GUILeak: Identifying Privacy Practices on GUI-Based Data

As the most popular mobile platform, Android devices have millions of users around the world. As these devices are used everyday and collects various data from users, effective privacy protection has been a well known challenge in the Android world. Existing privacy-protection approaches focus on information accessed from Android API methods, such as location and device ID, while existing security-enhancement approaches are not fine-grained enough to map user input data to concepts in privacy policies. In this paper, we proposed a novel approach that automatically detects privacy leakage on user input data for a given Android app, and determines whether such leakage may violate privacy policies coming with the Android app. For evaluation, we applied our approach to 80 popular apps from two important app categories: finance and health. The results show that our approach is able to detect 20 strong violations, and 10 weak violations from the studied apps.