Carnegie Mellon University

Summer 2018 Capstone Project

Developing a Process to Test Privacy in Mobile Apps

Sponsor: Philips
Presented by: Sharada Boda

This project developed a process specification for Philips to test privacy in mobile apps and tested two apps using the developed process. The process addresses a few aspects of GDPR: ‘Purpose Identifications’, ‘Third-Party library identification and their access’, Consent and Portability. The process involved a 3-step methodology which combined the use of automated tools with manual analysis. The first phase involved identification of personal data, the third-party libraries and their access to personal data. The second phase involved determining the behavior of personal data in terms of identifying the purpose of processing the personal data, consent and portability. These aspects were manually verified by analyzing the code, interacting with the application, inspecting the network traffic and learning more about the various third-party libraries used in the app. The data was also analyzed to determine how it was stored and transmitted, and checked for encryption. The last phase of the process involved analyzing the policy text. The policy text was analyzed to identify possible violations (contradictions between how personal data is processed in the app and what the privacy policy text states) and omissions (information missing from the privacy policy). Four different automated tools were identified for various parts of the process and were combined with manual analysis for comprehensive privacy testing. The entire process involved both static and dynamic analysis. The process was implemented on two Philips apps and a few potential issues were found. While the process is capable of finding certain potential issues, it aims to help raise pertinent questions that must be addressed through team collaboration with the developers and privacy officers. The findings suggest there is scope for further improvement that can address some of the aspects of GDPR and secure client data in mobile applications.

Developing a Process to Test Privacy in Mobile Apps - Executive Summary