A. Contribution

  1. Problem addressed by the paper

Finding missing prompt and placing it properly before an application require sensitive information.

  1. Solution proposed in the paper. Why is it better than previous work?

Automatic static analysis approach that considers four important conditions: safe, visible, frugal, not-repetitive. Previous works do not consider all those four conditions.

  1. The major results

The experiment successfully places the prompt in 95% unique 150 cases from 100 applications tested.

B. Basic idea and approach. How does the solution work?

The authors implement a graph-based algorithm to track control-flow of appropriate prompt before an application can use sensitive information. Then it will place missing prompt via dominator-based with backward analysis as failover. Then they tested it on 100 selected applications.


C. Strengths

  1. The research done by a vendor (Microsoft). The result should benefit all users of Microsoft Windows Mobile platform.
  2. The authors solution is scalable to all applications.

D. Weaknesses

  1. Providing a prompt does not guarantee that the applications do not violate users’ privacy. The applications can still misuse the sensitive information they receive.
  2. The implementation has 3 recursive passes. This should require expensive performance penalty.
  3. The 100 applications only selected by those require location and network permission. They should also consider other sensitive sensor like camera and microphone. They should also consider selecting popular applications since it will give more impact to users. Randomly selecting applications can end up with some junk applications that no one uses.
  4. They have high false positives that could incur double prompting.
  5. They only tested with 100 common advertisement libraries. Applications can use other library.

E. Future work, Open issues, possible improvements

  1. Future improvements should also target obfuscated applications. And since Microsoft as vendor capable of doing source code analysis, they should incorporate those in the applications submission process.