Ethereum, the largest blockchain for running smart contracts, charges the people who send transactions to deploy or invoke smart contracts for thwarting resource abuse. The amount of transaction fee depends on the size of that contract and the operations executed by that contract. Consequently, smart contracts with inefficient code will waste money. In this paper, we propose and develop the first tool, named GasChecker, for automatically identifying gas-inefficient code in smart contracts, and conduct the first empirical study on the prevalence of gas-inefficient code in the deployed smart contracts. More precisely, we first summarize ten gas-inefficient programming patterns and propose a new approach based on symbolic execution (SE) to detect them in the bytecode of smart contracts. To make our approach scalable to analyze millions of smart contracts, we parallelize SE by tailoring it to the MapReduce programming model, and propose a new feedback-based load balancing strategy to effectively utilize cloud resources. Extensive experiments show that GasChecker scales well with the increase of workers. The empirical study demonstrates that lots of real smart contracts contain various inefficient code. Manual investigation demonstrates that only 2.5% of discovered gas-inefficient instances are false positives.
The purpose of the General Data Protection Regulation (GDPR) is to provide improved privacy protection. If an app controls personal data from users, it needs to be compliant with GDPR. However, GDPR lists general rules rather than exact step-by-step guidelines about how to develop an app that fulfills the requirements. Therefore, there may exist GDPR compliance violations in existing apps, which would pose severe privacy threats to app users. In this paper, we take mobile health applications (mHealth apps) as a peephole to examine the status quo of GDPR compliance in Android apps. We first propose an automated system, named HPDROID, to bridge the semantic gap between the general rules of GDPR and the app implementations by identifying the data practices declared in the app privacy policy and the data relevant behaviors in the app code. Then, based on HPDROID, we detect three kinds of GDPR compliance violations, including the incompleteness of privacy policy, the inconsistency of data collections, and the insecurity of data transmission. We perform an empirical evaluation of 796 mHealth apps. The results reveal that 189 (23.7%) of them do not provide complete privacy policies. Moreover, 59 apps collect sensitive data through different measures, but 46 (77.9%) of them contain at least one inconsistent collection behavior. Even worse, among the 59 apps, only 8 apps try to ensure the transmission security of collected data. However, all of them contain at least one encryption or SSL misuse. Our work exposes severe privacy issues to raise awareness of privacy protection for app users and developers.
Recent years have witnessed a sharp increase of malicious apps that steal users' personal information. To address users' concerns about privacy risks and to comply with data protection laws, more and more apps are supplied with privacy policies written in natural language to help users understand an app's privacy practices. However, little is known whether these privacy policies are trustworthy or not. Questionable privacy policies may be prepared by careless app developers or someone with malicious intention. In this paper, we carry out a systematic study on privacy policy by proposing a novel approach to automatically identify five kinds of problems in privacy policy. After tackling several challenging issues, we implement the approach in a system, named PPChecker, and evaluate it with real apps and their privacy policies. The experimental results show that PPChecker can effectively identify questionable privacy policies with high precision. Applying PPChecker to 2,500 popular apps, we find that 1,850 apps (i.e., 74.0%) have at least one kind of problems. This study sheds light on the research of improving and regulating apps' privacy policies.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.