In recent years, we have witnessed many major companies being penalized by regulators due to violations of personal data privacy. Many countries and territories, such as the US, the EU and China, have put in place strict regulations for security compliance and privacy. Users’ concerns on how applications collect and use their private data have also increased. Besides general security vulnerabilities, users are sensitive to those issues related to their privacy. In fact, compared to vulnerabilities, users have more intuitive understanding on privacy issues. As a result, privacy issues and data security are extensively reported by media, causing large-scale social concerns. Users wonder whether applications respect user privacy as they claim. For those privacy breaches, users also want to know the causes, whether enterprises lack enough security audit or they are doing it on particular purpose.
In order to better protect user privacy, assist enterprises in conducting self-assessment as well as provide comprehensive foundation and technical support for the regulators, we summarize the complicated privacy security audit methods into a systematic framework based on our experience in a large number of app privacy security audits. The preponderance of this framework is that it provides a testing guideline to audit app privacy issues from a global perspective. There are two ways to classify security auditing scenarios in this framework: logical classification and technical classification. The logical classification allows people to better understand the situations in which the privacy issues occur. The technical classification is able to instruct security auditors to make comprehensive inspections in a rapid and more comprehensive method.
In this framework, we focus on whether apps give users control over their data to be informed, to give consent, to be erased, to acquire data portability, and to be localized. There are also several automatic tools in the framework to help app developers and security researchers check their own apps in some respects. We also apply our framework on the Top-1,000 apps in Google play store and other stores, and find that privacy problems are pervasive. We aim to present our findings and raise an alarm to all app manufacturers.