Problem
Mobile app development best practices suggest that developers obtain opt-in consent from users prior to accessing potentially sensitive information on the phone. We study challenges that mobile application developers have with meeting such requirements, and highlight the promise of using new automated, static analysis-based solutions that identify and insert missing prompts in order to guard otherwise unprotected resource accesses. We find evidence that third-party libraries, incorporated by developers across the mobile industry, may access privacy-sensitive resources without seeking consent or even against the user’s choice.
Approach
Based on insights from real examples, we develop the theoretical underpinning of the problem of mediating resource accesses in mobile applications. We design and implement a graph-theoretic algorithm to place mediation prompts that protect every resource access, while avoiding repetitive prompting and prompting in background tasks or third-party libraries. We demonstrate the viability of our approach by analyzing 100 apps, averaging 7.3 MB in size and consisting of dozens of DLLs.
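The three placement requirements stated above can be checked mechanically on a control-flow graph. The following is an added example, not the paper's algorithm or code: it validates a proposed prompt placement rather than computing one, and the graph, node names and violation labels are constructed for illustration.

```python
from collections import deque

def reachable(graph, starts, blocked=frozenset()):
    """Nodes reachable from `starts` without entering any node in `blocked`."""
    seen = {s for s in starts if s not in blocked}
    queue = deque(seen)
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def check_placement(graph, entry, accesses, prompts, forbidden):
    """Return violations of the three requirements for a prompt placement.
    A prompt node is assumed to ask for consent before the node's own code runs."""
    violations = []
    # 1. No prompts in background tasks or third-party library code.
    for p in sorted(prompts & forbidden):
        violations.append(("prompt-in-forbidden-code", p))
    # 2. Every access is protected: none is reachable while avoiding all prompts.
    unguarded = reachable(graph, [entry], blocked=prompts)
    for a in sorted(accesses & unguarded):
        violations.append(("unprotected-access", a))
    # 3. No repetitive prompting: no path crosses two prompts.
    for p in sorted(prompts):
        after = reachable(graph, graph.get(p, ()))
        for q in sorted(prompts & after):
            violations.append(("repeated-prompt", (p, q)))
    return violations

# Constructed sample: an app page that reads location directly and also
# through a hypothetical third-party ad library.
CFG = {
    "main": ["settings", "map_page"],
    "settings": ["map_page"],
    "map_page": ["get_location", "lib_ads"],
    "lib_ads": ["lib_get_location"],
    "get_location": [],
    "lib_get_location": [],
}
ACCESSES = {"get_location", "lib_get_location"}
FORBIDDEN = {"lib_ads", "lib_get_location"}

def check(prompts):
    return check_placement(CFG, "main", ACCESSES, set(prompts), FORBIDDEN)
```

Prompting directly at each access point protects everything but lands a prompt inside library code; hoisting the prompt to `map_page` satisfies all three checks.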
Results
Our approach scales well: once an app is represented in the form of a graph, the remaining static analysis takes under a second on average. Overall, our strategy succeeds in about 95% of all unique cases.