The International Computer Science Institute (ICSI) is developing a framework to automatically detect privacy violations in mobile applications. The project leverages prototype work in augmenting the Android operating system with instrumentation to detect when applications access sensitive user data, what they do with it, and with whom they share it. The project modifies this system to support the analysis of thousands of applications in parallel, through virtualization. This infrastructure enables better understanding of the mobile privacy landscape and makes available new techniques for auditing programs at scale. The project offers end-users an online resource (https://www.appcensus.mobi/) to research the privacy behaviors of their applications; regulators can use these tools for enforcement, and developers can use them to detect and fix privacy violations in their mobile applications prior to releasing them.

Current program analysis approaches either do not actually observe program execution, and instead only examine program code, or do not scale well. This approach instruments the operating system and then uses simulated user behavior via computer-generated user interface events to passively observe what personal information applications access and exfiltrate. A prototype of the framework was used to detect thousands of potential violations of the Children's Online Privacy Protection Act (COPPA). This project expands that initial infrastructure to enable evaluation of thousands of applications simultaneously with real user input from crowdworkers, as well as to offer a programming interface for both developers and regulators to be able to evaluate new mobile applications on demand.

This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.