Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Toward an Android Static Analysis Approach for Data Protection

Mugdha Khedkar, Eric Bodden

TL;DR

Android apps collect user data and must comply with GDPR, but developers lack legal expertise and tooling to reason about data protection. The authors propose a static-analysis pipeline that identifies personal data sources, traces data flows, and analyzes data processing and pseudonymization along code paths, extending beyond traditional taint analysis with privacy-aware program slicing. The work contributes a workflow for input classification, privacy-based pseudonymization labeling, a data-manipulation analysis, and GDPR-oriented visualizations, demonstrated conceptually with a case study. The goal is to provide automated, interpretable evidence of data handling in Android apps to help developers and assessors verify GDPR compliance throughout the app lifecycle.

Abstract

Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process. This paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis.

Toward an Android Static Analysis Approach for Data Protection

TL;DR

Android apps collect user data and must comply with GDPR, but developers lack legal expertise and tooling to reason about data protection. The authors propose a static-analysis pipeline that identifies personal data sources, traces data flows, and analyzes data processing and pseudonymization along code paths, extending beyond traditional taint analysis with privacy-aware program slicing. The work contributes a workflow for input classification, privacy-based pseudonymization labeling, a data-manipulation analysis, and GDPR-oriented visualizations, demonstrated conceptually with a case study. The goal is to provide automated, interpretable evidence of data handling in Android apps to help developers and assessors verify GDPR compliance throughout the app lifecycle.

Abstract

Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process. This paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis.
Paper Structure (5 sections, 1 figure)

This paper contains 5 sections, 1 figure.

Table of Contents

  1. Introduction
  2. Workflow and Challenges
  3. Case Study
  4. Related Work
  5. Future Plans and Conclusion

Figures (1)

  • Figure 1: Workflow of the envisioned static analysis