Proceedings on Privacy Enhancing Technologies YYYY(X) N. Samarin et al.
REFERENCES
[1]
Yasemin Acar, Michael Backes, Sascha Fahl, Simson Garnkel, Doowon Kim,
Michelle L Mazurek, and Christian Stransky. 2017. Comparing the usability of
cryptographic apis. In 2017 IEEE Symposium on Security and Privacy (SP). IEEE,
154–171.
[2]
Mansour Ahmadi, Battista Biggio, Steven Arzt, Davide Ariu, and Giorgio Gi-
acinto. 2016. Detecting misuse of google cloud messaging in android badware.
In Proceedings of the 6th Workshop on Security and Privacy in Smartphones and
Mobile Devices. 103–112.
[3] AirShip. 2023. Android SDK Setup. https://docs.airship.com/platform/mobile/
setup/sdk/android/. (Accessed on 10/10/2023).
[4] Noura Alomar and Serge Egelman. 2022. Developers say the darnedest things:
Privacy compliance processes followed by developers of child-directed apps.
Proceedings on Privacy Enhancing Technologies 4, 2022 (2022), 24.
[5]
R. Anderson. 2001. Why information security is hard - an economic perspective.
In Seventeenth Annual Computer Security Applications Conference. 358–365. https:
//doi.org/10.1109/ACSAC. 2001.991552
[6]
Benjamin Andow, Samin Yaseer Mahmud, Wenyu Wang, Justin Whitaker,
William Enck, Bradley Reaves, Kapil Singh, and Tao Xie. 2019. PolicyLint:
Investigating Internal Privacy Policy Contradictions on Google Play. In 28th
USENIX security symposium (USENIX security 19). USENIX, Berkeley, CA, USA,
585–602.
[7]
Benjamin Andow, Samin Yaseer Mahmud, Justin Whitaker, William Enck,
Bradley Reaves, Kapil Singh, and Serge Egelman. 2020. Actions Speak Louder
than Words:Entity-Sensitive Privacy Policy and Data Flow Analysis with
PoliCheck. In 29th USENIX Security Symposium (USENIX Security 20). USENIX,
Berkeley, CA, USA, 985–1002.
[8]
Apple. 2023. Notications Overview. Apple Developer. https://
developer.apple.com/notications/.
[9]
Apple. 2023. Push Token Requests. https://www
.
apple
.
com/legal/transparency/
push-token. html. (Accessed on 06/01/2024).
[10]
Apple Inc. 2023. Generating a remote notication . https://developer
.
apple
.
com/
documentation/usernotications/setting
_
up
_
a
_
remote
_
notication
_
server/
generating_a_remote_notication. (Accessed on 10/10/2023).
[11]
Internet Archive. 2023. Wayback Machine. https://archive
.
org/. (Accessed on
10/10/2023).
[12]
Kayce Basques and Matt Gaunt. 2023. Push notications overview. https:
//web.dev/articles/push-notications-overview. (Accessed on 10/10/2023).
[13]
Android Developers Blog. 2018. Project Capillary: End-to-end encryption for
push messaging, simplied. https://android-developers
.
googleblog
.
com/2018/
06/project-capillary-end-to-end-encryption. html. (Accessed on 10/10/2023).
[14]
Duc Bui, Kang G Shin, Jong-Min Choi, and Junbum Shin. 2021. Automated
Extraction and Presentation of Data Practices in Privacy Policies. Proceedings
on Privacy Enhancing Technologies (PoPETs) 2021, 2 (2021), 88–110.
[15]
L. Cavallaro, P. Saxena, and R. Sekar. 2008. On the Limits of Information Flow
Techniques for Malware Analysis and Containment. In Proc. of DIMVA. Springer-
Verlag, 143–163. http://dx.doi.org/10.1007/978-3-540-70542-0_8
[16] Ann Cavoukian. 2009. Privacy by design. (2009).
[17]
Yangyi Chen, Tongxin Li, XiaoFeng Wang, Kai Chen, and Xinhui Han. 2015.
Perplexed messengers from the cloud: Automated security analysis of push-
messaging integrations. In Proceedings of the 22nd ACM SIGSAC Conference on
Computer and Communications Security. 1260–1272.
[18]
U.S. Federal Trade Commission. 2021. Flo Health, Inc. https://www
.
ftc
.
gov/legal-
library/browse/cases-proceedings/192-3133-o-health-inc.
[19]
U.S. Federal Trade Commission. 2024. Avast, Ltd. https://www
.
ftc
.
gov/system/
les/ftc_gov/pdf/Complaint-Avast. pdf.
[20]
Cox, Joseph. 2023. Here’s a Warrant Showing the U.S. Government is Moni-
toring Push Notications. https://www
.
404media
.
co/us-government-warrant-
monitoring-push-notications-apple-google-yahoo/. (Accessed on 06/01/2024).
[21]
Cybersecurity and Infrastructure Security Agency (CISA). 2023. Shift-
ing the Balance of Cybersecurity Risk: Principles and Approaches for Se-
cure by Design Software. https://www
.
cisa
.
gov/sites/default/les/2023-10/
SecureByDesign_1025_508c.pdf. (Accessed on 06/01/2024).
[22]
Samsung Electronics. 2023. Samsung Push Service. https://play
.
google
.
com/
store/apps/details?id=com.sec.spp. push. (Accessed on 06/01/2024).
[23]
W. Enck, P. Gilbert, B. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth.
2010. TaintDroid: An Information-ow Tracking System for Realtime Privacy
Monitoring on Smartphones. In Proc. of the 9th USENIX conference on Operating
systems design and implementation (OSDI). 393–407.
[24]
Ming Fan, Le Yu, Sen Chen, Hao Zhou, Xiapu Luo, Shuyue Li, Yang Liu, Jun Liu,
and Ting Liu. 2020. An empirical evaluation of GDPR compliance violations in
Android mHealth apps. In 2020 IEEE 31st international symposium on software
reliability engineering (ISSRE). IEEE, New York, NY, USA, 253–264.
[25]
Federal Trade Commision (FTC). 2020. FTC Requires Zoom to Enhance
its Security Practices as Part of Settlement. https://www
.
ftc
.
gov/news-
events/news/press-releases/2020/11/ftc-requires-zoom-enhance-its-security-
practices-part-settlement. (Accessed on 01/01/2024).
[26]
A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. 2012. Android
permissions: user attention, comprehension, and behavior. In Proceedings of
the 8th Symposium on Usable Privacy and Security (Washington, D.C.) (SOUPS
’12). ACM, New York, NY, USA, Article 3, 14 pages. https://doi
.
org/10
.
1145/
2335356.2335360
[27]
European Union Agency for Cybersecurity (ENISA). 2023. Engineering Personal
Data Sharing. https://www
.
enisa
.
europa
.
eu/publications/engineering-personal-
data-sharing. (Accessed on 06/01/2024).
[28]
Frederick P. Brooks, Jr. 1975. The Mythical Man-Month: Essays on Software
Engineering. Addison-Wesley.
[29] Frida. 2022. https://frida. re/.
[30]
C. Gibler, J. Crussell, J. Erickson, and H. Chen. 2012. AndroidLeaks: Automati-
cally Detecting Potential Privacy Leaks in Android Applications on a Large Scale.
In Proc. of the 5th international conference on Trust and Trustworthy Computing
(TRUST). Springer-Verlag, 291–307.
[31]
GizChina. 2023. HARMONYOS IS NOW FIRMLY THE THIRD LARGEST
MOBILE PHONE OPERATING SYSTEM. https://www
.
gizchina
.
com/2023/
05/20/harmonyos-is-now-rmly-the-third-largest-mobile-phone-operating-
system/. (Accessed on 01/01/2024).
[32]
Google. 2023. BaseBundle. Android Developers. https://developer
.
android
.
com/
reference/android/os/BaseBundle.
[33]
Google. 2023. Design for Safety. Google Developers. https://
developer.android. com/quality/privacy-and-security.
[34]
Google. 2023. FirebaseMessagingService. https://rebase
.
google
.
com/docs/
reference/android/com/google/rebase/messaging/FirebaseMessagingService.
(Accessed on 06/01/2024).
[35]
Google. 2023. Play Console Help: Provide information for Google Play’s
Data safety section. https://support
.
google
.
com/googleplay/android-developer/
answer/10787469. (Accessed on 06/01/2024).
[36]
Google for Developers. 2024. About FCM messages. Developer documenta-
tion for Firebase. https://rebase
.
google
.
com/docs/cloud-messaging/concept-
options.
[37]
M. I. Gordon, D. Kim, J. Perkins, Gilhamy, N. Nguyenz, and M. Rinard. 2015.
Information-Flow Analysis of Android Applications in DroidSafe. In Proc. of
NDSS Symposium.
[38]
Marit Hansen, Meiko Jensen, and Martin Rost. 2015. Protection goals for privacy
engineering. In 2015 IEEE Security and Privacy Workshops. IEEE, 159–166.
[39]
Hamza Harkous, Kassem Fawaz, Rémi Lebret, Florian Schaub, Kang G Shin,
and Karl Aberer. 2018. Polisis: Automated analysis and presentation of privacy
policies using deep learning. In 27th USENIX Security Symposium (USENIX
Security 18). USENIX, Berkeley, CA, USA, 531–548.
[40]
Harwell, Drew and Schaer, Aaron. 2024. The FBI’s new tactic: Catching
suspects with push alerts. https://www
.
washingtonpost
.
com/technology/2024/
02/29/push-notication-surveillance-fbi/. (Accessed on 06/01/2024).
[41]
Sangwon Hyun, Junsung Cho, Geumhwan Cho, and Hyoungshick Kim. 2018.
Design and analysis of push notication-based malware on android. Security
and Communication Networks 2018 (2018).
[42]
JusTalk. 2023. Is it safe to use JusTalk? https://web
.
archive
.
org/web/
20230407183707/https://justalk
.
com/support/general/g6. (Accessed on
10/10/2023).
[43]
P. G. Kelley, L. F. Cranor, and N. Sadeh. 2013. Privacy as part of the app decision-
making process. In Proceedings of the SIGCHI conference on human factors in
computing systems. 3393–3402.
[44]
J. Kim, Y. Yoon, K. Yi, and J. Shin. 2012. ScanDal: Static Analyzer for Detecting
Privacy Leaks in Android Applications. IEEE Workshop on Mobile Security
Technologies (MoST) (2012).
[45]
Simon Koch, Malte Wessels, Benjamin Altpeter, Madita Olvermann, and Martin
Johns. 2022. Keeping privacy labels honest. Proceedings on Privacy Enhancing
Technologies 4, 486-506 (2022), 2–2.
[46]
Konev, Max. 2022. Statement on the Reuters Story Regarding Push-
woosh. https://blog
.
pushwoosh
.
com/blog/statement-on-the-reuters-story-
regarding-pushwoosh/. (Accessed on 06/01/2024).
[47]
Hayoung Lee, Taeho Kang, Sangho Lee, Jong Kim, and Yoonho Kim. 2014.
Punobot: Mobile botnet using push notication service in android. In Information
Security Applications: 14th International Workshop, WISA 2013, Jeju Island, Korea,
August 19-21, 2013, Revised Selected Papers 14. Springer, 124–137.
[48]
Tongxin Li, Xiaoyong Zhou, Luyi Xing, Yeonjoon Lee, Muhammad Naveed,
XiaoFeng Wang, and Xinhui Han. 2014. Mayhem in the push clouds: Under-
standing and mitigating security hazards in mobile push-messaging services. In
Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communica-
tions Security. 978–989.
[49]
Thomas Linden, Rishabh Khandelwal, Hamza Harkous, and Kassem Fawaz. 2018.
The privacy policy landscape after the GDPR. arXiv preprint arXiv:1809.08396
(2018), 1–18.
[50]
Tianming Liu, Haoyu Wang, Li Li, Guangdong Bai, Yao Guo, and Guoai Xu. 2019.
Dapanda: Detecting aggressive push notications in android apps. In 2019 34th
IEEE/ACM International Conference on Automated Software Engineering (ASE).
IEEE, 66–78.
14