Identifying Privacy Concerns in Upcoming Software Release: A Peek into the Future

TL;DR

Pre-PI is a novel approach that predicts and summarizes privacy concerns for upcoming software features, enabling proactive privacy management before release.

Contribution

It introduces a method to identify privacy concerns for unreleased features by simulating user feedback, filling a gap in pre-release privacy analysis.

Findings

Pre-PI outperforms Hark in identifying privacy concerns earlier.

Pre-PI generates additional valid privacy concern summaries.

Evaluation across three real-world apps demonstrates effectiveness.

Abstract

Identifying the features to be released in the next version of software, from a pool of potential candidates, is a challenging problem. User feedback from app stores is frequently used by software vendors for the evolution of apps across releases. Privacy feedback, although smaller in volume, carries a larger impact influencing app's success. Multiple existing work has focused on summarizing privacy concerns at the app level and has also shown that developers utilize feedback to implement security and privacy-related changes in subsequent releases. However, the current literature offers little support for release managers and developers in identifying privacy concerns prior to release. This gap exists as user reviews are typically available in app stores only after new features of a software system is released. In this paper, we introduce Pre-PI, a novel approach that summarizes privacy concerns for to-be-released features. Our method first maps existing features to semantically similar privacy reviews to learn feature-privacy review relations. We then simulate feedback for candidate features and generate concise summaries of privacy concerns. We evaluate Pre-PI across three real-world apps, and compare it with Hark, a state-of-the-art method that relies on post-release user feedback to identify privacy concerns. Results show that Pre-PI generates additional valid privacy concerns and identifies these concerns earlier than Hark, allowing proactive mitigation prior to release.