GDPR Compliance Issues - Responsible Disclosure
Responsible Disclosure Notice
We are academic researchers conducting GDPR compliance analysis. Before publishing our research, we are notifying all affected repositories to provide findings and allow time for any desired fixes.
Contact: seventeen17510@gmail.com
Research Repository: https://github.com/Haoyi-Zhang/GDPR-Bench-Android
Summary
Our analysis identified 50 potential GDPR violations in this codebase:
| GDPR Article | Count | Main Issue |
|---|---|---|
| Article 6 | 12 | No lawful basis for data collection |
| Article 32 | 11 | Security deficiencies |
| Article 5 | 10 | Lack of transparency |
| Article 25 | 8 | No privacy-by-design |
| Article 13 | 5 | Missing privacy notices |
| Others | 4 | Various issues |
Key Examples
1. Article 6 - Lawfulness of Processing
File: Multiple locations in service classes
```java
// Location tracking, SMS reading, call log access without consent
```
Issue: Personal data collection without lawful basis.
2. Article 32 - Security of Processing
File: Network communication modules
```java
// HTTP connections without HTTPS
// Plain text data storage
```
Issue: Inadequate security measures for sensitive data.
3. Article 5 - Principles of Processing
File: Permission declarations
```xml
<!-- Multiple sensitive permissions without purpose documentation -->
```
Issue: Lack of transparency about data processing purposes.
Recommendations
- Implement consent mechanism before data collection
- Use HTTPS for all communications
- Encrypt sensitive data in storage
- Add privacy documentation
- Implement data minimization
Your Feedback Matters
Contact: seventeen17510@gmail.com
Thank you for your contribution to open-source.