SaTC: CORE: Small: Detecting Personal Information Abuse in Mobile Apps and Their Backend Servers

Mobile applications (apps) require users to provide sensitive data such as home address, phone number, or credit card numbers, for offering full-fledged functionality. This data is stored on servers outside users' purview, once provided, users have little or no control over what happens to the data, which exposes both users and app developers to privacy risks. This project exposes and aims to reduce such issues/risks in mobile apps and their corresponding servers. The project's novelties are computing the minimal amount of information required for app functioning, inferring server-side behavior, and exposing unauthorized data collection. The project's broader significance and importance are protecting the users from wide and unauthorized data collection, and improving the state-of-practice in secure development toward more privacy-friendly data collection and data retention practices. The project consists of two thrusts. The first thrust uses program analysis to compute the minimal personal information required for proper functioning: this allows identifying unnecessary, excessively collected information. This thrust also exposes unauthorized collection, via novel in-tandem modeling of app policy and implementation, to identify temporal violations such as data collection prior to user consent. This approach is generalizable in other contexts, such as identification of discrepancies between software implementations and their stated or governing policies. The second thrust develops novel combinations of program and network traffic analysis to infer personal information retained on servers, without accessing the server. These techniques are widely applicable to understanding how data is processed server-side after leaving users' mobile phones or browsers. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.