GGrantIndex
← Search

CRII: SaTC: Enhancing Privacy Leak Detection through Source Discovery in Domain-Sensitive Data

$166,924FY2024CSENSF

Rochester Institute Of Tech, Rochester NY

Investigators

Abstract

Mobile applications (apps) are widely used and often process users' personal data. Several privacy-related regulations set strict guidelines for data collection, processing, and storage. Violations of these regulations can lead to legal consequences and substantial financial penalties. Detecting privacy leaks often involves data flow analysis, with many existing works focusing on private data such as user names, email addresses, and device IDs. However, beyond these conventional forms of private data, domain-sensitive information also poses significant privacy risks when leaked. Domain-sensitive information refers to data within specific contexts or domains that is considered sensitive, such as a user's order history in shopping apps or heart rate data in health apps. Advertisers and marketers can exploit such data for targeted advertising, profiling, and potential misuse, leading to privacy breaches and undermining user trust. However, existing data flow analysis approaches have not incorporated domain-sensitive data as a potential source of privacy leaks due to its diverse types and formats across different apps, making its identification challenging. This project’s novelties are its approach to identify and analyze sources of domain-sensitive data within the app code. The broader significance and importance of the project lie in its potential to enhance user trust and data security in the mobile app ecosystem, ultimately improving privacy protection for millions of users worldwide. The research plan includes 1) conducting a crowdsourcing study to categorize domain-sensitive data within the user interfaces (UIs) of mobile apps; 2) developing a novel approach based on static and dynamic program analysis to map the UI domain-sensitive data to the corresponding domain sources (function methods within apps that access domain-sensitive data); 3) developing a machine learning model to automatically detect these sources, which will be scalable and applicable to large-scale analyses of mobile apps. The expected advances include more accurate and efficient methods for identifying and mitigating privacy risks in mobile apps. The project's impact extends beyond academia, with potential applications in industry, regulatory compliance, and user advocacy. Through rigorous evaluation and dissemination efforts, the findings from this research endeavor will contribute to the advancement of mobile app security and privacy protection. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

View original record on NSF Award Search →