Visible to the public An Empirical Evaluation of GDPR Compliance Violations in Android mHealth Apps

TitleAn Empirical Evaluation of GDPR Compliance Violations in Android mHealth Apps
Publication TypeConference Paper
Year of Publication2020
AuthorsFan, M., Yu, L., Chen, S., Zhou, H., Luo, X., Li, S., Liu, Y., Liu, J., Liu, T.
Conference Name2020 IEEE 31st International Symposium on Software Reliability Engineering (ISSRE)
Date Publishedoct
KeywordsAndroid apps, android encryption, Android mHealth, app code, app implementations, app privacy policy, app users, data collections, data flow, data practices, data privacy, data protection, Data Transmission, GDPR, GDPR compliance violations, GDPR lists general rules, General Data Protection Regulation, GUI, Human Behavior, medical computing, medical information systems, Metrics, mHealth apps, mobile computing, patient monitoring, personal data, privacy, Privacy Policies, privacy policy, privacy protection, pubcrawl, resilience, Resiliency, Scalability, security, security of data, Semantics, sensitive data, severe privacy issues, severe privacy threats, software reliability, step-by-step guidelines, Systematics

The purpose of the General Data Protection Regulation (GDPR) is to provide improved privacy protection. If an app controls personal data from users, it needs to be compliant with GDPR. However, GDPR lists general rules rather than exact step-by-step guidelines about how to develop an app that fulfills the requirements. Therefore, there may exist GDPR compliance violations in existing apps, which would pose severe privacy threats to app users. In this paper, we take mobile health applications (mHealth apps) as a peephole to examine the status quo of GDPR compliance in Android apps. We first propose an automated system, named HPDROID, to bridge the semantic gap between the general rules of GDPR and the app implementations by identifying the data practices declared in the app privacy policy and the data relevant behaviors in the app code. Then, based on HPDROID, we detect three kinds of GDPR compliance violations, including the incompleteness of privacy policy, the inconsistency of data collections, and the insecurity of data transmission. We perform an empirical evaluation of 796 mHealth apps. The results reveal that 189 (23.7%) of them do not provide complete privacy policies. Moreover, 59 apps collect sensitive data through different measures, but 46 (77.9%) of them contain at least one inconsistent collection behavior. Even worse, among the 59 apps, only 8 apps try to ensure the transmission security of collected data. However, all of them contain at least one encryption or SSL misuse. Our work exposes severe privacy issues to raise awareness of privacy protection for app users and developers.

Citation Keyfan_empirical_2020