Do as You Say: Consistency Detection of Data Practice in Program Code and Privacy Policy in Mini-App

by   Yin Wang, et al.

Mini-app is an emerging form of mobile application that combines web technology with native capabilities. Its features, e.g., no need to download and no installation, have made it popular rapidly. However, privacy issues that violate the laws or regulations are breeding in the swiftly expanding mini-app ecosystem. The consistency between what the mini-app does about the data in the program code and what it declares in its privacy policy description is important. But no work has systematically investigated the privacy problem of the mini-app before. In this paper, to our best knowledge, we are the first to conduct the compliance detection of data practice and policy description in mini-apps. In this paper, we first customize a taint analysis method based on data entity dependency network to adapt to the characteristics of the JavaScript language in the mini-apps. Then, we transform data types and data operations to data practices in program codes and privacy policies, so as to finish a fine-grained consistency matching model.We crawl 100,000 mini-apps on WeChat client in the wild and extract 2,998 with a privacy policy. Among them, only 318 meet the consistency requirements, 2,680 are inconsistent, and the proportion of inconsistencies is as high as 89.4 mini-app is very serious. Based on 6 real-world cases analyzed, in order to reduce this potential data leakage risk, we suggest that the developer should reduce the collection of irrelevant information and the straightforward use of templates, and the platform should provide data flow detection tools and privacy policy writing support.


page 1

page 2

page 3

page 4


Measuring the Leakage and Exploitability of Authentication Secrets in Super-apps: The WeChat Case

We conduct a large-scale measurement of developers' insecure practices l...

Lalaine: Measuring and Characterizing Non-Compliance of Apple Privacy Labels at Scale

As a key supplement to privacy policies that are known to be lengthy and...

An Empirical Evaluation of GDPR Compliance Violations in Android mHealth Apps

The purpose of the General Data Protection Regulation (GDPR) is to provi...

Don't Leak Your Keys: Understanding, Measuring, and Exploiting the AppSecret Leaks in Mini-Programs

Mobile mini-programs in WeChat have gained significant popularity since ...

A Small Leak Will Sink Many Ships: Vulnerabilities Related to Mini Programs Permissions

As a new format of mobile application, mini programs, which function wit...

Towards a Mini-App for Smoothed Particle Hydrodynamics at Exascale

The smoothed particle hydrodynamics (SPH) technique is a purely Lagrangi...

Quality Assessment of Online Automated Privacy Policy Generators: An Empirical Study

Online Automated Privacy Policy Generators (APPGs) are tools used by app...

Please sign up or login with your details

Forgot password? Click here to reset