PermPress: Machine Learning-Based Pipeline to Evaluate Permissions in App Privacy Policies

Rahman, Muhammad Sajidur; Naghavi, Pirouz; Kojusner, Blas; Afroz, Sadia; Williams, Byron; Rampazzi, Sara; Bindschaedler, Vincent

doi:10.1109/access.2022.3199882

Cited by 7 publications

(8 citation statements)

References 52 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These permission categories include CAMERA, MICRO-PHONE, PHONE_CALL, SENSOR, SMS, CALENDAR, CONTACTS, LOCATION, STORAGE and PERSISTEN-TID (cf Table 1). The list of permissions considered is consistent with 30 dangerous permission APIs categorized in 10 permission groups in MPP-270 [13,14], an annotated policy corpus for mapping between dangerous android permissions and privacy. The GDPR and the MPP-270 corpus dataset were preprocessed for the N-grams, VSM, FSM and implementation of the BERT word embedding algorithms.…”

Section: B Datasetmentioning

confidence: 93%

“…Hatamian et al [64] studied the extent to which COVID-19 contact tracing Android apps comply with the legal requirements of GDPR. Rahman et al [13] proposed an automated machine learning solution to evaluate completeness checking in Android applications dangerous permissions against privacy policies and highlighted the non-transparent state of permission-policy declarations of dangerous Android permissions. Shezan et al [48] developed an NLP-driven approach, NLP2GDPR, to automatically extract text from Android applications and generate a GDPR-compliant feature.…”

Section: B Completeness Checking Of Applicationsmentioning

confidence: 99%

“…The DAPD identified with the highest cosine similarity result is extracted for each GDPR article on every algorithm for all the permission categories. As a benchmark dataset for permission completeness, the open-source MPP-270 annotated corpus was developed in [13]. We used the annotated corpus to investigate the GDPR compliance of permission-policy statements.…”

Section: A Overview Of Frameworkmentioning

confidence: 99%

“…In evaluating Android permission completeness, a largescale evaluation of 164156 Android apps was explored in [13,14] to investigate whether the privacy policy matches its dangerous permission request. The investigations have shown that app privacy policies and sensitive (or "dangerous") permission requests are not always transparent.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Runtime and Design Time Completeness Checking of Dangerous Android App Permissions Against GDPR

Mcconkey,

Olukoya

2024

IEEE Access

View full text Add to dashboard Cite

Data and privacy laws, such as the GDPR, require mobile apps that collect and process the personal data of their citizens to have a legally-compliant policy. Since these mobile apps are hosted on app distribution platforms such as Google Play Store and App Store, the app publishers also require the app developers who wish to submit a new app or make changes to an existing app to be transparent about their app privacy practices regarding handling sensitive user data that requires sensitive permissions such as calendar, camera, microphone. To verify compliance with privacy regulators and app distribution platforms, the app privacy policies and permissions are investigated for consistency. However, little has been done to investigate GDPR completeness checking within the Android permission ecosystem. In this paper, we investigate the design and runtime approaches towards completeness checking of sensitive ('dangerous') Android permission policy declarations against GDPR. In this paper, we investigate the design and runtime approaches towards completeness checking of dangerous Android permission policy declarations against GDPR. Leveraging the MPP-270 annotated corpus that describes permission declarations in application privacy policies, six natural language processing and language modelling algorithms are developed to measure permission completeness during runtime while a proof of concept Class Unified Modeling Language Diagram (UML) tool is developed to generate GDPR-compliant permission policy declarations using UML diagrams during design time. This paper makes a significant contribution to the identification of appropriate permission policy declaration methodologies that a developer can use to target particular GDPR laws, increasing GDPR compliance by 12% in cases during runtime using BERT word embedding, measuring GDPR compliance in permission policy sentences, and a UML-driven tool to generate compliant permission declarations.

show abstract

Section: B Datasetmentioning

confidence: 93%

Section: B Completeness Checking Of Applicationsmentioning

confidence: 99%

Section: A Overview Of Frameworkmentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Runtime and Design Time Completeness Checking of Dangerous Android App Permissions Against GDPR

Mcconkey,

Olukoya

2024

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Torre et al [23] and Amaral et al [24] describe an automated solution which combines NLP and ML for the compliance verification of privacy policies according to GDPR. More recently, Rahman et al [66] and Aborujilah et al [67] presented MLbased techniques to monitor users' compliance with mobile applications. Tesfay et al [22] utilize ML for summarizing privacy concerns in privacy notices to make such notices more readable and comprehensible for non-experts.…”

Section: Related Workmentioning

confidence: 99%

ML-Based Compliance Verification of Data Processing Agreements against GDPR

Amaral,

Abualhaija,

Briand

2023

2023 IEEE 31st International Requirements Engineering Conference (RE)

View full text Add to dashboard Cite

Most current software systems involve processing personal data, an activity that is regulated in Europe by the general data protection regulation (GDPR) through data processing agreements (DPAs). Developing compliant software requires adhering to DPA-related requirements in GDPR. Verifying the compliance of DPAs entirely manually is however time-consuming and error-prone. In this paper, we propose an automation strategy based on machine learning (ML) for checking GDPR compliance in DPAs. Specifically, we create, based on existing work, a comprehensive conceptual model that describes the information types pertinent to DPA compliance. We then develop an automated approach that detects breaches of compliance by predicting the presence of these information types in DPAs. On an evaluation set of 30 real DPAs, our approach detects 483 out of 582 genuine violations while introducing 93 false violations, achieving thereby a precision of 83.9% and recall of 83.0%. We empirically compare our approach against an existing approach which does not employ ML but relies on manually-defined rules. Our results indicate that the two approaches perform on par. Therefore, to select the right solution in a given context, we discuss differentiating factors like the availability of annotated data and legal experts, and adaptation to regulation changes.

show abstract

CL2S4P: A Privacy Policy Translator for Comprehensive Interpretation in Smart Healthcare Systems

El Yamani,

Sadki,

Bakkali

et al. 2023

2023 IEEE 6th International Conference on Cloud Computing and Artificial Intelligence: Technologies and Applications (CloudTech

View full text Add to dashboard Cite

PermPress: Machine Learning-Based Pipeline to Evaluate Permissions in App Privacy Policies

Cited by 7 publications

References 52 publications

Runtime and Design Time Completeness Checking of Dangerous Android App Permissions Against GDPR

Runtime and Design Time Completeness Checking of Dangerous Android App Permissions Against GDPR

ML-Based Compliance Verification of Data Processing Agreements against GDPR

CL2S4P: A Privacy Policy Translator for Comprehensive Interpretation in Smart Healthcare Systems

Contact Info

Product

Resources

About