An empirical evaluation of GDPR compliance violations in android mhealth apps

Ming Fan; Le Yu; Sen Chen; Hao Zhou; Xiapu Luo; Shuyue Li; Yang Liu; Jun Liu; Ting Liu

doi:10.1109/ISSRE5003.2020.00032

An empirical evaluation of GDPR compliance violations in android mhealth apps

Ming Fan, Le Yu, Sen Chen, Hao Zhou, Xiapu Luo, Shuyue Li, Yang Liu, Jun Liu, Ting Liu

Research output: Chapter in book / Conference proceeding › Conference article published in proceeding or book › Academic research › peer-review

15 Citations (Scopus)

Abstract

The purpose of the General Data Protection Regulation (GDPR) is to provide improved privacy protection. If an app controls personal data from users, it needs to be compliant with GDPR. However, GDPR lists general rules rather than exact step-by-step guidelines about how to develop an app that fulfills the requirements. Therefore, there may exist GDPR compliance violations in existing apps, which would pose severe privacy threats to app users. In this paper, we take mobile health applications (mHealth apps) as a peephole to examine the status quo of GDPR compliance in Android apps. We first propose an automated system, named HPDROID, to bridge the semantic gap between the general rules of GDPR and the app implementations by identifying the data practices declared in the app privacy policy and the data relevant behaviors in the app code. Then, based on HPDROID, we detect three kinds of GDPR compliance violations, including the incompleteness of privacy policy, the inconsistency of data collections, and the insecurity of data transmission. We perform an empirical evaluation of 796 mHealth apps. The results reveal that 189 (23.7%) of them do not provide complete privacy policies. Moreover, 59 apps collect sensitive data through different measures, but 46 (77.9%) of them contain at least one inconsistent collection behavior. Even worse, among the 59 apps, only 8 apps try to ensure the transmission security of collected data. However, all of them contain at least one encryption or SSL misuse. Our work exposes severe privacy issues to raise awareness of privacy protection for app users and developers.

Original language	English
Title of host publication	Proceedings - 2020 IEEE 31st International Symposium on Software Reliability Engineering, ISSRE 2020
Editors	Marco Vieira, Henrique Madeira, Nuno Antunes, Zheng Zheng
Publisher	IEEE Computer Society
Pages	253-264
Number of pages	12
ISBN (Electronic)	9781728198705
DOIs	https://doi.org/10.1109/ISSRE5003.2020.00032
Publication status	Published - Oct 2020
Event	31st IEEE International Symposium on Software Reliability Engineering, ISSRE 2020 - Virtual, Coimbra, Portugal Duration: 12 Oct 2020 → 15 Oct 2020

Publication series

Name	Proceedings - International Symposium on Software Reliability Engineering, ISSRE
Volume	2020-October
ISSN (Print)	1071-9458

Conference

Conference	31st IEEE International Symposium on Software Reliability Engineering, ISSRE 2020
Country/Territory	Portugal
City	Virtual, Coimbra
Period	12/10/20 → 15/10/20

Keywords

Data flow
GDPR
GUI
Privacy policy

ASJC Scopus subject areas

Software
Safety, Risk, Reliability and Quality

More information

10.1109/ISSRE5003.2020.00032

Cite this

Fan, M., Yu, L., Chen, S., Zhou, H., Luo, X., Li, S., Liu, Y., Liu, J., & Liu, T. (2020). An empirical evaluation of GDPR compliance violations in android mhealth apps. In M. Vieira, H. Madeira, N. Antunes, & Z. Zheng (Eds.), Proceedings - 2020 IEEE 31st International Symposium on Software Reliability Engineering, ISSRE 2020 (pp. 253-264). [09251060] (Proceedings - International Symposium on Software Reliability Engineering, ISSRE; Vol. 2020-October). IEEE Computer Society. https://doi.org/10.1109/ISSRE5003.2020.00032

Fan, Ming ; Yu, Le ; Chen, Sen et al. / An empirical evaluation of GDPR compliance violations in android mhealth apps. Proceedings - 2020 IEEE 31st International Symposium on Software Reliability Engineering, ISSRE 2020. editor / Marco Vieira ; Henrique Madeira ; Nuno Antunes ; Zheng Zheng. IEEE Computer Society, 2020. pp. 253-264 (Proceedings - International Symposium on Software Reliability Engineering, ISSRE).

@inproceedings{3173f8a7f40b4f248cb082266bbfdb86,

title = "An empirical evaluation of GDPR compliance violations in android mhealth apps",

abstract = "The purpose of the General Data Protection Regulation (GDPR) is to provide improved privacy protection. If an app controls personal data from users, it needs to be compliant with GDPR. However, GDPR lists general rules rather than exact step-by-step guidelines about how to develop an app that fulfills the requirements. Therefore, there may exist GDPR compliance violations in existing apps, which would pose severe privacy threats to app users. In this paper, we take mobile health applications (mHealth apps) as a peephole to examine the status quo of GDPR compliance in Android apps. We first propose an automated system, named HPDROID, to bridge the semantic gap between the general rules of GDPR and the app implementations by identifying the data practices declared in the app privacy policy and the data relevant behaviors in the app code. Then, based on HPDROID, we detect three kinds of GDPR compliance violations, including the incompleteness of privacy policy, the inconsistency of data collections, and the insecurity of data transmission. We perform an empirical evaluation of 796 mHealth apps. The results reveal that 189 (23.7%) of them do not provide complete privacy policies. Moreover, 59 apps collect sensitive data through different measures, but 46 (77.9%) of them contain at least one inconsistent collection behavior. Even worse, among the 59 apps, only 8 apps try to ensure the transmission security of collected data. However, all of them contain at least one encryption or SSL misuse. Our work exposes severe privacy issues to raise awareness of privacy protection for app users and developers. ",

keywords = "Data flow, GDPR, GUI, Privacy policy",

author = "Ming Fan and Le Yu and Sen Chen and Hao Zhou and Xiapu Luo and Shuyue Li and Yang Liu and Jun Liu and Ting Liu",

note = "Funding Information: This work was supported by National Key R&D Program of China (2016YFB1000903), National Natural Science Foundation of China (61902306, 61632015, 61772408, U1766215, 61721002, 61532015, 61833015), Ministry of Education Innovation Research Team (IRT_17R86), China Postdoctoral Science Foundation (2019TQ0251), and the Key Research Program of State Grid Shaanxi Electric Power Company. Publisher Copyright: {\textcopyright}2020 IEEE.; 31st IEEE International Symposium on Software Reliability Engineering, ISSRE 2020 ; Conference date: 12-10-2020 Through 15-10-2020",

year = "2020",

month = oct,

doi = "10.1109/ISSRE5003.2020.00032",

language = "English",

series = "Proceedings - International Symposium on Software Reliability Engineering, ISSRE",

publisher = "IEEE Computer Society",

pages = "253--264",

editor = "Marco Vieira and Henrique Madeira and Nuno Antunes and Zheng Zheng",

booktitle = "Proceedings - 2020 IEEE 31st International Symposium on Software Reliability Engineering, ISSRE 2020",

address = "United States",

}

Fan, M, Yu, L, Chen, S, Zhou, H, Luo, X, Li, S, Liu, Y, Liu, J & Liu, T 2020, An empirical evaluation of GDPR compliance violations in android mhealth apps. in M Vieira, H Madeira, N Antunes & Z Zheng (eds), Proceedings - 2020 IEEE 31st International Symposium on Software Reliability Engineering, ISSRE 2020., 09251060, Proceedings - International Symposium on Software Reliability Engineering, ISSRE, vol. 2020-October, IEEE Computer Society, pp. 253-264, 31st IEEE International Symposium on Software Reliability Engineering, ISSRE 2020, Virtual, Coimbra, Portugal, 12/10/20. https://doi.org/10.1109/ISSRE5003.2020.00032

An empirical evaluation of GDPR compliance violations in android mhealth apps. / Fan, Ming; Yu, Le; Chen, Sen et al.

Proceedings - 2020 IEEE 31st International Symposium on Software Reliability Engineering, ISSRE 2020. ed. / Marco Vieira; Henrique Madeira; Nuno Antunes; Zheng Zheng. IEEE Computer Society, 2020. p. 253-264 09251060 (Proceedings - International Symposium on Software Reliability Engineering, ISSRE; Vol. 2020-October).

Research output: Chapter in book / Conference proceeding › Conference article published in proceeding or book › Academic research › peer-review

TY - GEN

T1 - An empirical evaluation of GDPR compliance violations in android mhealth apps

AU - Fan, Ming

AU - Yu, Le

AU - Chen, Sen

AU - Zhou, Hao

AU - Luo, Xiapu

AU - Li, Shuyue

AU - Liu, Yang

AU - Liu, Jun

AU - Liu, Ting

N1 - Funding Information: This work was supported by National Key R&D Program of China (2016YFB1000903), National Natural Science Foundation of China (61902306, 61632015, 61772408, U1766215, 61721002, 61532015, 61833015), Ministry of Education Innovation Research Team (IRT_17R86), China Postdoctoral Science Foundation (2019TQ0251), and the Key Research Program of State Grid Shaanxi Electric Power Company. Publisher Copyright: ©2020 IEEE.

PY - 2020/10

Y1 - 2020/10

N2 - The purpose of the General Data Protection Regulation (GDPR) is to provide improved privacy protection. If an app controls personal data from users, it needs to be compliant with GDPR. However, GDPR lists general rules rather than exact step-by-step guidelines about how to develop an app that fulfills the requirements. Therefore, there may exist GDPR compliance violations in existing apps, which would pose severe privacy threats to app users. In this paper, we take mobile health applications (mHealth apps) as a peephole to examine the status quo of GDPR compliance in Android apps. We first propose an automated system, named HPDROID, to bridge the semantic gap between the general rules of GDPR and the app implementations by identifying the data practices declared in the app privacy policy and the data relevant behaviors in the app code. Then, based on HPDROID, we detect three kinds of GDPR compliance violations, including the incompleteness of privacy policy, the inconsistency of data collections, and the insecurity of data transmission. We perform an empirical evaluation of 796 mHealth apps. The results reveal that 189 (23.7%) of them do not provide complete privacy policies. Moreover, 59 apps collect sensitive data through different measures, but 46 (77.9%) of them contain at least one inconsistent collection behavior. Even worse, among the 59 apps, only 8 apps try to ensure the transmission security of collected data. However, all of them contain at least one encryption or SSL misuse. Our work exposes severe privacy issues to raise awareness of privacy protection for app users and developers.

AB - The purpose of the General Data Protection Regulation (GDPR) is to provide improved privacy protection. If an app controls personal data from users, it needs to be compliant with GDPR. However, GDPR lists general rules rather than exact step-by-step guidelines about how to develop an app that fulfills the requirements. Therefore, there may exist GDPR compliance violations in existing apps, which would pose severe privacy threats to app users. In this paper, we take mobile health applications (mHealth apps) as a peephole to examine the status quo of GDPR compliance in Android apps. We first propose an automated system, named HPDROID, to bridge the semantic gap between the general rules of GDPR and the app implementations by identifying the data practices declared in the app privacy policy and the data relevant behaviors in the app code. Then, based on HPDROID, we detect three kinds of GDPR compliance violations, including the incompleteness of privacy policy, the inconsistency of data collections, and the insecurity of data transmission. We perform an empirical evaluation of 796 mHealth apps. The results reveal that 189 (23.7%) of them do not provide complete privacy policies. Moreover, 59 apps collect sensitive data through different measures, but 46 (77.9%) of them contain at least one inconsistent collection behavior. Even worse, among the 59 apps, only 8 apps try to ensure the transmission security of collected data. However, all of them contain at least one encryption or SSL misuse. Our work exposes severe privacy issues to raise awareness of privacy protection for app users and developers.

KW - Data flow

KW - GDPR

KW - GUI

KW - Privacy policy

UR - http://www.scopus.com/inward/record.url?scp=85097341528&partnerID=8YFLogxK

U2 - 10.1109/ISSRE5003.2020.00032

DO - 10.1109/ISSRE5003.2020.00032

M3 - Conference article published in proceeding or book

AN - SCOPUS:85097341528

T3 - Proceedings - International Symposium on Software Reliability Engineering, ISSRE

SP - 253

EP - 264

BT - Proceedings - 2020 IEEE 31st International Symposium on Software Reliability Engineering, ISSRE 2020

A2 - Vieira, Marco

A2 - Madeira, Henrique

A2 - Antunes, Nuno

A2 - Zheng, Zheng

PB - IEEE Computer Society

T2 - 31st IEEE International Symposium on Software Reliability Engineering, ISSRE 2020

Y2 - 12 October 2020 through 15 October 2020

ER -

Fan M, Yu L, Chen S, Zhou H, Luo X, Li S et al. An empirical evaluation of GDPR compliance violations in android mhealth apps. In Vieira M, Madeira H, Antunes N, Zheng Z, editors, Proceedings - 2020 IEEE 31st International Symposium on Software Reliability Engineering, ISSRE 2020. IEEE Computer Society. 2020. p. 253-264. 09251060. (Proceedings - International Symposium on Software Reliability Engineering, ISSRE). doi: 10.1109/ISSRE5003.2020.00032

An empirical evaluation of GDPR compliance violations in android mhealth apps

Abstract

Publication series

Conference

Keywords

ASJC Scopus subject areas

More information

Other files and links

Fingerprint

Cite this