
From Permission Usage to Compliance Analysis | Privacy Engineering & Technology Education Discussion (PETed)

  • PrivacySWAN Consulting, 2770 Arapahoe Road, Suite 132 #179, Lafayette, CO, 80026, United States

From Permission Usage to Compliance Analysis: Lessons Learned Analyzing Android Apps for 10 years

We have been analyzing Android apps for regulatory requirements for eight years. We have analyzed Android apps for COPPA, CCPA, and Health Compliance (HIPAA, HBNR, and FTC Act). In this talk, I present the lessons learned after analyzing thousands of apps, the technical challenges we face while analyzing Android apps, patterns of non-compliance issues we uncovered, and the likely root causes of non-compliance. The talk will touch upon challenges posed by third-party code in complying with regulatory requirements, the importance of privacy assessment, and how the technical realm has changed over time for privacy assessments.

 

Problem Statement:

What are the risks posed by the use of third-party code in the mobile ecosystem? How can you identify those risks before they become a regulatory headache?

 

Related PETs (Privacy-Enhancing Technologies):

  • Accountability

  • Code Transparency

  • Permission Usage

  • Privacy Assessment

  • Dynamic Analysis

 

Pre-Discussion Resources:

 

Speaker:

Primal Wijesekera

Primal Wijesekera is a research scientist in the Usable Security and Privacy Research Group at ICSI and holds an EECS appointment at the University of California, Berkeley. His research exposes current privacy and security vulnerabilities and provides systematic solutions to meet consumers’ privacy expectations. He has extensive experience in mobile app analysis for privacy and security violations and implementing privacy protections for Android. He has published in top-tier security venues (IEEE S&P, USENIX Security) and usable security and privacy venues (ACM CHI, SOUPS, PETS). He received his Ph.D. from the University of British Columbia, although he carried out his Ph.D. research at UC Berkeley. His research on privacy on mobile platforms has received the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies, the USENIX Security Distinguished Paper Award, the AEPD Emilio Aced Personal Data Protection Research Award, and the CNIL-INRIA Privacy Award. He is a PI/Co-PI on multiple NSF Projects. He has also helped federal regulators in sensitive privacy investigations. He has also held an engineering position at Microsoft.

 

Moderator:

Janelle Hsia

Janelle Hsia is the President and Founder of Privacy SWAN Consulting, working as a trainer, consultant, and trusted advisor for strategic and tactical decision-making. While she is focused on the field of privacy and data protection, Janelle Hsia is not a lawyer and brings a diverse background with strong leadership, technical, and business skills spanning 20 years in the areas of project management, IT, privacy, security, data governance, and process improvement. Janelle Hsia is also Co-Founder and Vice-President of the Institute of Operational Privacy Design.
