An empirical evaluation of GDPR compliance violations in android mhealth apps

Ming Fan, Le Yu, Sen Chen, Hao Zhou, Xiapu Luo, Shuyue Li, Yang Liu, Jun Liu, Ting Liu

Research output: Chapter in book / Conference proceedingConference article published in proceeding or bookAcademic researchpeer-review

Abstract

The purpose of the General Data Protection Regulation (GDPR) is to provide improved privacy protection. If an app controls personal data from users, it needs to be compliant with GDPR. However, GDPR lists general rules rather than exact step-by-step guidelines about how to develop an app that fulfills the requirements. Therefore, there may exist GDPR compliance violations in existing apps, which would pose severe privacy threats to app users. In this paper, we take mobile health applications (mHealth apps) as a peephole to examine the status quo of GDPR compliance in Android apps. We first propose an automated system, named HPDROID, to bridge the semantic gap between the general rules of GDPR and the app implementations by identifying the data practices declared in the app privacy policy and the data relevant behaviors in the app code. Then, based on HPDROID, we detect three kinds of GDPR compliance violations, including the incompleteness of privacy policy, the inconsistency of data collections, and the insecurity of data transmission. We perform an empirical evaluation of 796 mHealth apps. The results reveal that 189 (23.7%) of them do not provide complete privacy policies. Moreover, 59 apps collect sensitive data through different measures, but 46 (77.9%) of them contain at least one inconsistent collection behavior. Even worse, among the 59 apps, only 8 apps try to ensure the transmission security of collected data. However, all of them contain at least one encryption or SSL misuse. Our work exposes severe privacy issues to raise awareness of privacy protection for app users and developers.

Original languageEnglish
Title of host publicationProceedings - 2020 IEEE 31st International Symposium on Software Reliability Engineering, ISSRE 2020
EditorsMarco Vieira, Henrique Madeira, Nuno Antunes, Zheng Zheng
PublisherIEEE Computer Society
Pages253-264
Number of pages12
ISBN (Electronic)9781728198705
DOIs
Publication statusPublished - Oct 2020
Event31st IEEE International Symposium on Software Reliability Engineering, ISSRE 2020 - Virtual, Coimbra, Portugal
Duration: 12 Oct 202015 Oct 2020

Publication series

NameProceedings - International Symposium on Software Reliability Engineering, ISSRE
Volume2020-October
ISSN (Print)1071-9458

Conference

Conference31st IEEE International Symposium on Software Reliability Engineering, ISSRE 2020
Country/TerritoryPortugal
CityVirtual, Coimbra
Period12/10/2015/10/20

Keywords

  • Data flow
  • GDPR
  • GUI
  • Privacy policy

ASJC Scopus subject areas

  • Software
  • Safety, Risk, Reliability and Quality

Cite this