Do as You Say: Consistency Detection of Data Practice in Program Code and Privacy Policy in Mini-App

Abstract

Mini-app is an emerging form of mobile application that combines web technology with native capabilities. Its features, e.g., no need to download and no installation, have made it popular rapidly. However, privacy issues that violate the laws or regulations are breeding in the swiftly expanding mini-app ecosystem. Ensuring consistency between the mini-app's data practices embedded in its program code behavior and privacy policy description is crucial. But no work has systematically investigated the privacy problem of the mini-app before. To achieve this purpose, there are two main challenges. Firstly, the mini-app represents a novel application form, and a deficiency exists in information-sensitive code analysis tools capable of accurately discerning data practices from the code. Secondly, previous studies focusing on consistency have exhibited granularity issues related to data types and consistency patterns. This paper introduces MiniDetector, a novel approach for identifying consistency issues in mini-apps. MiniDetector employs data flow analysis to pinpoint data practices within the program code and utilizes a two-stage prompt engineering process to extract data practices from privacy policies. The results from both analyses are then compared to establish a consistency match. The proposed method undergoes sufficiency evaluations on a dataset comprising 70 mini-apps. Additionally, we conduct a comprehensive analysis of 100,000 mini-apps on the WeChat client in the wild, extracting 3,369 with privacy policies. Astonishingly, only 11 of these meet the consistency requirements, while 3,358 exhibit inconsistencies, resulting in an alarming inconsistency rate of 99.7%.