Toward an Android Static Analysis Approach for Data Protection
Mugdha Khedkar, Eric Bodden

TL;DR
This paper proposes a static analysis approach to help Android app developers identify and understand data flows related to personal data, aiding compliance with data protection laws like GDPR.
Contribution
It introduces a static taint analysis method tailored for Android apps to diagnose data protection issues and support developers in ensuring privacy compliance.
Findings
Identifies sources of personal data in Android apps
Analyzes data flow from sources to assess privacy risks
Provides a foundation for tool support in privacy-aware app development
Abstract
Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process. This paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one…
Taxonomy
Topics: Advanced Malware Detection Techniques · Bluetooth and Wireless Communication Technologies · Digital and Cyber Forensics
