
GDPR Compliance Issues - Responsible Disclosure

Open HuaijinRan opened this issue 2 months ago • 0 comments

Responsible Disclosure Notice

We are academic researchers conducting GDPR compliance analysis. Before publishing our research, we are notifying all affected repositories to provide findings and allow time for any desired fixes.

Contact: [email protected]
Research Repository: https://github.com/Haoyi-Zhang/GDPR-Bench-Android

Summary

Our analysis identified 102 potential GDPR violations in this codebase:

GDPR Article   Count   Main Issue
Article 6        23    No lawful basis for data collection
Article 32       22    Security deficiencies
Article 5        20    Lack of transparency
Article 25       16    No privacy-by-design
Article 13       11    Missing privacy notices
Others           10    Various issues

Key Examples

1. Article 6 - Lawfulness of Processing

File: app/src/main/java/com/m301/rdroid/MainActivity.java:178

TelephonyManager tm = (TelephonyManager) getSystemService(Context.TELEPHONY_SERVICE);
String deviceId = tm.getDeviceId();

Issue: Device identifier accessed without consent.

2. Article 32 - Security of Processing

File: app/src/main/java/com/m301/rdroid/CommandHandler.java:234

Socket socket = new Socket(host, port);
OutputStream out = socket.getOutputStream();
out.write(data);

Issue: Unencrypted socket communication for potentially sensitive data.

3. Article 5 - Principles of Processing

File: app/src/main/java/com/m301/rdroid/FileManager.java:89

File[] files = directory.listFiles();
// All files accessed without purpose limitation

Issue: Broad file system access without purpose specification.

4. Article 25 - Privacy by Design

File: app/src/main/java/com/m301/rdroid/Config.java:45

public static final String SERVER = "http://example.com";

Issue: HTTP protocol hardcoded instead of HTTPS.

5. Article 13 - Information to be Provided

File: app/src/main/AndroidManifest.xml:6-11

<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.INTERNET" />

Issue: Storage and network permissions without privacy notice.

Recommendations

  1. Add consent mechanism before collecting device identifiers
  2. Implement TLS/SSL for all network communications
  3. Encrypt sensitive data before transmission and storage
  4. Add privacy notices explaining data collection
  5. Implement access controls for file system operations
  6. Document data retention policies

Your Feedback Matters

We understand this is a security research tool. Feel free to:

  • Disagree with findings
  • Request removal from our dataset
  • Ask questions about specific violations

Contact: [email protected]

Thank you for your contribution to open-source.

HuaijinRan, Oct 29 '25 14:10
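The plain `Socket` excerpt in finding 2 and recommendation 2 ("Implement TLS/SSL for all network communications") can be made concrete with the following added example. It is not code from the rdroid project or from the researchers' report; the class name `TlsCommandChannel`, the method names and the host/port arguments are assumptions for illustration. It shows the quoted plaintext write next to a hardened version that uses the platform's default trust store, restricts the protocol set and turns on hostname verification so that a certificate issued for a different host is rejected before any data leaves the device.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical helper, not part of rdroid: contrasts the plaintext channel quoted
// in the issue with a TLS channel that authenticates the server.
public final class TlsCommandChannel {

    private TlsCommandChannel() {}

    // Before (as quoted in the issue): plaintext TCP, any on-path observer can read
    // the payload and any host answering on the port is accepted as the server.
    public static void sendPlaintext(String host, int port, byte[] data) throws IOException {
        try (Socket socket = new Socket(host, port)) {
            OutputStream out = socket.getOutputStream();
            out.write(data);
            out.flush();
        }
    }

    // After: TLS with the platform trust store, TLS 1.2/1.3 only, and hostname
    // verification enabled on the socket itself (SSLSocket does not verify the
    // certificate's subject against the host name unless this is switched on).
    public static void sendOverTls(String host, int port, byte[] data) throws IOException {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            // Assumption: the runtime supports both; on platforms without TLS 1.3
            // restrict this to "TLSv1.2" or setSSLParameters throws IllegalArgumentException.
            params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
            // "HTTPS" selects RFC 2818 style matching of the certificate against host.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // Force the handshake now so a bad certificate fails here, before write().
            socket.startHandshake();

            OutputStream out = socket.getOutputStream();
            out.write(data);
            out.flush();
        }
    }
}
```

Calling `sendOverTls("c2.example.invalid", 8443, payload)` against a server whose certificate does not chain to a trusted root, or whose subject does not match the host, throws `javax.net.ssl.SSLHandshakeException` from `startHandshake()` and nothing is transmitted. Recommendation 4 (privacy notice) and recommendation 1 (consent before reading identifiers) are UI and policy decisions and are not covered by this example.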