{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,10]],"date-time":"2025-12-10T09:11:05Z","timestamp":1765357865292,"version":"3.41.2"},"reference-count":28,"publisher":"Association for Computing Machinery (ACM)","issue":"8","funder":[{"name":"Department of Defense-Science of Security Lablet","award":["H98230-17-D-0080"],"award-info":[{"award-number":["H98230-17-D-0080"]}]},{"DOI":"10.13039\/501100000266","name":"EPSRC","doi-asserted-by":"crossref","award":["EP\/W025361\/1"],"award-info":[{"award-number":["EP\/W025361\/1"]}],"id":[{"id":"10.13039\/501100000266","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Commun. ACM"],"published-print":{"date-parts":[[2025,8]]},"abstract":"\n Problem:<\/jats:italic>\n We address the challenge in responsible computing where an\n exploitable<\/jats:italic>\n mobile app is misused by one app user (an\n abuser<\/jats:italic>\n ) against another user or bystander (\n victim<\/jats:italic>\n ). We introduce the idea of a\n misuse audit<\/jats:italic>\n of apps as a way of determining if they are exploitable without access to their implementation.\n Method:<\/jats:italic>\n We leverage app reviews to identify exploitable apps and their functionalities that enable misuse. First, we build a computational model to identify alarming reviews (which report misuse). Second, using the model, we identify exploitable apps and their functionalities. Third, we validate them through manual inspection of reviews.\n Findings:<\/jats:italic>\n Stories by abusers and victims mostly focus on past misuses, whereas stories by third parties mostly identify stories indicating the potential for misuse. Surprisingly, positive reviews by abusers, which exhibit language with high dominance, also reveal misuses. In total, we confirmed 156 exploitable apps facilitating the misuse. Based on our qualitative analysis, we found exploitable apps exhibiting four types of exploitable functionalities.\n Implications:<\/jats:italic>\n Our method can help identify exploitable apps and their functionalities, facilitating misuse audits of a large pool of apps.\n <\/jats:p>","DOI":"10.1145\/3685528","type":"journal-article","created":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T20:41:57Z","timestamp":1753389717000},"page":"62-71","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":2,"title":["Understanding Mobile App Reviews to Guide Misuse Audits"],"prefix":"10.1145","volume":"68","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-4917-2515","authenticated-orcid":false,"given":"Vaibhav","family":"Garg","sequence":"first","affiliation":[{"name":"North Carolina State University, Social AI Lab, Raleigh, North Carolina, United States"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Hui","family":"Guo","sequence":"additional","affiliation":[{"name":"Quora, California, California, United States"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Nirav","family":"Ajmeri","sequence":"additional","affiliation":[{"name":"University of Bristol, Bristol, Bristol, United Kingdom"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Saikath","family":"Bhattacharya","sequence":"additional","affiliation":[{"name":"Milwaukee School of Engineering, Milwaukee, Wisconsin, United States"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Munindar P.","family":"Singh","sequence":"additional","affiliation":[{"name":"North Carolina State University, Social AI Lab, Raleigh, North Carolina, United States"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,7,25]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.4018\/IJISP.2020100105"},{"key":"e_1_3_1_3_2","doi-asserted-by":"crossref","unstructured":"Block K. Narain S. and Noubir G. An autonomic and permissionless Android covert channel. In Proceedings of the 10th ACM Conf. on Security and Privacy in Wireless and Mobile Networks (2017) 184\u2013194.","DOI":"10.1145\/3098243.3098250"},{"key":"e_1_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.1002\/widm.1157"},{"key":"e_1_3_1_5_2","unstructured":"Cer D. et al. Universal sentence encoder. CoRR abs\/1803.11175 (2018) 1\u20137."},{"key":"e_1_3_1_6_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00061"},{"key":"e_1_3_1_7_2","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568263"},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/REW53955.2021.00020"},{"key":"e_1_3_1_9_2","doi-asserted-by":"publisher","DOI":"10.1109\/RE.2018.00026"},{"issue":"202","key":"e_1_3_1_10_2","article-title":"Is my phone hacked? Analyzing clinical computer security interventions with survivors of intimate partner violence","volume":"3","author":"Freed D.","year":"2019","unstructured":"Freed, D. et al. Is my phone hacked? Analyzing clinical computer security interventions with survivors of intimate partner violence. Proceedings of the 17th ACM Conf. on Human-Computer Interaction 3\u00a0(2019),\u00a0Article 202.","journal-title":"Proceedings of the 17th ACM Conf. on Human-Computer Interaction"},{"key":"e_1_3_1_11_2","first-page":"1","volume-title":"Proceedings of the CHI Conf. on Human Factors in Computing Systems","author":"Freed D.","year":"2018","unstructured":"Freed, D. et al. \u201cA stalker\u2019s paradise\u201d: How intimate partner abusers exploit technology. In Proceedings of the CHI Conf. on Human Factors in Computing Systems. ACM (2018), 1\u201313."},{"key":"e_1_3_1_12_2","first-page":"283","volume-title":"Proceedings of 43rd IEEE Intern. Conf. on Software Engineering: Software Engineering Education and Training (ICSE-SEET)","author":"Garc\u00eda C.","year":"2021","unstructured":"Garc\u00eda, C. et al. Bluejay: A crosstooling audit framework for agile software teams. In Proceedings of 43rd IEEE Intern. Conf. on Software Engineering: Software Engineering Education and Training (ICSE-SEET). IEEE (2021), 283\u2013288."},{"key":"e_1_3_1_13_2","doi-asserted-by":"publisher","unstructured":"Garg V. et al. MissAuditor dataset and software. Zenodo Public Repository (2024); 10.5281\/zenodo.12736144","DOI":"10.5281\/zenodo.12736144"},{"key":"e_1_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1145\/3377811.3380924"},{"key":"e_1_3_1_15_2","doi-asserted-by":"publisher","DOI":"10.18653\/v1\/2022.acl-short.13"},{"key":"e_1_3_1_16_2","doi-asserted-by":"publisher","DOI":"10.5555\/3361338.3361347"},{"key":"e_1_3_1_17_2","doi-asserted-by":"publisher","DOI":"10.1109\/RE.2017.86"},{"key":"e_1_3_1_18_2","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420958"},{"key":"e_1_3_1_19_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00012"},{"key":"e_1_3_1_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2020.3025443"},{"key":"e_1_3_1_21_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813604"},{"key":"e_1_3_1_22_2","first-page":"603","volume-title":"Proceedings of the 28th USENIX Security Symp.","author":"Reardon J.","year":"2019","unstructured":"Reardon, J. et al. 50 ways to leak your data: An exploration of apps\u2019 circumvention of the Android permissions system. In Proceedings of the 28th USENIX Security Symp.\u00a0USENIX (2019), 603\u2013620."},{"key":"e_1_3_1_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP40000.2020.00069"},{"key":"e_1_3_1_24_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v36i11.21494"},{"key":"e_1_3_1_25_2","first-page":"1893","volume-title":"Proceedings of the 29th USENIX Security Symp.","author":"Tseng E.","year":"2020","unstructured":"Tseng, E. et al. The tools and tactics used in intimate partner surveillance: An analysis of online infidelity forums. In Proceedings of the 29th USENIX Security Symp.. USENIX (2020), 1893\u20131909."},{"key":"e_1_3_1_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3411764.3445589"},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.1145\/2757290.2757291"},{"key":"e_1_3_1_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.60"},{"key":"e_1_3_1_29_2","first-page":"429","volume-title":"Proceedings of the 30th USENIX Security Symp.","author":"Zou Y.","year":"2021","unstructured":"Zou, Y. et al. The role of computer security customer support in helping survivors of intimate partner violence. In Proceedings of the 30th USENIX Security Symp.\u00a0USENIX (2021), 429\u2013446."}],"container-title":["Communications of the ACM"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3685528","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,25]],"date-time":"2025-07-25T14:17:28Z","timestamp":1753453048000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3685528"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,7,25]]},"references-count":28,"journal-issue":{"issue":"8","published-print":{"date-parts":[[2025,8]]}},"alternative-id":["10.1145\/3685528"],"URL":"https:\/\/doi.org\/10.1145\/3685528","relation":{},"ISSN":["0001-0782","1557-7317"],"issn-type":[{"type":"print","value":"0001-0782"},{"type":"electronic","value":"1557-7317"}],"subject":[],"published":{"date-parts":[[2025,7,25]]},"assertion":[{"value":"2023-12-30","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-07-25","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}