The privacy of personal information has received significant attention in mobile software. Although previous researchers have designed methods to identify conflicts between app behavior and privacy policies, little is known about how regulatory requirements apply to third-party libraries (TPLs). Regulators have enacted multiple regulations governing the use of personal information by TPLs (e.g., the "California Consumer Privacy Act" requires businesses to clearly notify consumers whether or not they share consumers' data with third parties). However, analyzing the legality of TPLs remains challenging for three reasons: 1) TPLs are mainly published on public repositories instead of app markets (e.g., Google Play), and public repositories do not perform privacy compliance analysis for each TPL. 2) TPLs only provide independent functions or function sequences; they cannot run on their own, which limits the applicability of dynamic analysis. 3) Since not all functions of a TPL are related to user privacy, the TPL functions that access or process personal information must be located before privacy compliance analysis can be performed. To overcome these challenges, in this paper we propose an automated system named ATPChecker to analyze whether Android TPLs meet privacy-related regulations. Our findings remind developers to be mindful of TPL usage when developing apps or writing privacy policies, so as to avoid violating regulations.