This new tool for developers can help preserve app users’ privacy

Daniel Tkacik

Oct 4, 2019

When you open a newly-installed app on your phone and it says to you, “This app would like to use your location data,” what do you do? Depending on the app, you might be thinking, Why does it need my location? Wouldn’t it be great if it just told you why?

“When app developers are coding these types of data requests, privacy is oftentimes an afterthought,” says CyLab’s Jason Hong, a professor in the Human Computer Interaction Institute (HCII). “We wanted to create something that would bring privacy to the forefront of their thinking when developing these apps.”

When app developers are coding these types of data requests, privacy is oftentimes an afterthought.

Jason Hong, Professor, Human Computer Interaction Institute

Hong teamed up with HCII Ph.D. student Tianshi Li and Institute for Software Research (ISR) professor Yuvraj Agarwal to create an integrated development environment (IDE) plugin that nudges developers to think a bit harder about user privacy when coding data requests.

Li presented the IDE plugin, which they dubbed “Coconut,” at last month’s ACM International Joint Conference on Pervasive and Ubiquitous Computing (Ubicomp) in London.

“Coconuts are versatile fruits, and we wanted our plugin to be versatile in its ability to provide multiple types of benefits for privacy,” says Li.

When writing the code for an app using Coconut, the plugin’s heuristics automatically detect when a request for user data is made, triggering a popup reminder to the developer to write an annotation explaining the reasons behind their request. Rather than requiring them to write one from scratch, developers have the option of choosing one from a list of pre-written annotations explaining the reason behind the request, such as, “Data collection for advertising,” “Location-based game,” or “Maps and navigation,” among others.

Animation showing how Coconut works

Source: Carnegie Mellon University's College of Engineering

A “PrivacyChecker” window within Coconut aggregates all of the data practices coded into the app, paired with the annotations that explain why they’re there.

“Having the data practices organized in this way makes it easier for the developer to write a good, informative privacy policy,” says Agarwal. “This can be really beneficial to the end-user.”

This can be really beneficial to the end-user.

Yuvraj Agarwal, Professor, Institute for Software Research

The researchers evaluated their plugin by asking 18 Android developers, including eight professional developers, to use it. They found that apps developed with Coconut dealt with privacy concerns better, and the developers themselves had a better understanding of the apps’ data practices, which resulted in them writing better privacy policies.

Coconut is available for download on GitHub. The current version only works for Android developers.

The HCII and ISR are both housed in Carnegie Mellon’s School of Computer Science.