Android apps extensively collect sensitive personal data from our devices daily. Despite stringent regulations like the European Union's General Data Protection Regulation (GDPR), many applications (apps) fail to comply with these legal requirements. While previous studies have focused on the compliance of privacy policies, checking how these policies are implemented in the actual code has not yet been extensively investigated. Moreover, previous efforts have often been limited in scope.
This paper explores the potential of Large Language Models (LLMs) to address the challenge of verifying privacy regulation compliance in Android apps. Specifically, we address scenarios where source code is unavailable by investigating whether LLMs can work with Smali code—a human-readable representation of Android bytecode extracted from APK files. Through this exploratory investigation, we aim to uncover whether LLMs can bridge the gap between legal privacy requirements and their technical implementation in mobile apps. In initial experiments, we assess the feasibility and effectiveness of a straightforward LLM-driven method for identifying compliance issues, and we provide directions for our future research efforts to improve the approach and perform large-scale experiments.
Research centre:
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > TruX - Trustworthy Software Engineering
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > SVV - Software Verification and Validation
NCER-FT - FinTech National Centre of Excellence in Research
Disciplines:
Computer science
Author, co-author:
ALECCI, Marco ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
SANNIER, Nicolas ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
CECI, Marcello ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
ABUALHAIJA, Sallam ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
SAMHI, Jordan ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
BIANCULLI, Domenico ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
External co-authors:
no
Document language:
English
Title:
Toward LLM-Driven GDPR Compliance Checking for Android Apps
Publication date:
28 July 2025
Event name:
33rd ACM International Conference on the Foundations of Software Engineering (FSE Companion '25)
Event organiser:
ACM
Event venue:
Trondheim, Norway
Event date:
23-27 June 2025
Event scope:
International
Title of main work:
Proceedings of the 33rd ACM International Conference on the Foundations of Software Engineering (FSE Companion '25)
Publisher:
ACM - Association for Computing Machinery
Pagination:
606-610
Peer reviewed:
Peer reviewed
FNR project:
FNR16344458 - REPROCESS - Pre And Post Processing For Comprehensive And Practical Android App Static Analysis, 2021 (01/07/2022-30/06/2025) - Jacques Klein
FNR16570468 - NCER-FT - 2021 (01/03/2023-28/02/2025) - Gilbert Fridgen
Funding body:
FNR - Luxembourg National Research Fund
Fund number:
NCER22/IS/16570468/NCER-FT; C21/IS/16344458
Funding (details):
This research was funded in whole, or in part, by the Luxembourg National Research Fund (FNR), grant reference NCER22/IS/16570468/NCER-FT and REPROCESS grant reference C21/IS/16344458.
For the purpose of open access, and in fulfillment of the obligations arising from the grant agreement, the author has applied a Creative Commons Attribution 4.0 International (CC BY 4.0) license to any Author Accepted Manuscript version arising from this submission.