Chuan Yan, Ruomai Ren, Mark Huasong Meng, Liuhuo Wan, Tian Yang Ooi, Guangdong Bai
CCF-A CORE-A* Distinguished Paper 🏆 ASE'24: The 39th IEEE/ACM International Conference on Automated Software Engineering 2024
We conduct the first comprehensive study of the ChatGPT app ecosystem, aiming to unveil its landscape to our research community. Our study focuses on the distribution and deployment models in the integration of LLMs and third-party apps, and assesses their security and privacy implications. We investigate the runtime execution mechanism of ChatGPT apps and accordingly propose a three-layer security assessment model from the perspectives of users, app developers, and store operators.
Chuan Yan, Mark Huasong Meng, Fuman Xie, Guangdong Bai
CCF-A CORE-A* FSE'24: Proceedings of the ACM on Software Engineering, Volume 1, Issue FSE 2024
We conduct the first systematic study on the consistency between the operational behaviors of the OS at runtime and the officially disclosed DPCs. We propose DopCheck, an automatic DPC-driven testing framework equipped with a large language model (LLM) pipeline. It features a series of analyses to extract the ontology from the privacy change documents written in natural language, and then harnesses the few-shot capability of LLMs to construct test cases for the detection of DPC-compliance issues in OS implementations.
Fuman Xie, Chuan Yan, Mark Huasong Meng, Shaoming Teng, Yanjun Zhang, Guangdong Bai
CCF-A CORE-A* ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering 2024
We present Pico, a privacy inconsistency detector, which checks the VPA app's privacy compliance by analyzing (in)consistency between data requested and data essential for its functionality. Pico understands the app's functionality topics from its publicly available textual data, and leverages advanced GPT-based language models to address domain-specific challenges.
Liuhuo Wan, Chuan Yan, Mark Huasong Meng, Kailong Wang, Haoyu Wang
CCF-C CORE-B ICECCS '24: 28th International Conference on Engineering of Complex Computer Systems 2024
We propose an end-to-end approach to automatically detecting excessive permissions among add-ons. It advocates purpose limitation: the permissions requested by an add-on should serve its specific functionality and comply with the actual needs of fulfilling that functionality. Our approach uses a hybrid analysis to detect excessive permissions, combining analysis of the add-on's runtime behavior and source code with state-of-the-art language processing techniques for interpreting textual artifacts. This approach can serve users, developers, and store operators as an efficient and practical detection mechanism for excessive permissions.
Chuan Yan, Fuman Xie, Mark Huasong Meng, Yanjun Zhang, Guangdong Bai
CCF-C CORE-A PETS'24: The 24th Privacy Enhancing Technologies Symposium 2024
We conduct the first systematic study on the quality of privacy policies in the VPA app domain. Based on our review of literature and documents from standard working groups, we identify four metrics that make the quality of a privacy policy measurable: timeliness, availability, completeness, and readability. We then develop QuPer, which extracts meta features (e.g., update history) and linguistic features (e.g., sentence semantics) from privacy policies and assesses their quality. Our analysis reveals that the quality of privacy policies in the VPA app domain is concerning.
Fuman Xie, Yanjun Zhang, Chuan Yan, Suwan Li, Lei Bu, Kai Chen, Zi Huang, Guangdong Bai
CCF-A CORE-A* Proceedings of the 37th IEEE/ACM International Conference on Automated Software Engineering 2022
We conduct the first systematic study on the privacy policy compliance issue of VPA apps. We develop Skipper, which targets Amazon Alexa skills. It automatically derives a skill's declared privacy profile by analyzing its privacy policy document with Natural Language Processing (NLP) and machine learning techniques, and derives the behavioral privacy profile of the skill through black-box testing. We conduct a large-scale analysis of all skills listed on the Alexa store, and find that a large number of skills suffer from privacy policy noncompliance issues.