pounce-keys icon indicating copy to clipboard operation
pounce-keys copied to clipboard
verified publisher icon NullPounce

GDPR Compliance Issues - Responsible Disclosure

Open HuaijinRan opened this issue 2 months ago • 0 comments

GDPR Compliance Issues - Responsible Disclosure

Responsible Disclosure Notice

We are academic researchers conducting GDPR compliance analysis. Before publishing our research, we are notifying all affected repositories to provide findings and allow time for any desired fixes.

Contact: [email protected]
Research Repository: https://github.com/Haoyi-Zhang/GDPR-Bench-Android

Summary

Our analysis identified 83 potential GDPR violations in this codebase:

GDPR Article Count Main Issue
Article 6 19 No lawful basis for data collection
Article 9 17 Processing special category data (keystrokes)
Article 32 16 Security deficiencies
Article 5 13 Lack of transparency
Article 13 9 Missing privacy notices
Others 9 Various issues

Key Examples

1. Article 6 & 9 - Lawfulness and Special Categories

File: app/src/main/java/com/pounce/KeyboardService.java:145

public void onKey(int primaryCode, int[] keyCodes) {
    String text = Character.toString((char) primaryCode);
    logKeypress(text);
}

Issue: Keystroke logging (potentially capturing passwords, personal messages) without consent.

2. Article 32 - Security of Processing

File: app/src/main/java/com/pounce/DataUploader.java:89

HttpURLConnection connection = (HttpURLConnection) url.openConnection();
connection.getOutputStream().write(keystrokeData.getBytes());

Issue: Keystroke data transmitted without encryption.

3. Article 5 - Principles of Processing

File: app/src/main/java/com/pounce/LogManager.java:234

FileWriter writer = new FileWriter(logFile, true);
writer.write(timestamp + ": " + keystroke + "\n");

Issue: All keystrokes logged without purpose limitation or data minimization.

4. Article 13 - Information to be Provided

File: app/src/main/AndroidManifest.xml:5-8

<uses-permission android:name="android.permission.BIND_ACCESSIBILITY_SERVICE" />
<uses-permission android:name="android.permission.INTERNET" />

Issue: Accessibility service permission (used for keylogging) without clear notice.

Recommendations

  1. Obtain explicit consent before any keystroke logging (this is sensitive personal data)
  2. Implement end-to-end encryption for keystroke data
  3. Add clear privacy notice explaining keylogging functionality
  4. Implement data minimization - only log necessary keystrokes
  5. Provide user controls to enable/disable logging and delete data
  6. Consider special category data protections under Article 9

Note: Keystroke logging is particularly sensitive as it may capture passwords, health information, and other special category personal data.

Your Feedback Matters

We understand this is a security research tool. Feel free to:

  • Disagree with findings
  • Request removal from our dataset
  • Ask questions about specific violations

Contact: [email protected]

Thank you for your contribution to open-source.

HuaijinRan avatar Oct 29 '25 14:10 HuaijinRan