Android has empowered third-party apps to access data and services on mobile devices since its genesis. This involves a wide spectrum of privacy-sensitive user data, such as the device ID and location. In recent years, Android has taken proactive measures to adapt its access control policies for such data, in response to increasingly strict privacy protection regulations around the world. When each new Android version is released, the privacy changes induced by the version evolution are transparently disclosed, and we refer to them as documented privacy changes (DPCs). Implementing DPCs in the Android OS is a non-trivial task, due not only to the dispersed nature of the access control points within the OS, but also to the challenges posed by backward compatibility. As a result, whether the actual access control enforcement in the OS implementations aligns with the disclosed DPCs becomes a critical concern.
In this work, we conduct the first systematic study on the consistency between the operational behaviors of the OS at runtime and the officially disclosed DPCs. We propose DopCheck, an automatic DPC-driven testing framework equipped with a large language model (LLM) pipeline. It features a series of analyses to extract the ontology from the privacy change documents written in natural language, and then harnesses the few-shot capability of LLMs to construct test cases for the detection of DPC-compliance issues in OS implementations. We apply DopCheck to the latest versions (10 to 13) of the Android Open Source Project (AOSP). Our evaluation involving 79 privacy-sensitive APIs demonstrates that DopCheck can effectively recognize DPCs from Android documentation and generate rigorous test cases. Our study reveals that the status quo of DPC-compliance issues is concerning, as evidenced by 19 bugs identified by DopCheck. Notably, 12 of them are discovered in Android 13 and 6 in Android 10 for the first time, exposing more than 35% of Android users to the risk of privacy leakage. Our findings should alert Android users and app developers to DPC-compliance issues when using or developing an app, and also underscore the necessity for Google to comprehensively validate the actual implementation against its privacy documentation prior to the OS release.
Fri 19 Jul
Displayed time zone: Brasilia, Distrito Federal, Brazil

10:30 - 11:00

| Time | Duration | Type | Title | Track | Authors |
|---|---|---|---|---|---|
| 10:30 | 30m | Poster | Understanding the Impact of APIs Behavioral Breaking Changes on Client Applications | Posters | Dhanushka Jayasuriya (University of Auckland), Valerio Terragni (University of Auckland), Jens Dietrich (Victoria University of Wellington), Kelly Blincoe (University of Auckland) |
| 10:30 | 30m | Poster | Your Code Secret Belongs to Me: Neural Code Completion Tools Can Memorize Hard-coded Credentials | Posters | Yizhan Huang (The Chinese University of Hong Kong), Yichen LI (The Chinese University of Hong Kong), Weibin Wu (Sun Yat-sen University), Jianping Zhang (The Chinese University of Hong Kong), Michael Lyu (The Chinese University of Hong Kong) |
| 10:30 | 30m | Poster | Natural Is The Best: Model-Agnostic Code Simplification for Pre-trained Large Language Models | Posters | Yan Wang (Central University of Finance and Economics), Xiaoning Li (Central University of Finance and Economics), Tien N. Nguyen (University of Texas at Dallas), Shaohua Wang (Central University of Finance and Economics), Chao Ni (School of Software Technology, Zhejiang University), Ling Ding (Central University of Finance and Economics) |
| 10:30 | 30m | Poster | PyRadar: Towards Automatically Retrieving and Validating Source Code Repository Information for PyPI Packages | Posters | Kai Gao (University of Science and Technology Beijing), Weiwei Xu (Peking University), Wenhao Yang (Peking University), Minghui Zhou (Peking University) |
| 10:30 | 30m | Poster | "The Law Doesn’t Work Like a Computer": Exploring Software Licensing Issues Faced by Legal Practitioners | Posters | Nathan Wintersgill (William & Mary), Trevor Stalnaker (William & Mary), Laura A. Heymann (William & Mary), Oscar Chaparro (William & Mary), Denys Poshyvanyk (William & Mary) |
| 10:30 | 30m | Poster | RavenBuild: Context, Relevance, and Dependency Aware Build Outcome Prediction | Posters | Gengyi Sun (University of Waterloo), Sarra Habchi (Ubisoft Montréal), Shane McIntosh (University of Waterloo) |
| 10:30 | 30m | Poster | MirrorFair: Fixing Fairness Bugs in Machine Learning Software via Counterfactual Predictions | Posters | Ying Xiao (King's College London / Southern University of Science and Technology), Jie M. Zhang (King's College London), Yepang Liu (Southern University of Science and Technology), Mohammad Reza Mousavi (King's College London), Sicen Liu (Southern University of Science and Technology), Dingyuan Xue (Southern University of Science and Technology) |
| 10:30 | 30m | Poster | Do Code Generation Models Think Like Us? - A Study of Attention Alignment between Large Language Models and Human Programmers | Posters | Bonan Kou (Purdue University), Shengmai Chen (Purdue University), Zhijie Wang (University of Alberta), Lei Ma (The University of Tokyo & University of Alberta), Tianyi Zhang (Purdue University) |
| 10:30 | 30m | Poster | Dependency-Induced Waste in Continuous Integration: An Empirical Study on NPM Dependencies | Posters | Nimmi Weeraddana (University of Waterloo), Mahmoud Alfadel (University of Waterloo), Shane McIntosh (University of Waterloo) |
| 10:30 | 30m | Poster | A Miss Is as Good as A Mile: Metamorphic Testing for Deep Learning Operators | Posters | Jinyin Chen (Zhejiang University of Technology), Chengyu Jia (Zhejiang University of Technology), Yunjie Yan (Zhejiang University of Technology), Jie Ge (Zhejiang University of Technology), haibin zheng (Zhejiang University of Technology), Yao Cheng (TÜV SÜD Asia Pacific Pte. Ltd.) |
| 10:30 | 30m | Poster | Investigating Documented Privacy Changes in Android OS | Posters | Chuan Yan (University of Queensland), Mark Huasong Meng (National University of Singapore), Fuman Xie (University of Queensland), Guangdong Bai (University of Queensland) |
| 10:30 | 30m | Poster | Analyzing Quantum Programs with LintQ: A Static Analysis Framework for Qiskit | Posters | |
| 10:30 | 30m | Poster | Generative AI for Pull Request Descriptions: Adoption, Impact, and Developer Interventions | Posters | Tao Xiao (Nara Institute of Science and Technology), Hideaki Hata (Shinshu University), Christoph Treude (Singapore Management University), Kenichi Matsumoto (Nara Institute of Science and Technology) |
| 10:30 | 30m | Poster | Bloat beneath Python's Scales: A Fine-Grained Inter-Project Dependency Analysis | Posters | Georgios-Petros Drosos (ETH Zurich), Thodoris Sotiropoulos (ETH Zurich), Diomidis Spinellis (Athens University of Economics and Business & Delft University of Technology), Dimitris Mitropoulos (University of Athens) |

This room is conjoined with the Foyer to provide additional space for the coffee break, and hold poster presentations throughout the event.