
GDPR Compliance Issues - Responsible Disclosure

Open HuaijinRan opened this issue 2 months ago • 1 comments

Responsible Disclosure Notice

We are academic researchers conducting GDPR compliance analysis. Before publishing our research, we are notifying all affected repositories to provide findings and allow time for any desired fixes.

Contact: [email protected]
Research Repository: https://github.com/Haoyi-Zhang/GDPR-Bench-Android

Summary

Our analysis identified 109 potential GDPR violations in this codebase:

| GDPR Article | Count | Main Issue |
|---|---|---|
| Article 6 | 25 | No lawful basis for data collection |
| Article 5 | 23 | Lack of transparency |
| Article 32 | 21 | Security deficiencies |
| Article 25 | 18 | No privacy-by-design |
| Article 13 | 12 | Missing privacy notices |
| Others | 10 | Various issues |

Key Examples

1. Article 6 - Lawfulness of Processing

File: app/src/main/java/com/browser/rat/Service/MainService.java:145

String imei = telephonyManager.getDeviceId();

Issue: Device IMEI collected without lawful basis.

2. Article 32 - Security of Processing

File: app/src/main/java/com/browser/rat/Utils/AppTools.java:234

SharedPreferences sp = context.getSharedPreferences("config", Context.MODE_PRIVATE);
sp.edit().putString("server_url", url).apply();

Issue: Server URL stored without encryption.

3. Article 5 - Principles of Processing

File: app/src/main/java/com/browser/rat/Service/ContactService.java:67

ContentResolver cr = getContentResolver();
Cursor cur = cr.query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);

Issue: All contacts accessed without purpose specification.

4. Article 25 - Privacy by Design

File: app/src/main/java/com/browser/rat/Network/ApiClient.java:89

OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder().url(url).build();

Issue: Network client without certificate pinning or security configuration.

5. Article 13 - Information to be Provided

File: app/src/main/AndroidManifest.xml:5-12

<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />

Issue: Multiple sensitive permissions without privacy notice.

Recommendations

  1. Implement consent management for sensitive permissions
  2. Add encryption for stored credentials and configuration
  3. Use HTTPS with certificate pinning for network communications
  4. Create privacy documentation explaining data usage
  5. Implement purpose limitation for data access
  6. Add user control mechanisms for data deletion

Your Feedback Matters

We understand this is a security research tool. Feel free to:

  • Disagree with findings
  • Request removal from our dataset
  • Ask questions about specific violations

Contact: [email protected]

Thank you for your contribution to open-source.

HuaijinRan, Oct 29 '25 14:10

Message that will be displayed on users' first issue

github-actions[bot], Oct 29 '25 14:10