
GDPR Compliance Issues - Responsible Disclosure

Open HuaijinRan opened this issue 2 months ago • 0 comments

Responsible Disclosure Notice

We are academic researchers conducting GDPR compliance analysis. Before publishing our research, we are notifying all affected repositories to provide findings and allow time for any desired fixes.

Contact: [email protected]
Research Repository: https://github.com/Haoyi-Zhang/GDPR-Bench-Android

Summary

Our analysis identified 87 potential GDPR violations in this codebase:

GDPR Article   Count   Main Issue
Article 6      20      No lawful basis for data collection
Article 32     18      Security deficiencies
Article 5      17      Lack of transparency
Article 25     14      No privacy-by-design
Article 13     10      Missing privacy notices
Others         8       Various issues

Key Examples

1. Article 6 - Lawfulness of Processing

File: app/src/main/java/com/shotdroid/CameraService.java:123

Camera camera = Camera.open();
camera.startPreview();

Issue: Camera accessed without user consent or lawful basis.

2. Article 32 - Security of Processing

File: app/src/main/java/com/shotdroid/UploadService.java:156

HttpPost httpPost = new HttpPost("http://server.com/upload");
httpClient.execute(httpPost);

Issue: HTTP used for uploading potentially sensitive media files.

3. Article 5 - Principles of Processing

File: app/src/main/java/com/shotdroid/AudioRecorder.java:78

MediaRecorder recorder = new MediaRecorder();
recorder.setAudioSource(MediaRecorder.AudioSource.MIC);
recorder.start();

Issue: Audio recording without purpose limitation or transparency.

4. Article 25 - Privacy by Design

File: app/src/main/java/com/shotdroid/StorageManager.java:234

FileOutputStream fos = new FileOutputStream(new File(path, filename));
fos.write(imageData);

Issue: Media files stored without encryption.

5. Article 13 - Information to be Provided

File: app/src/main/AndroidManifest.xml:7-11

<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.RECORD_AUDIO" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />

Issue: Camera and audio permissions without privacy notice.

Recommendations

  1. Implement consent dialogs before camera/microphone access
  2. Switch to HTTPS for all uploads
  3. Encrypt media files before storage
  4. Add privacy policy explaining camera/audio usage
  5. Implement user controls for data deletion
  6. Add purpose specification for media capture

Your Feedback Matters

We understand this is a security research tool. Feel free to:

  • Disagree with findings
  • Request removal from our dataset
  • Ask questions about specific violations

Contact: [email protected]

Thank you for your contribution to open-source.

HuaijinRan avatar Oct 29 '25 14:10 HuaijinRan
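
The transport and storage points raised in findings 2 and 4 above, as an added example that is not part of the issue or of the shotdroid code base: plain Java that writes media as AES-GCM ciphertext instead of raw bytes and rejects a non-HTTPS upload endpoint before any request is built. The class and helper names and the in-memory demo key are assumptions; on Android the key would normally be held in the Android Keystore.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.io.File;
import java.io.FileOutputStream;
import java.nio.file.Files;
import java.security.SecureRandom;
import java.net.URI;

public class MediaHardeningExample {                 // hypothetical class name
    private static final int IV_LEN = 12, TAG_BITS = 128;
    // Counterpart to finding 4: the file holds IV || ciphertext || GCM tag, never raw media.
    static void writeEncrypted(File out, byte[] media, SecretKey key) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);            // fresh random IV for every file
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        try (FileOutputStream fos = new FileOutputStream(out)) {
            fos.write(iv);
            fos.write(c.doFinal(media));
        }
    }

    static byte[] readEncrypted(File in, SecretKey key) throws Exception {
        byte[] blob = Files.readAllBytes(in.toPath());
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        return c.doFinal(blob, IV_LEN, blob.length - IV_LEN); // AEADBadTagException if modified
    }

    // Counterpart to finding 2: refuse cleartext or malformed upload endpoints.
    static URI requireHttps(String endpoint) {
        URI u = URI.create(endpoint);
        if (!"https".equalsIgnoreCase(u.getScheme()) || u.getHost() == null)
            throw new IllegalArgumentException("cleartext or malformed endpoint: " + endpoint);
        return u;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();            // assumption: demo key kept in memory only
        byte[] media = "constructed sample image bytes".getBytes();
        File f = File.createTempFile("media", ".enc");
        f.deleteOnExit();
        writeEncrypted(f, media, key);
        System.out.println("round trip ok: " + java.util.Arrays.equals(media, readEncrypted(f, key)));
        try { requireHttps("http://server.com/upload"); }   // URL quoted in finding 2
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```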