Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Visualizing Privacy-Relevant Data Flows in Android Applications

Mugdha Khedkar, Michael Schlichtig, Santhosh Mohan, Eric Bodden

TL;DR

This work tackles the challenge of GDPR/CRA-driven data protection in Android apps by introducing SliceViz, a web tool that statically slices apps to expose privacy-relevant data sources and visualizes the resulting program slices in Jimple and Java. The approach combines a Visualizer with a Slicing Engine, leveraging an annotated identifier dataset and privacy-relevant libraries to label data sources and produce forward slices that reveal data flows through the code. An empirical evaluation—including a user study with 12 participants and a broader test on 36 apps—shows that SliceViz helps developers identify privacy-relevant properties, with the Java view offering clearer, more usable representations than the Jimple view, though large graphs pose cognitive load. The results support the feasibility of using program slicing for privacy analysis in Android, while suggesting further usability and scalability enhancements to better support DPIAs and GDPR compliance in real-world development workflows.

Abstract

Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since in 2018 the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to integrate privacy-aware practices into source code development. Despite these legal obligations, developers have limited tool support to reason about data protection throughout their app development process. This paper explores the use of static program slicing and software visualization to analyze privacy-relevant data flows in Android apps. We introduce SliceViz, a web tool that analyzes an Android app by slicing all privacy-relevant data sources detected in the source code on the back-end. It then helps developers by visualizing these privacy-relevant program slices. We conducted a user study with 12 participants demonstrating that SliceViz effectively aids developers in identifying privacy-relevant properties in Android apps. Our findings indicate that program slicing can be employed to identify and reason about privacy-relevant data flows in Android applications. With further usability improvements, developers can be better equipped to handle privacy-sensitive information.

Visualizing Privacy-Relevant Data Flows in Android Applications

TL;DR

This work tackles the challenge of GDPR/CRA-driven data protection in Android apps by introducing SliceViz, a web tool that statically slices apps to expose privacy-relevant data sources and visualizes the resulting program slices in Jimple and Java. The approach combines a Visualizer with a Slicing Engine, leveraging an annotated identifier dataset and privacy-relevant libraries to label data sources and produce forward slices that reveal data flows through the code. An empirical evaluation—including a user study with 12 participants and a broader test on 36 apps—shows that SliceViz helps developers identify privacy-relevant properties, with the Java view offering clearer, more usable representations than the Jimple view, though large graphs pose cognitive load. The results support the feasibility of using program slicing for privacy analysis in Android, while suggesting further usability and scalability enhancements to better support DPIAs and GDPR compliance in real-world development workflows.

Abstract

Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since in 2018 the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to integrate privacy-aware practices into source code development. Despite these legal obligations, developers have limited tool support to reason about data protection throughout their app development process. This paper explores the use of static program slicing and software visualization to analyze privacy-relevant data flows in Android apps. We introduce SliceViz, a web tool that analyzes an Android app by slicing all privacy-relevant data sources detected in the source code on the back-end. It then helps developers by visualizing these privacy-relevant program slices. We conducted a user study with 12 participants demonstrating that SliceViz effectively aids developers in identifying privacy-relevant properties in Android apps. Our findings indicate that program slicing can be employed to identify and reason about privacy-relevant data flows in Android applications. With further usability improvements, developers can be better equipped to handle privacy-sensitive information.

Paper Structure

This paper contains 18 sections, 8 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Problem Statement
  3. Motivating Example
  4. Research Problem
  5. Research Question
  6. Related Work
  7. Approach
  8. Visualizer
  9. Slicing Engine
  10. Implementation
  11. Visualizer
  12. Slicing Engine
  13. Correctness Check
  14. Evaluation
  15. Experimental Setup
  16. ...and 3 more sections

Figures (8)

  • Figure 1: Overview of our approach and its components.
  • Figure 2: Workflow of SliceViz.
  • Figure 3: SliceViz interactive dashboard for Roidsec taintbench.
  • Figure 4: SliceViz customization options for users.
  • Figure 5: Visualized Jimple slice in Roidsec taintbench, blue edge: data edge, green edge: control and data edge.
  • ...and 3 more figures