Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process. This paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis.