Property-Based Testing for Validating User Privacy-Related Functionalities in Social Media Apps

Social media apps implement many user privacy-related functionalities. For example, TikTok allows users to upload videos that record their daily activities and specify which users can view these videos. Ensuring the correctness of these functionalities is thus crucial. Otherwise, it may threaten the users' privacy or disrupt user experience. Due to the lack of appropriate automated testing techniques, manual testing remains the primary practice for validating these functionalities, which is cumbersome, error-prone, and inadequate. To this end, we adapt property-based testing to validate such functionalities against the properties described by the given privacy specifications. Our key idea is that privacy specifications can be transformed into the Buchi automata, which can (1) determine whether the app has reached unexpected states, and (2) guide the testing process. To support the application of our approach, we implemented an automated GUI testing tool, PDTDROID, which can detect the app behaviors that are inconsistent with the privacy specifications. Our evaluation on TikTok, involving 125 real privacy specifications, shows that PDTDROID can efficiently validate privacy-related functionality and reduce manual effort by an average of 95.2% before each app release. Our further experiments on six popular social media apps show the generability and applicability of PDTDROID. PDTDROID has found 22 previously unknown inconsistencies issues in these extensively tested apps (including four user privacy leakage bugs, nine user privacy-related functional bugs, and nine specification issues).