Toward LLM-Driven GDPR Compliance Checking for Android Apps

[en] Android apps extensively collect sensitive personal data from our devices daily. Despite stringent regulations like the European Union's General Data Protection Regulation (GDPR), many applications (apps) fail to comply with these legal requirements. While previous studies have focused on the compliance of privacy policies, checking how these policies are implemented in the actual code has not yet been extensively investigated. Moreover, previous efforts have often been limited in scope. This paper explores the potential of Large Language Models (LLMs) to address the challenge of verifying privacy regulation compliance in Android apps. Specifically, we address scenarios where source code is unavailable by investigating whether LLM can work with Smali code—a human-readable representation of Android bytecode extracted from APK files. Through this exploratory investigation, we aim to uncover if LLMs can bridge the gap between legal privacy requirements and their technical implementation in mobile apps. Through initial experiments, we assess the feasibility and effectiveness of a straightforward LLM-driven method for identifying compliance issues and provide directions for our future research efforts to improve our approach and perform large-scale experiments.

Research center :

Interdisciplinary Centre for Security, Reliability and Trust (SnT) > TruX - Trustworthy Software Engineering
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > SVV - Software Verification and Validation
NCER-FT - FinTech National Centre of Excellence in Research

Disciplines :

Computer science

Author, co-author :

ALECCI, Marco ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

SANNIER, Nicolas ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV

CECI, Marcello ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV

ABUALHAIJA, Sallam ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV

SAMHI, Jordan ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

BIANCULLI, Domenico ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV

BISSYANDE, Tegawendé François d Assise ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX

External co-authors :

Language :

English

Title :

Toward LLM-Driven GDPR Compliance Checking for Android Apps

Publication date :

28 July 2025

Event name :

33rd ACM International Conference on the Foundations of Software Engineering (FSE Companion '25)

Event organizer :

ACM

Event place :

Trondheim, Norway

Event date :

23-27 June 2025

Audience :

International

Main work title :

Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering (FSE Companion '25)

Publisher :

ACM - Association for Computing Machinery

Pages :

606-610

Peer reviewed :

Peer reviewed

FnR Project :

FNR16344458 - REPROCESS - Pre And Post Processing For Comprehensive And Practical Android App Static Analysis, 2021 (01/07/2022-30/06/2025) - Jacques Klein
FNR16570468 - NCER-FT - 2021 (01/03/2023-28/02/2025) - Gilbert Fridgen

Funders :

FNR - Luxembourg National Research Fund

Funding number :

NCER22/IS/16 570468/NCER-FT; C21/IS/16344458

Funding text :

This research was funded in whole, or in part, by the Luxembourg National Research Fund (FNR), grant reference NCER22/IS/16570468/NCER-FT and REPROCESS grant reference C21/IS/16344458. For the purpose of open access, and in fulfillment of the obligations arising from the grant agreement, the author has applied a Creative Commons Attribution 4.0 International (CC BY 4.0) license to any Author Accepted Manuscript version arising from this submission.

Data Set :

AppComplianceLLM

Available on ORBilu :

since 07 April 2025

Statistics

Number of views

350 (39 by Unilu)

Number of downloads

413 (24 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

OpenCitations

OpenAlex citations

Bibliography

L. Zhou, C. Wei, T. Zhu, G. Chen, X. Zhang, S. Du, H. Cao, and H. Zhu, “{POLICYCOMP}: Counterpart comparison of privacy policies uncovers overbroad personal data collection practices,” in 32nd USENIX Security Symposium (USENIX Security 23), 2023, pp. 1073-1090.
J. Reardon, Á. Feal, P. Wijesekera, A. E. B. On, N. Vallina-Rodriguez, and S. Egelman, “50 ways to leak your data: An exploration of apps’ circumvention of the android permissions system,” in 28th USENIX Security Symposium (USENIX Security 19). Santa Clara, CA: USENIX Association, Aug. 2019, pp. 603-620. [Online]. Available: https://www.usenix.org/conference/usenixsecurity19/presentation/reardon
L. Verderame, D. Caputo, A. Romdhana, and A. Merlo, “On the (un) reliability of privacy policies in android apps,” in 2020 international joint conference on neural networks (IJCNN). IEEE, 2020, pp. 1-9.
European Parliament and Council of the European Union, “Regulation (EU) 2016/679 of the European Parliament and of the Council,” 2016. [Online]. Available: https://data.europa.eu/eli/reg/2016/679/oj
A. Xiang, W. Pei, and C. Yue, “Policychecker: Analyzing the gdpr completeness of mobile apps’ privacy policies,” in Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2023, pp. 3373-3387.
S. Liu, B. Zhao, R. Guo, G. Meng, F. Zhang, and M. Zhang, “Have you been properly notified? automatic compliance analysis of privacy policy text with gdpr article 13,” in Proceedings of the Web Conference 2021, 2021, pp. 2154-2164.
O. Amaral Cejas, S. Abualhaija, and L. Briand, “Compai: A tool for gdpr completeness checking of privacy policies using artificial intelligence,” in IEEE/ACM International Conference on Automated Software Engineering. Association for Computing Machinery, 2024.
O. Amaral, S. Abualhaija, D. Torre, M. Sabetzadeh, and L. C. Briand, “Ai-enabled automation for completeness checking of privacy policies,” IEEE Trans. Software Eng., vol. 48, no. 11, pp. 4647-4674, 2022.
R. E. Hamdani, M. Mustapha, D. R. Amariles, A. Troussel, S. Meeùs, and K. Krasnashchok, “A combined rule-based and machine learning approach for automated gdpr compliance checking,” in Proceedings of the Eighteenth International Conference on Artificial Intelligence and Law, 2021, pp. 40-49.
S. Hassani, M. Sabetzadeh, D. Amyot, and J. Liao, “Rethinking legal compliance automation: Opportunities with large language models,” arXiv preprint arXiv:2404.14356, 2024.
D. Rodriguez, I. Yang, J. M. Del Alamo, and N. Sadeh, “Large language models: a new approach for privacy policy analysis at scale,” Computing, pp. 1-25, 2024.
A. Hooda, R. Khandelwal, P. Chalasani, K. Fawaz, and S. Jha, “Policylr: A logic representation for privacy policies,” arXiv preprint arXiv:2408.14830, 2024.
A. Goknil, F. B. Gelderblom, S. Tverdal, S. Tokas, and H. Song, “Privacy policy analysis through prompt engineering for LLMs,” arXiv preprint arXiv:2409.14879, 2024.
R. Slavin, X. Wang, M. B. Hosseini, J. Hester, R. Krishnan, J. Bhatia, T. D. Breaux, and J. Niu, “Toward a framework for detecting privacy policy violations in android application code,” in Proceedings of the 38th International conference on software engineering, 2016, pp. 25-36.
X. Zhang, J. Heaps, R. Slavin, J. Niu, T. Breaux, and X. Wang, “Daisy: Dynamic-analysis-induced source discovery for sensitive data,” ACM Trans. Softw. Eng. Methodol., vol. 32, no. 4, 2023. [Online]. Available: https://doi.org/10.1145/3569936
D. S. Guamán, J. M. Del Alamo, and J. C. Caiza, “Gdpr compliance assessment for cross-border personal data transfers in android apps,” IEEE Access, vol. 9, pp. 15 961-15 982, 2021.
M. Fan, L. Yu, S. Chen, H. Zhou, X. Luo, S. Li, Y. Liu, J. Liu, and T. Liu, “An empirical evaluation of gdpr compliance violations in android mhealth apps,” in 2020 IEEE 31st international symposium on software reliability engineering (ISSRE). IEEE, 2020, pp. 253-264.
S. Feng and C. Chen, “Prompting is all you need: Automated android bug replay with large language models,” in Proceedings of the 46th IEEE/ACM International Conference on Software Engineering, 2024, pp. 1-13.
Z. Liu, C. Chen, J. Wang, M. Chen, B. Wu, X. Che, D. Wang, and Q. Wang, “Make LLM a testing expert: Bringing human-like interaction to mobile gui testing via functionality-aware decisions,” in Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 2024, pp. 1-13.
Y. Huang, J. Wang, Z. Liu, Y. Wang, S. Wang, C. Chen, Y. Hu, and Q. Wang, “Crashtranslator: Automatically reproducing mobile application crashes directly from stack trace,” in Proceedings of the 46th IEEE/ACM International Conference on Software Engineering, 2024, pp. 1-13.
W. Zhao, J. Wu, and Z. Meng, “Apppoet: Large language model based android malware detection via multi-view prompt engineering,” arXiv preprint arXiv:2404.18816, 2024.
H. Li, Y. Hao, Y. Zhai, and Z. Qian, “Enhancing static analysis for practical bug detection: An LLM-integrated approach,” Proceedings of the ACM on Programming Languages, vol. 8, no. OOPSLA1, pp. 474-499, 2024.
Y. Sun, D. Wu, Y. Xue, H. Liu, H. Wang, Z. Xu, X. Xie, and Y. Liu, “Gptscan: Detecting logic vulnerabilities in smart contracts by combining gpt with program analysis,” in Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, 2024, pp. 1-13.
A. Khare, S. Dutta, Z. Li, A. Solko-Breslin, R. Alur, and M. Naik, “Understanding the effectiveness of large language models in detecting security vulnerabilities,” arXiv preprint arXiv:2311.16169, 2023.
K. Pei, D. Bieber, K. Shi, C. Sutton, and P. Yin, “Can large language models reason about program invariants?” in International Conference on Machine Learning. PMLR, 2023, pp. 27 496-27 520.
W. Ma, S. Liu, Z. Lin, W. Wang, Q. Hu, Y. Liu, C. Zhang, L. Nie, L. Li, and Y. Liu, “Lms: Understanding code syntax and semantics for code analysis,” arXiv preprint arXiv:2305.12138, 2023.
W. Sun, C. Fang, Y. You, Y. Miao, Y. Liu, Y. Li, G. Deng, S. Huang, Y. Chen, Q. Zhang et al., “Automatic code summarization via chatgpt: How far are we?” arXiv preprint arXiv:2305.12865, 2023.
A. P. S. Venkatesh, S. Sabu, A. M. Mir, S. Reis, and E. Bodden, “The emergence of large language models in static analysis: A first look through micro-benchmarks,” in Proceedings of the 2024 IEEE/ACM First International Conference on AI Foundation Models and Software Engineering, 2024, pp. 35-39.
Google, “Dalvik bytecode forma,” 2024. [Online]. Available: https://source.android.com/docs/core/runtime/dalvik-bytecode
M. Alecci, “App compliance llm (github repository).” [Online]. Available: https://github.com/Trustworthy-Software/AppComplianceLLM
M. Alecci, “App compliance llm (zenodo resource).” [Online]. Available: https://zenodo.org/records/15168296
“Apktool,” https://apktool.org/, accessed: 2024-10-04.
J. Samhi, T. F. Bissyandé, and J. Klein, “Androlibzoo: A reliable dataset of libraries based on software dependency analysis,” in 2024 IEEE/ACM 21st International Conference on Mining Software Repositories (MSR). IEEE, 2024, pp. 32-36.
“Ollama,” https://ollama.com/, accessed: 2024-10-04.
Ollama, “Ollama: A command-line interface for ai models,” https://github.com/ollama/ollama, accessed: 2024-10-04.
M. AI, “Llama 3.1 8b,” https://huggingface.co/meta-llama/Llama-3.1-8B, 2024, accessed: 2024-10-10.
NVIDIA, “Dgx station system architecture whitepaper,” 2024, accessed: 2024-10-10. [Online]. Available: https://www.nvidia.com/en-gb/data-center/resources/dgxstation-system-architecture-whitepaper/
C. Negri-Ribalta and M. L.-P. C. Salinesi, “Understanding the gdpr from a requirements engineering perspective - a systematic mapping study on regulatory data protection requirements,” Requir. Eng., pp. 1-27, 2024.
Google, “Firebase,” 2024, accessed: 2024-11-12. [Online]. Available: https://firebase.google.com/
A. Q. Jiang, A. Sablayrolles, A. Mensch, C. Bamford, D. S. Chaplot, D. de las Casas, F. Bressand, G. Lengyel, G. Lample, L. Saulnier, L. R. Lavaud, M.-A. Lachaux, P. Stock, T. L. Scao, T. Lavril, T. Wang, T. Lacroix, and W. E. Sayed, “Mistral 7b,” 2023. [Online]. Available: https://arxiv.org/abs/2310.06825
OpenAI, “Gpt-4 technical report,” 2024. [Online]. Available: https://arxiv.org/abs/2303.08774
“Gpt-4o system card,” 2024. [Online]. Available: https://arxiv.org/abs/2410.21276
J. Gao, L. Li, T. F. Bissyandé, and J. Klein, “On the evolution of mobile app complexity,” in 2019 24th international conference on engineering of complex computer systems (ICECCS). IEEE, 2019, pp. 200-209.
C. Patsakis, F. Casino, and N. Lykousas, “Assessing LLMs in malicious code deobfuscation of real-world malware campaigns,” 2024. [Online]. Available: https://arxiv.org/abs/2404.19715
A. Swindle, D. McNealy, G. Krishnan, and R. Ramyaa, “Evaluation of large language models on code obfuscation (student abstract),” in Proceedings of the AAAI Conference on Artificial Intelligence, vol. 38, no. 21, 2024, pp. 23 664-23 666.