October 7, 2019
This new tool for developers can help preserve app users' privacy
When you open a newly installed app on your phone and it says to you, "This app would like to use your location data," what do you do? Depending on the app, you might be thinking, Why does it need my location? Wouldn't it be great if it just told you why?
"When app developers are coding these types of data requests, privacy is oftentimes an afterthought," says CyLab's Jason Hong, a professor in the Human-Computer Interaction Institute (HCII). "We wanted to create something that would bring privacy to the forefront of their thinking when developing these apps."
Hong teamed up with HCII Ph.D. student Tianshi Li and Institute for Software Research (ISR) professor Yuvraj Agarwal to create an integrated development environment (IDE) plugin that nudges developers to think a bit harder about user privacy when coding data requests.
Li presented the IDE plugin, which they dubbed "Coconut," at last month's ACM International Joint Conference on Pervasive and Ubiquitous Computing (Ubicomp) in London.
"Coconuts are versatile fruits, and we wanted our plugin to be versatile in its ability to provide multiple types of benefits for privacy," says Li.
As a developer writes the code for an app using Coconut, the plugin's heuristics automatically detect when a request for user data is made and trigger a popup reminding the developer to write an annotation explaining the reasons behind the request. Rather than writing one from scratch, developers have the option of choosing one from a list of pre-written annotations explaining the reason behind the request, such as "Data collection for advertising," "Location-based game," or "Maps and navigation," among others.
A "PrivacyChecker" window within Coconut aggregates all of the data practices coded into the app, paired with the annotations that explain why they're there.
The researchers evaluated their plugin by asking 18 Android developers, including eight professional developers, to use it. They found that apps developed with Coconut dealt with privacy concerns better, and the developers themselves had a better understanding of the apps' data practices, which resulted in them writing better privacy policies.
Coconut is available for download on GitHub. The current version only works for Android developers.
The HCII and ISR are both housed in Carnegie Mellon's School of Computer Science.