Detecting Personally Identifiable Information Transmission in Android Applications Using Light-Weight Static Analysis
Computers & Security (IF 5.6), Pub Date: 2020-12-01, DOI: 10.1016/j.cose.2020.102011
Nattanon Wongwiwatchai, Phannawhat Pongkham, Kunwadee Sripanidkulchai

Abstract: This convenience of mobile devices has driven significant growth in the volume of personal information users store on their devices as well as everyday mobile application usage. However, users are becoming increasingly aware of the access these applications have to their personal information and the risk that applications may transmit Personally Identifiable Information (PII) to external servers, sometimes unknowingly to users. There is no easy way to know whether or not an application transmits PII. If this information could be made available to users as early as when they are browsing application markets looking for new applications to install on their devices, they can weigh the pros and cons to make an informed decision on the associated risk of their private information potentially being exposed. Previously, detection of PII transmission has been tackled using heavy-weight techniques such as static code analysis and dynamic behavior analysis requiring from several minutes to hours of testing and analysis per application. In contrast, we propose using light-weight methods to extract features that we then use to develop a classification model to detect PII transmission in under a minute with performance that rivals the heavy-weight techniques. We evaluate our model using an extensive set of more than 8700 top-ranked Android applications. Our approach is precise and fast, making it suitable for real-time detection and analysis of PII transmission in mobile applications.

Updated: 2020-12-01