Utilizing Sentence Embedding for Dangerous Permissions Detection in Android Apps' Privacy Policies

Baalous, Rawan; Poet, Ronald

doi:10.4018/ijisp.2021010109

Cited by 2 publications

(7 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This rationale is based upon the pragmatic realization that an app needs access to photo/media storage before giving a user the option to upload pictures. This observation of the subtlety between semantic and pragmatic meanings of Android permissions and privacy policy text is also supported by prior work of Baalous and Poet [16]. The researchers found that upon querying a Sent2Vec model [41] trained on app privacy policies with 'receive wap push' would return semantically similar sentences like "This application may send push-notifications to the user"-which is entirely unrelated to RECEIVE_WAP_PUSH permission.…”

Section: A Semantically-relevant Information Is Often Missingsupporting

confidence: 55%

“…After reviewing prior works [10][11][12][13][14][15][16], three significant shortcomings are found: First, the automated analysis approach often looks for sensitive data collection in privacy policies that may not be directly linked with Android's permission-based model of data collection (e.g., data collection during the user registration process, such as email, zip code, city, home address). Second, prior works often narrowly focus on a subset of permissions such as PERSISTENTID or LOCATION while ignoring permissions -that are potentially harder to predict from the privacy policy -such as accessing the camera or the phonebook (see § IX for details about prior works).…”

Section: Methodsmentioning

confidence: 99%

“…( § V). Prior works [10][11][12][13][14][15][16] often take an overly narrow focus on a subset of Android permissions, such as those related to accessing location or device identifiers, while ignoring other (potentially harder to predict from the privacy policy) permissions (e.g., accessing camera or phonebook). Thus, it is unclear how best to leverage machine learning models for permission inference from app policies and what combination of techniques yields the most accurate model.…”

Section: A Research Questionsmentioning

confidence: 99%

“…Note that the reported average F1 scores reflect the corresponding tool's machine learning performance based on privacy policy-related task. Except for Baalous and Poet [16], these F1 scores do not necessarily correspond to the final result of the tools, for example, the reported F1-score for PermPress refers to the permission prediction task (see § V for details). Among these four tools, only PermPress covers all ten dangerous permission groups in its permission inference task.…”

Section: A Detecting Privacy Leakage In Appsmentioning

confidence: 99%

“…PermPress is significantly different from PPChecker by demonstrating that permission-related information is not documented explicitly in privacy policies; thus, hand-derived NLP rules are brittle to checking the completeness of privacy policies. Another related work is Baalous and Poet [16], who trained a Sent2Vec model on privacy policies and later queried the model with a string of dangerous permission (e.g., READ_CONTACTS) to see if the model could retrieve useful semantic information from privacy policies. The researchers claimed that the model could find semantically relevant permission information from the privacy policy for some of the permissions, such as Camera and Location, but failed in other cases, such as Sensors and Calendar.…”

Section: B Checking Privacy Compliance Of Appsmentioning

confidence: 99%

See 4 more Smart Citations

PermPress: Machine Learning-Based Pipeline to Evaluate Permissions in App Privacy Policies

et al. 2022

View full text Add to dashboard Cite

Privacy laws and app stores (e.g., Google Play Store) require mobile apps to have transparent privacy policies to disclose sensitive actions and data collection, such as accessing the phonebook, camera, storage, GPS, and microphone. However, many mobile apps do not accurately disclose their sensitive data access that requires sensitive ('dangerous') permissions. Thus, analyzing discrepancies between apps' permissions and privacy policies facilitates the identification of compliance issues upon which privacy regulators and marketplace operators can act. This paper proposes PermPress -an automated machine-learning system to evaluate an Android app's permission-completeness, i.e., whether its privacy policy matches its dangerous permissions. PermPress combines machine learning techniques with human annotation of privacy policies to establish whether app policies contain permission-relevant information. PermPress leverages MPP-270, an annotated policy corpus, for establishing a gold standard dataset of permission completeness. This corpus shows that only 31% of apps disclose all dangerous permissions in privacy policies. By leveraging the annotated dataset and machine learning techniques, PermPress achieves an AUC score of 0.92 in predicting the permission-completeness of apps. A large-scale evaluation of 164, 156 Android apps shows that, on average, 7% of apps do not disclose more than half of their declared dangerous permissions in privacy policies, whereas 60% of apps omit to disclose at least one dangerous permission-related data collection in privacy policies. This paper's investigation uncovers the non-transparent state of app privacy policies and highlights the need to standardize app privacy policies' compliance and completeness checking process.

show abstract

Section: A Semantically-relevant Information Is Often Missingsupporting

confidence: 55%

Section: Methodsmentioning

confidence: 99%

Section: A Research Questionsmentioning

confidence: 99%

Section: A Detecting Privacy Leakage In Appsmentioning

confidence: 99%

Section: B Checking Privacy Compliance Of Appsmentioning

confidence: 99%

See 3 more Smart Citations

PermPress: Machine Learning-Based Pipeline to Evaluate Permissions in App Privacy Policies

et al. 2022

View full text Add to dashboard Cite

show abstract

Runtime and Design Time Completeness Checking of Dangerous Android App Permissions Against GDPR

Mcconkey,

Olukoya

2024

IEEE Access

View full text Add to dashboard Cite

Data and privacy laws, such as the GDPR, require mobile apps that collect and process the personal data of their citizens to have a legally-compliant policy. Since these mobile apps are hosted on app distribution platforms such as Google Play Store and App Store, the app publishers also require the app developers who wish to submit a new app or make changes to an existing app to be transparent about their app privacy practices regarding handling sensitive user data that requires sensitive permissions such as calendar, camera, microphone. To verify compliance with privacy regulators and app distribution platforms, the app privacy policies and permissions are investigated for consistency. However, little has been done to investigate GDPR completeness checking within the Android permission ecosystem. In this paper, we investigate the design and runtime approaches towards completeness checking of sensitive ('dangerous') Android permission policy declarations against GDPR. In this paper, we investigate the design and runtime approaches towards completeness checking of dangerous Android permission policy declarations against GDPR. Leveraging the MPP-270 annotated corpus that describes permission declarations in application privacy policies, six natural language processing and language modelling algorithms are developed to measure permission completeness during runtime while a proof of concept Class Unified Modeling Language Diagram (UML) tool is developed to generate GDPR-compliant permission policy declarations using UML diagrams during design time. This paper makes a significant contribution to the identification of appropriate permission policy declaration methodologies that a developer can use to target particular GDPR laws, increasing GDPR compliance by 12% in cases during runtime using BERT word embedding, measuring GDPR compliance in permission policy sentences, and a UML-driven tool to generate compliant permission declarations.

show abstract

Utilizing Sentence Embedding for Dangerous Permissions Detection in Android Apps' Privacy Policies

Cited by 2 publications

References 17 publications

PermPress: Machine Learning-Based Pipeline to Evaluate Permissions in App Privacy Policies

PermPress: Machine Learning-Based Pipeline to Evaluate Permissions in App Privacy Policies

Runtime and Design Time Completeness Checking of Dangerous Android App Permissions Against GDPR

Contact Info

Product

Resources

About