Do as You Say: Consistency Detection of Data Practice in Program Code and Privacy Policy in Mini-App

Mini-app is an emerging form of mobile application that combines web technology with native capabilities. Its features, e.g., no need to download and no installation, have made it popular rapidly. However, privacy issues that violate the laws or regulations are breeding in the swiftly expanding mini-app ecosystem. The consistency between what the mini-app does about the data in the program code and what it declares in its privacy policy description is important. But no work has systematically investigated the privacy problem of the mini-app before. In this paper, to our best knowledge, we are the first to conduct the compliance detection of data practice and policy description in mini-apps. In this paper, we first customize a taint analysis method based on data entity dependency network to adapt to the characteristics of the JavaScript language in the mini-apps. Then, we transform data types and data operations to data practices in program codes and privacy policies, so as to finish a fine-grained consistency matching model.We crawl 100,000 mini-apps on WeChat client in the wild and extract 2,998 with a privacy policy. Among them, only 318 meet the consistency requirements, 2,680 are inconsistent, and the proportion of inconsistencies is as high as 89.4%. The inconsistency in the mini-app is very serious. Based on 6 real-world cases analyzed, in order to reduce this potential data leakage risk, we suggest that the developer should reduce the collection of irrelevant information and the straightforward use of templates, and the platform should provide data flow detection tools and privacy policy writing support.