Hey, You, Get off My Private Data: Do Apps Respect Your Privacy as They Claim?

Presented at Black Hat Asia 2021 Virtual, May 7, 2021, 2:20 p.m. (40 minutes)

In recent years, we have witnessed many major companies being punished by regulators and legislation for violating personal data privacy. Some of these violations may stem from misunderstanding, or even complete unawareness, of the data protection laws. In this talk, we will present our study of multinational data protection regulations and a large-scale compliance assessment of apps. We will focus on whether apps give users control over their personal data, in particular the right to be informed, to consent, to be erased and forgotten, and to obtain data portability. We developed a framework to assess compliance with data protection regulations in Android apps, and we will release it as an automated open-source tool that app developers can use to check their own apps. We also applied our framework to the Top-1,000 apps in the Google Play Store and in alternative stores, and surprisingly found that privacy violations are pervasive among them. We will present our findings and recommendations to raise an alert to all app manufacturers, among other stakeholders.


Presenters:

  • Qing Zhang - Senior Security Researcher, Bytedance
    Zhang Qing is a senior security researcher. Previously, he was a visiting scholar at the Model Checking Lab of the National University of Singapore. His interests include Android security, IoT security and payment security, specializing in reverse engineering and fuzzing. His work has appeared at syscan360 2016, Black Hat 2017, HITB 2017, HITB 2018 and more. In 2016, 2017 and 2018, he won the year-long first-place prizes in vulnerability detection from several major companies, such as Samsung, Huawei, Meizu, Chuizi and OPPO.
  • Guangdong Bai - Senior Lecturer, The University of Queensland
    Dr. Guangdong Bai is a Senior Lecturer at the University of Queensland. He received his PhD degree from the National University of Singapore in 2015. His research interests span the broad areas of mobile security, web security, and protocol verification. In his previous research, he worked on analyzing authentication protocol implementations, online payment systems, and Android security. His research has helped identify and fix serious security vulnerabilities in major websites such as Sina Weibo. His work appears in top security conferences, such as NDSS, Syscan, HITB and Black Hat Europe/Asia.
