Chuan Yan
Ph.D. student at the University of Queensland

I’m a third-year Ph.D. student at the School of Electrical Engineering and Computer Science, the University of Queensland, mentored by A/Prof. Guangdong Bai.

My research focuses on detecting security and privacy issues in operating systems and third-party application ecosystems, using privacy documentation as the reference against which behaviour is checked. My work has been published in leading conferences and journals, including FSE, ICSE, ASE and PETS.


Honors & Awards
  • 2024 ASE Distinguished Paper Award (2024)
  • Dean's Commendation for Academic Excellence (2022)
  • Best emo award in UQ (2022)
  • Outstanding flag-raiser (2012)
Research Interests
  • LLM deployment security
  • Android testing
  • VR game engine reverse engineering
  • NLP analysis
News
2024
  • Oct 31: Our ASE'24 paper received a Distinguished Paper Award 🏆! We thank the community for the recognition of our work!
  • Aug 08: Our paper on LLM security testing is accepted by ASE'24!
  • Apr 19: Our paper on LLM-driven testing is accepted by FSE'24!
  • Mar 16: One paper on web permission requests is accepted by ICECCS'24!
2023
  • Oct 11: Our paper on user privacy fairness of VPA apps is accepted by ICSE'24!
  • Aug 07: Our paper on privacy compliance is accepted by PETS'24!
2022
  • Sep 01: Our paper on VPA privacy compliance is accepted by ASE'22!
Selected Publications
Exploring ChatGPT App Ecosystem: Distribution, Deployment and Security

Chuan Yan, Ruomai Ren, Mark Huasong Meng, Liuhuo Wan, Tian Yang Ooi, Guangdong Bai

CCF-A CORE-A* Distinguished Paper 🏆 ASE'24: The 39th IEEE/ACM International Conference on Automated Software Engineering 2024

We conduct the first comprehensive study of the ChatGPT app ecosystem, aiming to unveil its landscape to our research community. Our study focuses on the distribution and deployment models in the integration of LLMs and third-party apps, and assesses their security and privacy implications. We investigate the runtime execution mechanism of ChatGPT apps and accordingly propose a three-layer security assessment model from the perspectives of users, app developers, and store operators.

Investigating Documented Privacy Changes in Android OS

Chuan Yan, Mark Huasong Meng, Fuman Xie, Guangdong Bai

CCF-A CORE-A* FSE'24: Proceedings of the ACM on Software Engineering, Volume 1, Issue FSE 2024

We conduct the first systematic study on the consistency between the operational behaviors of the OS at runtime and the officially disclosed documented privacy changes (DPCs). We propose DopCheck, an automatic DPC-driven testing framework equipped with a large language model (LLM) pipeline. It features a series of analyses to extract the ontology from the privacy change documents written in natural language, and then harnesses the few-shot capability of LLMs to construct test cases for the detection of DPC-compliance issues in OS implementations.

On the quality of privacy policy documents of virtual personal assistant applications

Chuan Yan, Fuman Xie, Mark Huasong Meng, Yanjun Zhang, Guangdong Bai

CCF-C CORE-A PETS'24: The 24th Privacy Enhancing Technologies Symposium 2024

We conduct the first systematic study on the quality of privacy policies in the VPA app domain. Based on our review of literature and documents from standard working groups, we identify four metrics that enable the quality of the privacy policy to become measurable, including timeliness, availability, completeness and readability. We then develop QuPer, which extracts the meta features (e.g., update history) and linguistic features (e.g., sentence semantics) from privacy policies, and assesses their quality. Our analysis reveals that the status of the quality of privacy policies in the VPA app domain is concerning.
