ASE2025

AppBDS: LLM-Powered Description Synthesis for Sensitive Behaviors in Mobile Apps

Zichen Liu, Xusheng Xiao

Abstract

As mobile applications (i.e., apps) increasingly manage a wide variety of user needs, their access to sensitive data intensifies privacy concerns among users. While app markets employ permissions to regulate private data access, the lack of explanation for permission usage renders this mechanism less effective. Existing techniques that extract explanatory sentences from app descriptions to inform users about sensitive behaviors are also limited. Many app behaviors remain unexplained in app descriptions. To address these issues, we propose AppBDS, a novel approach that integrates program analysis with Large Language Models (LLMs) to process code semantics and UI contexts, further complemented by privacy policies and information from similar apps, in order to generate detailed explanations for apps’ sensitive behaviors. Specifically, AppBDS integrates code semantics with UI contexts to build a UI-Fused Call Graph (UCG) for each app. Additionally, AppBDS summarizes permission-related propositions from privacy policies and utilizes similar apps’ information from a knowledge base (PP-KB) to improve LLMs’ domain knowledge in explaining permission usage. Our evaluation on 270 real-world apps demonstrates that AppBDS significantly outperforms state-of-the-art approaches in richness, specificity, and semantic relatedness, while also proving highly robust against common code obfuscation.
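To make the UI-Fused Call Graph idea concrete, here is an added toy model (not the authors' code or the AppBDS implementation): a call graph whose nodes are tagged with the UI context of the event handler they are reachable from, which is then queried for permission-protected API calls. The package names, widget labels, call edges and the small API-to-permission table are all constructed for this illustration; the real system would derive them from APK analysis, and the resulting records are what a downstream LLM, supplemented by privacy-policy propositions, would turn into natural-language explanations.

```python
"""Toy UI-Fused Call Graph (UCG): constructed example, not the paper's code."""
from collections import deque

# Constructed table: sensitive Android APIs and the permission each requires
# (a hand-written subset for illustration, not the paper's mapping).
SENSITIVE_APIS = {
    "android.location.LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "android.hardware.Camera.open": "CAMERA",
    "android.telephony.TelephonyManager.getDeviceId": "READ_PHONE_STATE",
    "android.media.MediaRecorder.start": "RECORD_AUDIO",  # not called by the app below
}

# Constructed call graph: caller -> callees (fully qualified method names).
CALL_GRAPH = {
    "com.example.MapActivity.onCreate": ["com.example.MapActivity.setupButtons"],
    "com.example.MapActivity.setupButtons": ["com.example.MapActivity$1.onClick"],
    "com.example.MapActivity$1.onClick": ["com.example.LocationHelper.fetch"],
    "com.example.LocationHelper.fetch": [
        "android.location.LocationManager.getLastKnownLocation"],
    "com.example.ProfileActivity$2.onClick": ["android.hardware.Camera.open"],
    # Background service: reaches a sensitive API with no UI element behind it.
    "com.example.SyncService.onStartCommand": [
        "android.telephony.TelephonyManager.getDeviceId"],
    "com.example.Util.log": [],
}

# Constructed UI context: event-handler method -> (screen title, widget text),
# as a UI analysis would recover from layouts and listener registrations.
UI_HANDLERS = {
    "com.example.MapActivity$1.onClick": ("Nearby Stores", "Find stores near me"),
    "com.example.ProfileActivity$2.onClick": ("Profile", "Take profile photo"),
}


def build_ucg(call_graph, ui_handlers):
    """Fuse UI context into the call graph.

    Every node carries the (screen, widget) context of the first UI handler
    it is reachable from; code not reachable from any handler keeps None.
    """
    ucg = {n: {"callees": list(c), "ui": None} for n, c in call_graph.items()}
    # Library APIs appear only as callees; give them nodes too.
    for callees in call_graph.values():
        for callee in callees:
            ucg.setdefault(callee, {"callees": [], "ui": None})
    for handler, ctx in ui_handlers.items():
        queue, seen = deque([handler]), set()
        while queue:  # breadth-first walk from the handler
            node = queue.popleft()
            if node in seen or node not in ucg:
                continue
            seen.add(node)
            if ucg[node]["ui"] is None:
                ucg[node]["ui"] = ctx
            queue.extend(ucg[node]["callees"])
    return ucg


def sensitive_behaviors(ucg, sensitive_apis=SENSITIVE_APIS):
    """One record per sensitive API the app actually reaches: the permission
    it needs and the UI context (if any) that triggers it."""
    records = []
    for api, perm in sensitive_apis.items():
        node = ucg.get(api)
        if node is None:  # API never called by this app
            continue
        screen, widget = node["ui"] if node["ui"] else (None, None)
        records.append({"api": api, "permission": perm,
                        "screen": screen, "widget": widget})
    return sorted(records, key=lambda r: r["api"])


def describe(record):
    """Rule-based fallback wording for a record; an LLM-based explainer would
    replace this template with richer, policy-grounded text."""
    api = record["api"].rsplit(".", 1)[-1]
    if record["widget"]:
        return (f'Tapping "{record["widget"]}" on the {record["screen"]} screen '
                f'calls {api}, which needs {record["permission"]}.')
    return (f"{api} is called from background code with no user action; "
            f"it needs {record['permission']}.")


if __name__ == "__main__":
    for rec in sensitive_behaviors(build_ucg(CALL_GRAPH, UI_HANDLERS)):
        print(describe(rec))
```

The unreached `MediaRecorder.start` entry produces no record, and the service-triggered `getDeviceId` call comes out with no UI context, which is exactly the kind of behavior an app description tends to leave unexplained and where privacy-policy propositions and similar-app knowledge would have to fill the gap.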