Table of Contents
Fetching ...

mopri - An Analysis Framework for Unveiling Privacy Violations in Mobile Apps

Cornell Ziepel, Stephan Escher, Sebastian Rehms, Stefan Köpsell

TL;DR

Mopri addresses the challenge of auditing privacy compliance in mobile apps by delivering a modular framework that integrates static and dynamic analyses into an automated pipeline. The approach combines static extraction of permissions and libraries with dynamic traffic capture, decryption, and payload enrichment, anchored by a configurable analysis pipeline and a web-based UI. The contributions include the mopri architecture, a prototype for Android apps, automated installation/configuration, modular tooling, and enriched, interactive reports bridging policy and observed behavior. The work enables end users and authorities to assess data processing practices and supports ongoing adaptation to evolving privacy challenges in the mobile app ecosystem.

Abstract

Everyday services of society increasingly rely on mobile applications, resulting in a conflicting situation between the possibility of participation on the one side and user privacy and digital freedom on the other. In order to protect users' rights to informational self-determination, regulatory approaches for the collection and processing of personal data have been developed, such as the EU's GDPR. However, inspecting the compliance of mobile apps with privacy regulations remains difficult. Thus, in order to enable end users and enforcement bodies to verify and enforce data protection compliance, we propose mopri, a conceptual framework designed for analyzing the behavior of mobile apps through a comprehensive, adaptable, and user-centered approach. Recognizing the gaps in existing frameworks, mopri serves as a foundation for integrating various analysis tools into a streamlined, modular pipeline that employs static and dynamic analysis methods. Building on this concept, a prototype has been developed which effectively extracts permissions and tracking libraries while employing robust methods for dynamic traffic recording and decryption. Additionally, it incorporates result enrichment and reporting features that enhance the clarity and usability of the analysis outcomes. The prototype showcases the feasibility of a holistic and modular approach to privacy analysis, emphasizing the importance of continuous adaptation to the evolving challenges presented by the mobile app ecosystem.

mopri - An Analysis Framework for Unveiling Privacy Violations in Mobile Apps

TL;DR

Mopri addresses the challenge of auditing privacy compliance in mobile apps by delivering a modular framework that integrates static and dynamic analyses into an automated pipeline. The approach combines static extraction of permissions and libraries with dynamic traffic capture, decryption, and payload enrichment, anchored by a configurable analysis pipeline and a web-based UI. The contributions include the mopri architecture, a prototype for Android apps, automated installation/configuration, modular tooling, and enriched, interactive reports bridging policy and observed behavior. The work enables end users and authorities to assess data processing practices and supports ongoing adaptation to evolving privacy challenges in the mobile app ecosystem.

Abstract

Everyday services of society increasingly rely on mobile applications, resulting in a conflicting situation between the possibility of participation on the one side and user privacy and digital freedom on the other. In order to protect users' rights to informational self-determination, regulatory approaches for the collection and processing of personal data have been developed, such as the EU's GDPR. However, inspecting the compliance of mobile apps with privacy regulations remains difficult. Thus, in order to enable end users and enforcement bodies to verify and enforce data protection compliance, we propose mopri, a conceptual framework designed for analyzing the behavior of mobile apps through a comprehensive, adaptable, and user-centered approach. Recognizing the gaps in existing frameworks, mopri serves as a foundation for integrating various analysis tools into a streamlined, modular pipeline that employs static and dynamic analysis methods. Building on this concept, a prototype has been developed which effectively extracts permissions and tracking libraries while employing robust methods for dynamic traffic recording and decryption. Additionally, it incorporates result enrichment and reporting features that enhance the clarity and usability of the analysis outcomes. The prototype showcases the feasibility of a holistic and modular approach to privacy analysis, emphasizing the importance of continuous adaptation to the evolving challenges presented by the mobile app ecosystem.
Paper Structure (50 sections, 6 figures)

This paper contains 50 sections, 6 figures.

Figures (6)

  • Figure 1: Mitm Setup
  • Figure 2: Conceptual Design of mopri
  • Figure 3: Analysis Summary within the Setup Wizard
  • Figure 4: Aggregated Analysis Results
  • Figure 5: Network Requests
  • ...and 1 more figures