Mini-apps are an emerging form of mobile application that combines web technology with native capabilities. Features such as no download and no installation have made them popular rapidly. However, privacy issues that violate laws or regulations are breeding in the swiftly expanding mini-app ecosystem. Consistency between what a mini-app does with data in its program code and what it declares in its privacy policy is important, but no prior work has systematically investigated the privacy problem of mini-apps. In this paper, to the best of our knowledge, we are the first to conduct compliance detection between data practice and policy description in mini-apps. We first customize a taint analysis method based on a data entity dependency network to suit the characteristics of the JavaScript language used in mini-apps. Then we transform data types and data operations into data practices in both program code and privacy policies, yielding a fine-grained consistency matching model. We crawl 100,000 mini-apps on the WeChat client in the wild and extract 2,998 that have a privacy policy. Among them, only 318 meet the consistency requirements and 2,680 are inconsistent; the proportion of inconsistencies is as high as 89.4%. Inconsistency in mini-apps is therefore very serious. Based on 6 real-world cases analyzed, and in order to reduce this potential data leakage risk, we suggest that developers reduce the collection of irrelevant information and the straightforward use of templates, and that the platform provide data flow detection tools and privacy policy writing support.
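The abstract describes three steps: a taint analysis over the mini-app's JavaScript that follows data from a collection API to a sink, a mapping of data types and operations to "data practices" on both the code side and the policy side, and a consistency match between the two sets. The following Python script is an added illustration of that pipeline, not the paper's tool or its model. It assumes a small hypothetical mapping from WeChat APIs (wx.getLocation, wx.chooseImage, wx.request are real API names; the data-type labels are this example's choice) to data types, a keyword list for policy sentences, and a line-level, regex-based approximation of the dependency analysis. The mini-app script and the policy text are constructed inputs.

```python
"""Code-vs-policy consistency check for a mini-app (added example, constructed inputs)."""
import re

# Assumed mapping of WeChat source APIs to the data type they yield, and of sinks to operations.
SOURCE_APIS = {"wx.getLocation": "location", "wx.getUserInfo": "user_profile", "wx.chooseImage": "photo"}
SINK_APIS = {"wx.request": "transmit", "wx.setStorage": "store"}

# Constructed mini-app page script: location flows res -> coords -> upload(payload) -> wx.request.
MINIAPP_JS = """
Page({
  onLoad() {
    wx.getLocation({
      type: 'wgs84',
      success: (res) => {
        const coords = { lat: res.latitude, lng: res.longitude };
        this.upload(coords);
      }
    });
    wx.chooseImage({ success: (img) => { this.setData({ pic: img.tempFilePaths }); } });
  },
  upload(payload) {
    wx.request({ url: 'https://example.invalid/api/track', method: 'POST', data: payload });
  }
});
"""

# Constructed privacy policy text.
POLICY = ("We obtain your photos only so that you can choose a picture. "
          "We never share your location with third parties. "
          "We collect your nickname and avatar to display your profile.")

# Hypothetical keyword lists used to turn policy sentences into (data type, operation) practices.
DATA_TERMS = {"location": ["location", "geographic position"],
              "user_profile": ["nickname", "avatar", "profile"],
              "photo": ["photo", "image", "album"]}
OP_TERMS = {"collect": ["collect", "obtain", "access"],
            "transmit": ["share", "transmit", "send", "third part"],
            "store": ["store", "retain", "save"]}


def extract_code_practices(js):
    """Approximate taint analysis: source API -> callback param -> assignments/calls -> sink."""
    practices, tainted = set(), {}          # tainted: identifier -> data type
    for api, dtype in SOURCE_APIS.items():  # 1. sources taint their success-callback parameter
        for m in re.finditer(re.escape(api) + r"\(\{.*?success:\s*\((\w+)\)\s*=>", js, re.S):
            tainted[m.group(1)] = dtype
            practices.add((dtype, "collect"))
    changed = True                          # 2. propagate to a fixpoint
    while changed:
        changed = False
        for lhs, rhs in re.findall(r"(?:const|let|var)\s+(\w+)\s*=\s*([^;]+);", js):
            for ident, dtype in list(tainted.items()):
                if lhs not in tainted and re.search(r"\b" + ident + r"\b", rhs):
                    tainted[lhs], changed = dtype, True
        for fname, arg in re.findall(r"this\.(\w+)\((\w+)\)", js):  # call -> method parameter
            if arg in tainted:
                d = re.search(r"\b" + fname + r"\((\w+)\)\s*\{", js)
                if d and d.group(1) not in tainted:
                    tainted[d.group(1)], changed = tainted[arg], True
    for api, op in SINK_APIS.items():       # 3. a tainted identifier passed as `data:` reaches a sink
        for m in re.finditer(re.escape(api) + r"\(\{(.*?)\}\)", js, re.S):
            for ident, dtype in tainted.items():
                if re.search(r"\bdata:\s*" + ident + r"\b", m.group(1)):
                    practices.add((dtype, op))
    return practices


def extract_policy_practices(policy):
    """Return (declared, denied) practice sets; a negated sentence denies rather than declares."""
    declared, denied = set(), set()
    for sentence in re.split(r"(?<=[.!?])\s+", policy):
        s = sentence.lower()
        dtypes = {d for d, terms in DATA_TERMS.items() if any(t in s for t in terms)}
        ops = {o for o, terms in OP_TERMS.items() if any(t in s for t in terms)}
        target = denied if re.search(r"\b(not|never|no)\b", s) else declared
        target.update((d, o) for d in dtypes for o in ops)
    return declared, denied


def check_consistency(code_practices, policy):
    """Label each practice: consistent, undeclared, contradicted, or over-declared."""
    declared, denied = extract_policy_practices(policy)
    report = {}
    for p in sorted(code_practices):
        report[p] = "contradicted" if p in denied else "consistent" if p in declared else "undeclared"
    for p in sorted(declared - code_practices):
        report[p] = "over-declared"
    return report


if __name__ == "__main__":
    for practice, verdict in check_consistency(extract_code_practices(MINIAPP_JS), POLICY).items():
        print(f"{practice[0]:13s} {practice[1]:9s} -> {verdict}")
```

On the constructed inputs the location data is collected and transmitted in code while the policy never declares the collection and explicitly denies the sharing, the photo collection is consistent, and the profile collection is declared but never performed. A real analysis would replace the regexes with an AST-based dependency graph and the keyword lists with a trained extractor, but the shape of the match (code practices on one side, declared and denied practices on the other) stays the same.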