and Optimization. New York: ACM, 2014: 143-153. DOI: 10.1145/2544137.2544159
[13] ARZT S, RASTHOFER S, FRITZ C, et al. FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps [J]. ACM SIGPLAN Notices, 2014, 49(6): 259-269. DOI: 10.1145/2666356.2594299
[14] BUI D, YAO Y, SHIN K G, et al. Consistency analysis of data-usage purposes in mobile apps [C]// Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2021: 2824-2843. DOI: 10.1145/3460120.3484536
[15] WANG Y, FAN M, LIU J, et al. Do as you say: consistency detection of data practice in program code and privacy policy in mini-app [EB/OL]. (2023-02-27) [2023-04-18].
[16] ZHAO K, ZHAN Z, YU L, et al. Demystifying privacy policy of third-party libraries in mobile apps [EB/OL]. (2023-01-29) [2023-04-16]. DOI: 10.1109/icse48619.2023.00137
[17] MARKOPOULOU A, TRIMANANDA R, CUI H. A CI-based auditing framework for data collection practices [EB/OL]. (2023-03-30) [2023-04-16].
[18] HASHMI S S, WAHEED N, TANGARI G, et al. Longitudinal compliance analysis of Android applications with privacy policies [C]// Proceedings of the 18th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services. Cham: Springer, 2022: 280-305. DOI: 10.1007/978-3-030-94822-1_16
[19] ZHOU L, WEI C, ZHU T, et al. POLICYCOMP: counterpart comparison of privacy policies uncovers overbroad personal data collection practices [EB/OL]. [2023-02-18].
[20] NGUYEN T T, BACKES M, STOCK B. Freely given consent? Studying consent notice of third-party tracking and its violations of GDPR in Android apps [C]// Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2022: 2369-2383. DOI: 10.1145/3548606.3560564
[21] JIAO Z, SUN S, SUN K. Chinese lexical analysis with deep Bi-GRU-CRF network [EB/OL]. (2018-07-05) [2023-03-20].
[22] REPS T, HORWITZ S, SAGIV M. Precise interprocedural dataflow analysis via graph reachability [C]// Proceedings of the 22nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages. New York: ACM, 1995: 49-61. DOI: 10.1145/199448.199462