This invention relates generally to networked applications, and particularly to detecting improper use of sensitive data.
Application deployment systems provide web pages and other resources to client devices for providing an application to the client device. An application represents functions and features provided by the application deployment system in one or more pages generated by the application deployment system for a client device. The application may include various pages, such as a homepage for the application, a login page, and a create account page. In many pages, the user may provide sensitive user data to the application deployment system. In addition, the application pages may include references to content of third-party code providers. The third-party code may be incorporated to perform various features for the application, but may not have been developed or analyzed by the application deployment system to determine its behavior. In providing the third-party services, third-party code may be implemented or executed on the client device, or services of the third-party code may be called by the client device.
As one example, the client device retrieves third-party code from the reference provided by the application page and executes the third party's code as part of the application page. When the user enters sensitive data into the application that is intended for the application deployment system, that data may be accessible to the third-party code, and execution of the third-party code may improperly transmit or leak it to another system. Alternatively, services of a third-party system may be requested with a function call that includes sensitive data.
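One way to check for the leak path described above is to enter known values into a page's fields and inspect the requests that leave the browser. The following is an added example, not part of the original text or of the described invention; the host names, field values and captured-request format are constructed assumptions.

```javascript
// Added example: flag captured outbound requests that carry a known
// sensitive value to a host other than the first party.
// Assumption: the application deployment system's own host(s).
const FIRST_PARTY_HOSTS = new Set(["app.example.com"]);

// Common encodings a script may apply to a value before sending it.
function encodings(value) {
  return [
    value,
    encodeURIComponent(value),
    Buffer.from(value, "utf8").toString("base64"),
  ];
}

// Returns one finding per (request, field) pair where a sensitive value
// appears in the URL or body of a request to a non-first-party host.
function findLeaks(requests, sensitiveFields) {
  const findings = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (FIRST_PARTY_HOSTS.has(host)) continue; // intended recipient
    const haystack = req.url + "\n" + (req.body || "");
    for (const [field, value] of Object.entries(sensitiveFields)) {
      if (encodings(value).some((enc) => haystack.includes(enc))) {
        findings.push({ host, field, initiator: req.initiator });
      }
    }
  }
  return findings;
}

// Constructed sample: values typed into a login page and the requests
// recorded during that session (hypothetical hosts and scripts).
const sensitiveFields = { email: "alice@example.org", password: "S3cret!pass" };
const b64Password = Buffer.from(sensitiveFields.password).toString("base64");
const capturedRequests = [
  { url: "https://app.example.com/login", initiator: "app.js",
    body: "email=alice%40example.org&password=S3cret!pass" },
  { url: "https://cdn.widgets.example/w.js", initiator: "page", body: "" },
  { url: "https://metrics.tracker.example/c?e=alice%40example.org",
    initiator: "w.js", body: "" },
  { url: "https://metrics.tracker.example/c", initiator: "w.js",
    body: JSON.stringify({ d: b64Password }) },
];

const leaks = findLeaks(capturedRequests, sensitiveFields);
console.log(leaks);
```

Substring matching only catches values sent in plain, URL-encoded or base64 form; a value that is hashed, split or encrypted before transmission will not match.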