Project A3

Analysis of Software Privacy Leakage

Principal Investigators

Andreas Zeller

Lionel Briand

Project Summary

As Web and mobile applications can access more and more sensitive data, such as photos, location, contacts, or sites visited, there is a need to analyze and understand how these applications treat these data: whether they access sensitive data, how they process sensitive data, and how and where they propagate sensitive data. In this project, we have developed a suite of novel software engineering techniques designed to analyze privacy leakage in existing software, resulting in privacy patterns that abstract and summarize how applications access, process, and propagate sensitive data. Our patterns express abstractions over sources and sinks of sensitive data, that is, where information comes from and where it goes; this information is automatically extracted from existing software. We have considered two domains: mobile applications, focusing on local, in-device privacy leakage, and Web applications, focusing on distributed, cross-device privacy leakage.
Our techniques rely on a multi-disciplinary approach, which combines program analysis, constraint solving, and meta-heuristics to tackle the challenges posed by industrial code bases.

Role Within the Collaborative Research Center