Abstract
In recent years, mobile applications collecting users' private information beyond the stated scope and forcibly requesting sensitive permissions have become commonplace. Existing privacy compliance detection products in industry lack any analysis of privacy policies and therefore produce high false positive and false negative rates. Targeting current domestic compliance requirements, this paper designs and implements a large-scale semi-automated compliance detection framework. An empirical evaluation of 1941 applications from existing app markets detected 52 typical illegal and non-compliant mobile applications. The experimental results show that the method is highly practical and extensible and has broad application prospects.
In recent years, it is common for mobile applications to collect user privacy information in excess of the stated scope and to abuse sensitive permissions. The existing privacy compliance detection products in the industry lack analysis of privacy policies, resulting in high false positive and false negative rates. This study designs and implements a large-scale semi-automated compliance detection framework to address the current compliance requirements in China. The system extracts permission phrases through automated analysis of privacy policies and identifies sensitive permission calls through hybrid program analysis, ultimately achieving consistency-based compliance detection between privacy policies and permission calls. The empirical evaluation of 1941 applications in the existing application market detects 52 typical illegal and non-compliant mobile applications. The experimental results show that the method is practical and highly scalable, and has a wide application prospect.
Authors
王申奥
王亚龙
王乾旭
贺紫怡
李晖
Wang Shenao; Wang Yalong; Wang Qianxu; He Ziyi; Li Hui (School of Cipher Engineering, Xidian University, Xi'an 710071, China)
Source
《网络安全与数据治理》
2023, Issue 1, pp. 4-14 (11 pages)
CYBER SECURITY AND DATA GOVERNANCE
Keywords
privacy compliance
permission abuse
natural language processing
dynamic and static program analysis