AI Security Portal K Program
A Large-Scale Privacy Assessment of Android Third-Party SDKs
Abstract
Third-party Software Development Kits (SDKs) are widely adopted in Android app development to accelerate development pipelines and extend app functionality. This convenience, however, raises substantial concerns about unauthorized access to users' privacy-sensitive information, which can be further abused for illegitimate purposes such as user tracking or monetization. Our study offers a targeted analysis of user privacy protection among Android third-party SDKs, filling a critical gap in the Android software supply chain. It examines two aspects of their privacy practices, data exfiltration and behavior-policy compliance (privacy compliance), using taint analysis and large language models. It covers 158 widely used SDKs from two key SDK release platforms, the official one and a large alternative one. From them, we identified 338 instances of privacy data exfiltration. On privacy compliance, our study reveals that more than 30% of the examined SDKs fail to provide a privacy policy disclosing their data handling practices. Among those that do provide privacy policies, 37% over-collect user data and 88% falsely claim access to sensitive data. We revisited the latest versions of the SDKs after 12 months; our analysis shows a persistent lack of improvement in these trends. Based on our findings, we propose three actionable recommendations to mitigate privacy leakage risks and strengthen privacy protection for Android users. Our research serves as an urgent call for industry attention and provides insights for future regulatory interventions.
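To make the two checks concrete, the following is an added illustration, not the paper's tooling, code or data: a toy forward taint tracker over a constructed, straight-line trace of SDK API calls, followed by a comparison of the data types that reach a network sink against the data types a privacy policy declares. The source/sink table, the trace, the policy contents and every method name are constructed assumptions; a real analysis would run a FlowDroid-style taint analysis over the SDK bytecode and extract the declared data types from the policy text, as the abstract describes.

```python
"""Toy taint tracking plus policy-consistency check (added example, not the paper's code).

Assumptions: sources and sinks are a small hand-written table (a real run would use a
SuSi-style catalogue), the SDK is represented as a straight-line call trace, and the
privacy policy's declared data types are given directly instead of being extracted
from the policy text.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical source table: API -> privacy data type it returns.
SOURCES = {
    "TelephonyManager.getDeviceId": "device_id",
    "AdvertisingIdClient.getId": "advertising_id",
    "LocationManager.getLastKnownLocation": "location",
    "AccountManager.getAccounts": "account",
}
# Hypothetical network sinks. Local sinks such as Log.d are deliberately excluded,
# so data that is only logged locally does not count as exfiltration here.
NETWORK_SINKS = {"HttpURLConnection.getOutputStream", "OkHttpClient.newCall"}


@dataclass
class Call:
    method: str
    args: Tuple[str, ...]          # variable names passed as arguments
    ret: Optional[str] = None      # variable receiving the return value, if any


@dataclass
class Leak:
    data_type: str
    sink: str
    path: List[str]                # source -> ... -> sink, for triage


def track_taint(trace: List[Call]) -> List[Leak]:
    """Forward taint propagation: a value returned by a source is tainted, any call that
    consumes a tainted argument and returns a value passes the taint on (through hashing,
    JSON encoding, etc.), and a tainted argument reaching a network sink is a leak."""
    taints: Dict[str, Set[Tuple[str, Tuple[str, ...]]]] = {}
    leaks: List[Leak] = []
    for call in trace:
        if call.method in SOURCES and call.ret:
            taints[call.ret] = {(SOURCES[call.method], (call.method,))}
            continue
        incoming = set()
        for arg in call.args:
            for data_type, path in taints.get(arg, ()):
                incoming.add((data_type, path + (call.method,)))
        if call.method in NETWORK_SINKS:
            for data_type, path in sorted(incoming):   # sorted for deterministic output
                leaks.append(Leak(data_type, call.method, list(path)))
        elif call.ret and incoming:
            taints[call.ret] = incoming
    return leaks


def compliance_report(leaks: List[Leak], declared: Set[str]) -> Dict[str, List[str]]:
    """Compare data types observed reaching a network sink with those the policy declares."""
    observed = {leak.data_type for leak in leaks}
    return {
        "undisclosed_collection": sorted(observed - declared),   # exfiltrated, never disclosed
        "claimed_but_not_observed": sorted(declared - observed), # declared, never seen leaving
        "consistent": sorted(observed & declared),
    }


# Constructed trace of a fictional analytics SDK; the hashed IMEI and the advertising ID
# are packed into one JSON payload and sent, while location is only written to the log.
SAMPLE_TRACE = [
    Call("TelephonyManager.getDeviceId", (), ret="imei"),
    Call("AdvertisingIdClient.getId", (), ret="adid"),
    Call("LocationManager.getLastKnownLocation", (), ret="loc"),
    Call("Hash.sha256", ("imei",), ret="imei_hash"),
    Call("JSONObject.put", ("payload", "imei_hash"), ret="payload"),
    Call("JSONObject.put", ("payload", "adid"), ret="payload"),
    Call("OkHttpClient.newCall", ("payload",)),
    Call("Log.d", ("loc",)),
]
# Constructed policy: declares advertising ID, location and account, but not device ID.
SAMPLE_POLICY = {"advertising_id", "location", "account"}


if __name__ == "__main__":
    found = track_taint(SAMPLE_TRACE)
    for leak in found:
        print(f"{leak.data_type} -> {leak.sink} via {' -> '.join(leak.path)}")
    print(compliance_report(found, SAMPLE_POLICY))
```

On the constructed trace the tracker reports the hashed device ID and the advertising ID reaching the network sink and not the location, which is only logged; the report then flags the device ID as undisclosed collection and location and account as declared but never observed leaving the SDK. Hashing is treated as taint-preserving on purpose: a hashed hardware identifier is still a stable user identifier.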