
Real Privacy Impact of Mobile Applications: Checks Through Static Analysis

This research proposes the design of a PET (Privacy Enhancing Technologies) method and tool for analysing mobile applications and verifying compliance with privacy policies. The developed method will allow the comparison of the developers’ declarations on data protection with the requests to the system and the source code of the application, thus assessing the correspondence between permissions, data and resources. The main objective is to automate assistance to both developers and users, facilitating the verification of compliance and improving transparency in the use of personal data. Unlike previous studies, this work formally establishes the relationship between permissions, data and resources to identify privacy risks. We operationalize affected personal data through a taxonomy of privacy-related data categories and a rule-based mapping from Android APIs, UI inputs, and permissions to those categories, enabling systematic comparison with developers’ disclosures. To the best of our knowledge, prior work has not systematically triangulated code-level evidence, permissions, and store/policy disclosures to produce a reproducible duty-to-inform consistency indicator grounded on the categories of personal data affected.

Pablo-Abel Criado-Lozano
Universidad de Valladolid. Universidad Europea Miguel de Cervantes
Spain

M. Mercedes Martínez-González
Universidad de Valladolid
Spain
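
The triangulation the abstract describes can be sketched as follows. This is an added example, not the authors' tool or code from the paper: the category names, the rule table, the `triangulate` function and the consistency ratio are assumptions made for illustration, and the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed rules (illustrative, not the authors' taxonomy): evidence -> data category.
RULES = {
    "permission": {
        "android.permission.ACCESS_FINE_LOCATION": "location",
        "android.permission.READ_CONTACTS": "contacts",
        "android.permission.RECORD_AUDIO": "audio",
    },
    "api": {"LocationManager.getLastKnownLocation": "location",
            "MediaRecorder.setAudioSource": "audio"},
    "ui": {"textEmailAddress": "email", "phone": "phone_number"},  # android:inputType
}

def manifest_permissions(manifest_xml):
    """Return the permission names requested in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}

def triangulate(manifest_xml, api_calls, ui_inputs, declared):
    """Compare categories evidenced by permissions, code and UI with those declared."""
    observed = {"permission": manifest_permissions(manifest_xml),
                "api": set(api_calls), "ui": set(ui_inputs)}
    evidence = {}  # category -> set of evidence sources that point at it
    for source, items in observed.items():
        for item in items:
            category = RULES[source].get(item)  # unmapped items (e.g. INTERNET) are skipped
            if category:
                evidence.setdefault(category, set()).add(source)
    evidenced = set(evidence)
    return {
        "undisclosed": evidenced - declared,   # evidenced in the app, not declared
        "unsupported": declared - evidenced,   # declared, no evidence found
        "permission_only": {c for c, s in evidence.items() if s == {"permission"}},
        # Hypothetical indicator: share of evidenced categories that are disclosed.
        "consistency": len(evidenced & declared) / len(evidenced) if evidenced else 1.0,
    }

# Constructed sample inputs (not taken from the paper).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
SAMPLE_API_CALLS = {"LocationManager.getLastKnownLocation", "MediaRecorder.setAudioSource"}
SAMPLE_UI_INPUTS = {"textEmailAddress"}
SAMPLE_DECLARED = {"location", "email", "health"}
if __name__ == "__main__":
    print(triangulate(SAMPLE_MANIFEST, SAMPLE_API_CALLS, SAMPLE_UI_INPUTS, SAMPLE_DECLARED))
```

On the constructed sample, contacts and audio are evidenced but not declared, health is declared without evidence, and contacts is backed only by a requested permission with no matching API use.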