Thesis: Master Thesis

Description:

One of the main applications of static analysis is tracking sensitive data in an application. A static program slicer like Jicer can be used to focus on the parts of an application that are affected by sensitive data. Examining the data and control flows in a program slice can help developers understand how sensitive data is propagated through an application: where it is manipulated, copied, transferred to another procedure or even deleted. However, this representation is very technical and cannot be understood by non-technical experts like auditors, data protection officers or even users.

The aim of this thesis is to bridge the knowledge gap between technical and non-technical experts. To do this, we recover the architecture of the application using different clustering algorithms. ARCADE provides an implementation to prominent algorithms, which we can use to cluster the app with respect to different features (e.g., names of classes, dependencies between classes). Next, you will label various nodes of the program slice according to these clusters and explore to what extent this labeling assists non-developers in understanding privacy issues. You will evaluate the usability of this prototype by conducting user studies with non-programmers.

Requirements:

• Good understanding of the Java language is required.

• Ability to work with large existing code bases is required.

• Prior knowledge of static analysis is helpful.

• Prior knowledge of software architecture is helpful.

Tasks:

• Use ARCADE to cluster an Android app with respect to various features.

• Annotate the nodes in Jicer’s program slices with these clusters.

• Conduct user studies to assess if such labeling assists non-developers in understanding privacy-relevance of program slices.

Language:

The thesis will be written in English.

Learning Outcomes:

• Assimilate and apply knowledge from relevant literature.

• Hands-on experience of working with architecture recovery techniques and static analysis.