App合规性检测综述

doi:10.3778/j.issn.1002-8331.2206-0453

摘要/Abstract

摘要： 随着App使用者数量迅速增长，个人信息主体隐私泄露问题也日渐严重。为此，近年来我国相继出台了有关App个人隐私信息安全的相关法律文件，有关部门也相继开展了App整治工作，旨在对App个人信息的采集、存储和处理等方面进行规范。综述了App合规性问题，揭示出我国App安全面临的挑战性问题，列举了我国各层次部门颁布的App相关法规和政策，并介绍了国家在App治理方面推出的相关措施；综述了App合规性检测方法，将国内外App合规性检测分成App隐私政策的完整性检测、一致性检测和可读性检测三类，并从不同维度和切入点对这三类检测方法进行了分析和总结；对国内App合规性检测平台及其相应功能进行了整理和分析；提出了App合规性检测仍存在的挑战性问题，并展望了未来的发展方向。

关键词: App合规性检测, 隐私政策, 完整性, 一致性, 可读性

Abstract: With the rapid growth of the number of App users, the privacy disclosure of personal information subjects has become increasingly serious. Therefore, in recent years, China has successively issued relevant legal documents on App personal privacy information security, and relevant departments have also carried out App rectification work to regulate the collection, storage and processing of App personal information. This paper summarizes the compliance problems of App. Firstly, it reveals the challenging problems of App security in China, lists the relevant regulations and policies of App issued by various levels of departments in China, and introduces the relevant measures launched by the state in App governance. Then, the App compliance detection methods are summarized, and the App compliance detection at home and abroad is divided into three categories：integrity detection, consistency detection and readability detection of App privacy policies. The three detection methods are analyzed and summarized from different dimensions and entry points. Thirdly, sorting out the domestic App compliance detecting platform and corresponding functions. Finally, the challenges that still exist in App compliance detecting are proposed, and the future development direction is prospected.

Key words: App compliance detection, privacy policy, integrity, consistency, readability

刘晓建, 彭玉坤. App合规性检测综述[J]. 计算机工程与应用, 2023, 59(3): 1-12.

LIU Xiaojian, PENG Yukun. Review of App Compliance Detection[J]. Computer Engineering and Applications, 2023, 59(3): 1-12.

参考文献

[1] 魏立斐，李梦思，张蕾，等.基于安全两方计算的隐私保护线性回归算法[J].计算机工程与应用，2021，57（22）：139-146.
WEI L P，LI M S，ZHANG L，et al.Privacy-preserving linear regression algorithm based on secure two-party computation[J].Computer Engineering and Applications，2021，57（22）：139-146.
[2] VOIGT P，VON DEM BUSSCHE A.The eu general data protection regulation（GDPR）[M].Cham：Springer International Publishing，2017.
[3] 市场化个人征信行业个人信息保护问题分析[EB/OL].[2022].https：//www.creditchina.gov.cn/home/lfyj/202107/t20210714_239446.html.
Analysis of personal information protection in marketized personal credit reference industry[EB/OL].[2022].https：//www.creditchina.gov.cn/home/lfyj/202107/t20210714_239446.html.
[4] 朱侯，张明鑫，路永和.社交媒体用户隐私政策阅读意愿实证研究[J].情报学报，2018，37（4）：362-371.
ZHU H，ZHANG M X，LU Y H.An empirical study on privacy policy reading intention of social media users[J].Journal of the China Society for Scientific and Technical Information，2018，37（4）：362-371.
[5] 信息安全技术个人信息安全规范[EB/OL].[2022].https：//ansafe.xust.edu.cn/DownLoad/2020SafeInstruction.pdf.
Personal information security specification[EB/OL].[2022].https：//ansafe.xust.edu.cn/DownLoad/2020SafeI-nstruction.pdf.
[6] 中华人民共和国个人信息保护法[EB/OL].[2022].http：//fsga.foshan.gov.cn/attachment/0/224/224359/5099735.pdf.
Personal information protection law of the people’s republic of china full translation[EB/OL].[2022].http：//fsga.foshan.gov.cn/attachment/0/224/224359/5099735.pdf.
[7] 灵鲲App隐私合规产品白皮书[R/OL].[2022].https：//max.book118.com/html/2021/1015/5244022313004031.shtm.
Lingkun App privacy compliance product white paper[R/OL].[2022].https：//max.book118.com/html/2021/1015/5244022313004031.shtm.
[8] 张艳丰，邱怡.硬规则下我国移动阅读App隐私政策合规性研究[J].现代情报，2022，42（1）：167-176.
ZHANG Y F，QIU Y.Research on compliance of privacy policy of mobile reading App in China under hard rules[J].Journal of Modern Information，2022，42（1）：167-176.
[9] 移动互联网应用程序（App）收集使用个人信息自评估指南[EB/OL].[2022].https：//www.tc260.org.cn/front/postDetail.html?id=20200722134829.
Mobile Internet application（App）collection and use of personal information self-assessment guide[EB/OL].[2022].https：//www.tc260.org.cn/front/postDetail.html?id=202007
22134829.
[10] 中华人民共和国数据安全法[EB/OL].[2022].https：//gkml.samr.gov.cn/nsjg/bgt/202111/t20211105_336461.html.
Data security law of the people’s republic of China[EB/OL].[2022].https：//gkml.samr.gov.cn/nsjg/bgt/202111/t20211105_336461.html.
[11] 我国197项数据安全政策回顾汇总[EB/OL].[2022].http：//www.ciphergateway.com/product/40738.html.
Summary of 197 data security policies in China[EB/OL].[2022].http：//www.ciphergateway.com/product/40738.html.
[12] 苗慧.中外移动App的个人信息保护研究[D].北京：北京邮电大学，2021.
MIAO H.Research on personal information protection of Chinese and foreign mobile Apps[D].Beijing：Beijing University of Posts and Telecommunications，2021.
[13] 张艳丰，邱怡.我国移动阅读应用个人信息保护政策合规性测度研究[J].图书情报工作，2021，65（22）：35-43.
ZHANG Y F，QIU Y.Research on compliance measurement of personal information protection policy for mobile reading application in China[J].Library and Information Service，2021，65（22）：35-43.
[14] TORRE D，ABUALHAIJA S，SABETZADEH M，et al.An AI-assisted approach for checking the completeness of privacy policies against GDPR[C]//2020 IEEE 28th International Requirements Engineering Conference（RE），2020.
[15] AMARAL O，ABUALHAIJA S，TORRE D，et al.AI-enabled automation for completeness checking of privacy policies[J].arXiv：2106.05688，2021.
[16] MüLLER N M，KOWATSCH D，DEBUS P，et al.On GDPR compliance of companies’privacy policies[C]//International Conference on Text，Speech，and Dialogue.Cham：Springer，2019：151-159.
[17] FAN M，YU L，CHEN S，et al.An empirical evaluation of GDPR compliance violations in Android mHealth Apps[C]//2020 IEEE 31st International Symposium on Software Reliability Engineering（ISSRE），2020：253-264.
[18] 朱璋颖，陆亦恬，唐祝寿，等.基于隐私政策条款和机器学习的应用分类[J].通信技术，2020，53（11）：2749-2757.
ZHU Z Y，LU Y K，TANG Z S，et al.Application classification based on privacy policy terms and machine learning[J].Communications Technology，2020，53（11）：2749-2757.
[19] VERDERAME L，CAPUTO D，ROMDHANA A，et al.On the （un）reliability of privacy policies in Android Apps[C]//2020 International Joint Conference on Neural Networks（IJCNN），2020：1-9.
[20] 赵波，刘贤刚，刘行，等.Android应用程序个人信息安全量化评估模型研究[J].通信技术，2020，53（8）：2019-2026.
ZHAO B，LIU X G，LIU X，et al.Quantitative evaluation model of personal information security for Android applications[J].Communications Technology，2020，53（8）：2019-2026.
[21] SUN R，XUE M.Quality assessment of online automated privacy policy generators：an empirical study[C]//Proceedings of the Evaluation and Assessment in Software Engineering，2020：270-275.
[22] 姚胜译，吴丹.App隐私政策用户友好度评价研究[J].信息资源管理学报，2021，11（1）：30-39.
YAO S Y，WU D.Assessment research to App privacy policy user-frendliness[J].Journal of Information Resources Management，2021，11（1）：30-39.
[23] 徐磊，郭旭.大数据时代读者个人信息保护的实践逻辑与规范路径——以图书类App隐私政策文本为视角[J].图书馆建设，2021（1）：74-83.
XU L，GUO X.Practice logic and normative path of protecting readers’ personal information in the age of big data—From the perspective of privacy policy of book Apps[J].Library Development，2021（1）：74-83.
[24] 杜永欣，周茂君.我国网站个人信息保护的合规性考察——基于九家网站隐私政策的文本分析[J].重庆邮电大学学报（社会科学版），2021，33（4）：62-72.
DU Y X，ZHOU M J.Study on the compliance of website personal information protection in China—Text analysis based on privacy policy of nine websites[J].Journal of Chongqing University of Posts and Telecommunications（Social Science Edition），2021，33（4）：62-72.
[25] 唐远清，赖星星.社交媒体隐私政策文本研究——基于Facebook与微信的对比分析[J].新闻与写作，2018（8）：31-37.
TANG Y Q，LAI X X.Social media privacy policy text research—Comparative analysis based on Facebook and WeChat[J].News and Writing，2018（8）：31-37.
[26] 马骋宇，刘乾坤.移动健康应用程序的隐私政策评价及实证研究[J].图书情报工作，2020，64（7）：46-55.
MA C Y，LIU Q K.Research on the privacy policy’s evaluation and empirical study of mobile health applications[J].Library and Information Service，2020，64（7）：46-55.
[27] 何培育，马雅鑫，涂萌.Web浏览器用户隐私安全政策问题与对策研究[J].图书馆，2019（2）：19-26.
HE Y P，MA Y X，TU M.A study on problems and countermeasures of web browser user privacy security policy[J].Library，2019（2）：19-26.
[28] 姜盼盼.图书馆隐私政策合规性的依据与标准[J].图书馆建设，2019（4）：79-86.
JIANG P P.Compliance basis and standards of library privacy policy[J].Library Development，2019（4）：79-86.
[29] ARZT S，RASTHOFER S，FRITZ C，et al.Flowdroid：precise context，flow，field，object-sensitive and lifecycle-aware taint analysis for Android Apps[J].ACM Sigplan Notices，2014，49（6）：259-269.
[30] QIAN C，LUO X，LE Y，et al.Vulhunter：toward discovering vulnerabilities in Android applications[J].IEEE Micro，2015，35（1）：44-53.
[31] CHURCH K W.Word2Vec[J].Natural Language Engineering，2017，23（1）：155-162.
[32] ANDOW B，MAHMUD S Y，WHITAKER J，et al.Actions speak louder than words：entity-sensitive privacy policy and data flow analysis with policheck[C]//29th USENIX Security Symposium（USENIX Security 20），2020：985-1002.
[33] YU L，LUO X，LIU X，et al.Can we trust the privacy policies of Android Apps?[C]//2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks（DSN），2016：538-549.
[34] KUNUNKA S，MEHANDJIEV N，SAMPAIO P.A comparative study of Android and iOS mobile applications’ data handling practices versus compliance to privacy policy[C]//IFIP International Summer School on Privacy and Identity Management.Cham：Springer，2017：301-313.
[35] OLUKOYA O，MACKENZIE L，OMORONYIA I.Security-oriented view of App behaviour using textual descriptions and user-granted permission requests[J].Computers & Security，2020，89：101685.
[36] YU L，LUO X，QIAN C，et al.Enhancing the description-to-behavior fidelity in Android Apps with privacy policy[J].IEEE Transactions on Software Engineering，2017，44（9）：834-854.
[37] YU L，LUO X，QIAN C，et al.Revisiting the description-to-behavior fidelity in Android applications[C]//2016 IEEE 23rd International Conference on Software Analysis，Evolution，and Reengineering（SANER），2016：415-426.
[38] WANG R，WANG Z，TANG B，et al.Smartpi：understanding permission implications of Android Apps from user reviews[J].IEEE Transactions on Mobile Computing，2019，19（12）：2933-2945.
[39] 贺雪乔.iOS应用隐私条例与敏感行为一致性检测系统的设计与实现[D].北京：北京邮电大学，2020.
HE X Q.Design and implemention of consistency detection and generation technology for privacy policy of IOS Apps[D].Beijing：Beijing University of Posts and Telecommunications，2020.
[40] MA Z，WANG H，GUO Y，et al.Libradar：fast and accurate detection of third-party libraries in Android Apps[C]//Proceedings of the 38th International Conference on Software Engineering Companion，2016：653-656.
[41] 胡杰克.基于敏感数据流的Android恶意程序及隐私泄露检测方法研究[D].深圳：哈尔滨工业大学（深圳），2021.
HU J K.Research on Android malware and privacy leak detection method based on sensitive data flow[D].Shenzhen：Harbin Institute of Technology，Shenzhen，2021.
[42] 王靖瑜.Android应用隐私条例一致性检测及其生成技术的研究与实现[D].北京：北京邮电大学，2018.
WANG J Y.Research and implementation of consistency detection and generation technology for privacy policy of Android Apps[D].Beijing：Beijing University of Posts and Telecommunications，2018.
[43] 王靖瑜，徐明昆，王浩宇，等.Android应用隐私条例与敏感行为一致性检测[J].计算机科学与探索，2019，13（1）：56-69.
WANG J Y，XU M K，WANG H Y，et al.Automated detection of consistence between App behavior and privacy policy of Android Apps[J].Journal of Frontiers of Computer Science and Technology，2019，13（1）：56-69.
[44] ZHANG C，WANG H，WANG R，et al.Re?checking App behavior against App description in the context of third-party libraries[C]//International Conference on Software Engineering and Knowledge Engineering，2018.
[45] FENG Y，CHEN L，ZHENG A，et al.Ac-net：assessing the consistency of description and permission in Android Apps[J].IEEE Access，2019，7：57829-57842.
[46] YU L，LUO X，CHEN J，et al.PPchecker：towards accessing the trust worthiness of Android Apps’ privacy policies[J].IEEE Transactions on Software Engineering，2018，47（2）：221-242.
[47] 杜代忠.Android应用隐私政策与权限使用的一致性分析引擎的研究与实现[D].北京：北京邮电大学，2021.
DU D Z.Research and implementation of consistency analysis engine for Android application privacy policy and permission usage[D].Beijing：Beijing University of Posts and Telecommunications，2021.
[48] SLAVIN R，WANG X，HOSSEINI M B，et al.Toward a framework for detecting privacy policy violations in Android application code[C]//Proceedings of the 38th International Conference on Software Engineering，2016：25-36.
[49] SOLNYSHKINA M I，ZAMALETDINOV R R，GORODETSKAYA L A，et al.Evaluating text complexity and Flesch-Kincaid grade level[J].Journal of Social Studies Education Research，2017（3）.
[50] FARR J N，JENKINS J J，PATERSON D G.Simplification of Flesch reading ease formula[J].Journal of Applied Psychology，1951，35（5）：333.
[51] GUNNING R.The fog index after twenty years[J].Journal of Business Communication，1969，6（2）：3-13.
[52] MC LAUGHLIN G H.SMOG grading-a new readability formula[J].Journal of reading，1969，12（8）：639-646.
[53] FAROOQ E，GHANI MANUI，NASEER Z，et al.Privacy policies’ readability analysis of contemporary free healthcare Apps[C]//2020 14th International Conference on Open Source Systems and Technologies（ICOSST），2020：1-7.
[54] 陈世敏.中文可读性公式试拟[J].新闻学研究，1971（8）：181-225.
CHEN S M.Chinese readability formula[J].Mass Communication Research，1971（8）：181-225.
[55] DAS G，CHEUNG C，NEBEKER C，et al.Privacy policies for Apps targeted toward youth：descriptive analysis of readability[J].JMIR mHealth and uHealth，2018，6（1）：e7626.
[56] REDMILES E M，MORALES M，MASZKIEWICZ L，et al.First steps toward measuring the readability of security advice[C]//The 2018 IEEE Security & Privacy Workshop on Technology and Consumer Protection （ConPro），2018.
[57] POWELL A，SINGH P，TOROUS J.The complexity of mental health App privacy policies：a potential barrier to privacy[J].JMIR mHealth and uHealth，2018，6（7）：e9871.
[58] FOWLER L R，GILLARD C，MORAIN S R.Readability and accessibility of terms of service and privacy policies for menstruation?tracking smartphone applications[J].Health Promotion Practice，2020，21（5）：679-683.
[59] 秦克飞.手机App隐私政策的可读性研究[J].情报探索，2019（1）：18-23.
QIN K F.Research on readability of mobile App privacy policies[J].Information Research，2019（1）：18-23.
[60] SUNYAEV A，DEHLING T，TAYLOR P L，et al.Availability and quality of mobile health App privacy policies[J].Journal of the American Medical Informatics Association，2015，22（e1）：28-33.
[61] 王英.若干国家或地区图书馆协会隐私政策的纵向分析[J].图书馆理论与实践，2020（4）：28-34.
WANG Y.A longitudinal analysis on privacy policies of several national or regional library associations[J].Library Theory and Practice，2020（4）：28-34.
[62] ROBILLARD J M，FENG T L，SPORN A B，et al.Availability，readability，and content of privacy policies and terms of agreements of mental health Apps[J].Internet Interventions，2019，17：100243.
[63] JAVED Y，AL QAHTANI E，SHEHAB M.Privacy policy analysis of banks and mobile money services in the middle east[J].Future Internet，2021，13（1）：10.
[64] ZHANG M，CHOW A，SMITH H.COVID-19 contact-tracing Apps：analysis of the readability of privacy policies[J].Journal of Medical Internet Research，2020，22（12）：e21572.
[65] BASCH C H，MOHLMAN J，HILLYER G C，et al. Public health communication in time of crisis：readability of on-line COVID-19 information[J].Disaster Medicine and Public Health Preparedness，2020，14（5）：635-637.
[66] KRUMAY B，KLAR J.Readability of privacy policies[C]//IFIP Annual Conference on Data and Applications Security and Privacy.Cham：Springer，2020：388-399.
[67] FABIAN B，ERMAKOVA T，LENTZ T.Large-scale readability analysis of privacy policies[C]//Proceedings of the International Conference on Web Intelligence，2017：18-25.
[68] ANDERSON J.Lix and rix：variations on a little-known readability index[J].Journal of Reading，1983，26（6）：490-496.
[69] COLEMAN M，LIAU T L.A computer readability formula designed for machine scoring[J].Journal of Applied Psychology，1975，60（2）：283.
[70] SENTER R J，SMITH E A.Automated readability index[R].Cincinnati Univ OH，1967.
[71] 王蕾.初中级日韩留学生文本可读性公式初探[D].北京：北京语言大学，2005.
WANG L.Research on Chinese readability formula of texts for elementary and intermediate Korean and Japanese students[D].Beijing：Beijing Language and Culture University，2005.
[72] 左虹，朱勇.中级欧美留学生汉语文本可读性公式研究[J].世界汉语教学，2014，28（2）：14.
ZUO H，ZHU Y.Research on Chinese readability formula of texts for intermediate level European and America students[J].Chinese Teaching in the World，2014，28（2）：14.
[73] 杨金余.高级汉语精读教材语言难度测定研究[D].北京：北京大学，2008.
YANG J Y.The study on measurement of language difficulty of advanced Chinese intensive reading textbooks[D].Beijing：Peking University，2008.
[74] 郭望皓.对外汉语文本易读性公式研究[D].上海：上海交通大学，2010.
GUO W H.Research on readability formula of Chinese text for foreign students[D].Shanghai：Shanghai Jiao Tong University，2010.
[75] 孙汉银.中文易读性公式[D].北京：北京师范大学，1992.
SUN H Y.Chinese readability formula[D].Beijinig：Beijing Normal University，1992.
[76] 侯尧，陶洋，杨理，等.基于差分隐私的个人轨迹信息保护机制[J].计算机工程与应用，2020，56（9）：106-110.
HOU Y，TAO Y，YANG L，et al.Personal trajectory information protection based on differential privacy mechanism[J].Computer Engineering and Applications，2020，56（9）：106-110.