
GDPR Compliance Issues - Responsible Disclosure #23

@HuaijinRan

Responsible Disclosure Notice

We are academic researchers conducting GDPR compliance analysis. Before publishing our research, we are notifying all affected repositories to provide findings and allow time for any desired fixes.

Contact: seventeen17510@gmail.com
Research Repository: https://github.com/Haoyi-Zhang/GDPR-Bench-Android

Summary

Our analysis identified 109 potential GDPR violations in this codebase:

GDPR Article   Count   Main Issue
Article 6      25      No lawful basis for data collection
Article 5      23      Lack of transparency
Article 32     21      Security deficiencies
Article 25     18      No privacy-by-design
Article 13     12      Missing privacy notices
Others         10      Various issues

Key Examples

1. Article 6 - Lawfulness of Processing

File: app/src/main/java/com/browser/rat/Service/MainService.java:145

String imei = telephonyManager.getDeviceId();

Issue: Device IMEI collected without lawful basis.

2. Article 32 - Security of Processing

File: app/src/main/java/com/browser/rat/Utils/AppTools.java:234

SharedPreferences sp = context.getSharedPreferences("config", Context.MODE_PRIVATE);
sp.edit().putString("server_url", url).apply();

Issue: Server URL stored without encryption.

3. Article 5 - Principles of Processing

File: app/src/main/java/com/browser/rat/Service/ContactService.java:67

ContentResolver cr = getContentResolver();
Cursor cur = cr.query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);

Issue: All contacts accessed without purpose specification.

4. Article 25 - Privacy by Design

File: app/src/main/java/com/browser/rat/Network/ApiClient.java:89

OkHttpClient client = new OkHttpClient();
Request request = new Request.Builder().url(url).build();

Issue: Network client without certificate pinning or security configuration.

5. Article 13 - Information to be Provided

File: app/src/main/AndroidManifest.xml:5-12

<uses-permission android:name="android.permission.READ_CONTACTS" />
<uses-permission android:name="android.permission.READ_SMS" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />

Issue: Multiple sensitive permissions without privacy notice.

Recommendations

  1. Implement consent management for sensitive permissions
  2. Add encryption for stored credentials and configuration
  3. Use HTTPS with certificate pinning for network communications
  4. Create privacy documentation explaining data usage
  5. Implement purpose limitation for data access
  6. Add user control mechanisms for data deletion

Your Feedback Matters

We understand this is a security research tool. Feel free to:

  • Disagree with findings
  • Request removal from our dataset
  • Ask questions about specific violations

Contact: seventeen17510@gmail.com

Thank you for your contribution to open-source.
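As an added example, not code from the repository or from the issue author, the following Java class shows one way to implement recommendations 2 and 3 of the report: replacing the plaintext SharedPreferences store from example 2 with an EncryptedSharedPreferences store backed by an Android Keystore key, and replacing the default OkHttpClient from example 4 with one that pins the server's SPKI hashes and refuses non-HTTPS URLs. It assumes AndroidX security-crypto (androidx.security:security-crypto) and OkHttp 4 on the classpath; the package name, class and method names, API_HOST and the two pin values are placeholders and must be replaced with the real values for the deployment.

```java
// Added example, not part of the repository. Package, class, host and pin
// values are hypothetical placeholders.
package com.example.hardening;

import android.content.Context;
import android.content.SharedPreferences;
import androidx.security.crypto.EncryptedSharedPreferences;
import androidx.security.crypto.MasterKey;
import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.ResponseBody;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.concurrent.TimeUnit;

public final class HardenedConfig {

    // Same preference file and key names as the original code, so callers change
    // only how the store is opened, not what they read and write.
    private static final String PREFS_NAME = "config";
    private static final String KEY_SERVER_URL = "server_url";

    // Placeholder host and base64 SHA-256 SPKI pins (assumed values). Pin at least
    // two keys (current + backup) so a routine certificate rotation cannot lock
    // every deployed client out of the server.
    private static final String API_HOST = "api.example.com";
    private static final String[] API_PINS = {
        "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
        "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="
    };

    private HardenedConfig() {}

    /**
     * Replacement for context.getSharedPreferences("config", MODE_PRIVATE).
     * Keys and values are encrypted at rest; the master key lives in the Android
     * Keystore and is not exportable, so a copied prefs XML file is useless alone.
     */
    public static SharedPreferences openEncryptedConfig(Context context)
            throws GeneralSecurityException, IOException {
        MasterKey masterKey = new MasterKey.Builder(context)
                .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
                .build();
        return EncryptedSharedPreferences.create(
                context,
                PREFS_NAME,
                masterKey,
                EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
                EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM);
    }

    /** Stores the server URL, rejecting anything that would bypass TLS. */
    public static void saveServerUrl(SharedPreferences prefs, String url) {
        if (url == null || !url.startsWith("https://")) {
            throw new IllegalArgumentException("server_url must be an https:// URL");
        }
        prefs.edit().putString(KEY_SERVER_URL, url).apply();
    }

    /** Reads the stored server URL, or null if none has been saved yet. */
    public static String loadServerUrl(SharedPreferences prefs) {
        return prefs.getString(KEY_SERVER_URL, null);
    }

    /**
     * Replacement for new OkHttpClient(). A connection to API_HOST whose chain
     * contains none of the pinned SPKI hashes fails with
     * javax.net.ssl.SSLPeerUnverifiedException before any request is sent.
     * Timeouts stop a hostile or dead server from hanging the calling service.
     */
    public static OkHttpClient buildPinnedClient() {
        CertificatePinner pinner = new CertificatePinner.Builder()
                .add(API_HOST, API_PINS)
                .build();
        return new OkHttpClient.Builder()
                .certificatePinner(pinner)
                .connectTimeout(10, TimeUnit.SECONDS)
                .readTimeout(30, TimeUnit.SECONDS)
                .build();
    }

    /** Performs a GET with the pinned client and returns the body as a string. */
    public static String fetch(OkHttpClient client, String url) throws IOException {
        Request request = new Request.Builder().url(url).build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("Unexpected HTTP status " + response.code());
            }
            ResponseBody body = response.body();
            return body == null ? "" : body.string();
        }
    }
}
```

Typical use is `saveServerUrl(openEncryptedConfig(ctx), "https://api.example.com/")` at configuration time and `fetch(buildPinnedClient(), loadServerUrl(prefs))` from the service. Note that pinning only protects the TLS channel; it does nothing for the lawful-basis, transparency and purpose-limitation findings (Articles 5, 6 and 13), which are policy and consent questions rather than code changes.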
