Toward Automatically Generating Privacy Policy for Smart Home Apps

Modern Smart Home platforms offer various applications, which should follow the platform privacy policies so that end users and regulators are informed of Sensitive Personal Information (SPI) related operations. However, the generalized privacy policies by Smart Home platforms fail to explain specific SPI related operations for individual applications. Meanwhile, according to previous works, potential SPI leaks may occur due to insufficient surveillance. In this paper, we propose the first system to automatically generate fine-grained privacy policies for individual applications through static code analysis and natural language techniques. First, from the code we extract the control flow graph and the SPI data flows. Then, we use a Naive Bayes model to transfer the data flows into verb-object phrases. Finally, we populate a pre-prepared privacy policy template with the previously generated phrases. We evaluate our system on Samsung SmartThings platform. The experimental results show that: 1) Our system can accurately extract SPI related operations from Smart Home applications; 2) The privacy policies created by our system are fine-grained and easily understandable; 3) We demonstrate the efficacy of the proposed system on a real world data-set of almost 250 apps.