Demystifying Privacy Policy of Third-Party Libraries in Mobile Apps
- URL: http://arxiv.org/abs/2301.12348v9
- Date: Sat, 9 Sep 2023 09:47:06 GMT
- Title: Demystifying Privacy Policy of Third-Party Libraries in Mobile Apps
- Authors: Kaifa Zhao and Xian Zhan and Le Yu and Shiyao Zhou and Hao Zhou and
Xiapu Luo and Haoyu Wang and Yepang Liu
- Abstract summary: We propose an automated system named ATPChecker to analyze whether the Android TPLs meet privacy-related regulations.
Our findings remind developers to be mindful of TPL usage when developing apps or writing privacy policies.
- Score: 37.9973848341402
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The privacy of personal information has received significant attention in
mobile software. Although previous researchers have designed some methods to
identify the conflict between app behavior and privacy policies, little is
known about investigating regulation requirements for third-party libraries
(TPLs). The regulators enacted multiple regulations to regulate the usage of
personal information for TPLs (e.g., the "California Consumer Privacy Act"
requires businesses to clearly notify consumers whether they share consumers' data with
third parties). However, it remains challenging to analyze the legality
of TPLs for three reasons: 1) TPLs are mainly published on public
repositories instead of app markets (e.g., Google Play). The public repositories
do not perform privacy compliance analysis for each TPL. 2) TPLs only provide
independent functions or function sequences. They cannot run independently,
which limits the application of performing dynamic analysis. 3) Since not all
the functions of TPLs are related to user privacy, we must locate the functions
of TPLs that access/process personal information before performing privacy
compliance analysis. To overcome the above challenges, in this paper, we
propose an automated system named ATPChecker to analyze whether the Android
TPLs meet privacy-related regulations or not. Our findings remind developers to
be mindful of TPL usage when developing apps or writing privacy policies to
avoid violating regulations.
Related papers
- Layered, Overlapping, and Inconsistent: A Large-Scale Analysis of the Multiple Privacy Policies and Controls of U.S. Banks [11.112906646827454]
Banks now operate websites, mobile apps, and other services that involve complex data sharing practices.
We collected privacy policies for the 2,067 largest U.S. banks, 45.3% of which provided multiple policies.
This multiplicity of policies, with the inconsistencies it causes, may create consumer confusion and undermine the transparency goals of the very laws that require them.
arXiv Detail & Related papers (2025-07-07T18:55:48Z)
- Privacy Law Enforcement Under Centralized Governance: A Qualitative Analysis of Four Years' Special Privacy Rectification Campaigns [8.568810204115938]
China has launched a series of privacy enforcement campaigns known as Special Privacy Rectification Campaigns (SPRCs)
SPRCs are characterized by large-scale privacy reviews and strict sanctions.
We conducted 18 semi-structured interviews with app-related engineers involved in SPRCs to better understand the campaign-style privacy enforcement.
arXiv Detail & Related papers (2025-03-11T15:56:09Z)
- PrivacyLens: Evaluating Privacy Norm Awareness of Language Models in Action [54.11479432110771]
PrivacyLens is a novel framework designed to extend privacy-sensitive seeds into expressive vignettes and further into agent trajectories.
We instantiate PrivacyLens with a collection of privacy norms grounded in privacy literature and crowdsourced seeds.
State-of-the-art LMs, like GPT-4 and Llama-3-70B, leak sensitive information in 25.68% and 38.69% of cases, even when prompted with privacy-enhancing instructions.
arXiv Detail & Related papers (2024-08-29T17:58:38Z)
- IDPFilter: Mitigating Interdependent Privacy Issues in Third-Party Apps [0.30693357740321775]
Third-party apps have increased concerns about interdependent privacy (IDP)
This paper provides a comprehensive investigation into the previously underinvestigated IDP issues of third-party apps.
We propose IDPFilter, a platform-agnostic API that enables application providers to minimize collateral information collection.
arXiv Detail & Related papers (2024-05-02T16:02:13Z)
- ATLAS: Automatically Detecting Discrepancies Between Privacy Policies and Privacy Labels [2.457872341625575]
We introduce the Automated Privacy Label Analysis System (ATLAS)
ATLAS identifies possible discrepancies between mobile app privacy policies and their privacy labels.
We find that, on average, apps have 5.32 such potential compliance issues.
arXiv Detail & Related papers (2023-05-24T05:27:22Z)
- Is It a Trap? A Large-scale Empirical Study And Comprehensive Assessment of Online Automated Privacy Policy Generators for Mobile Apps [15.181098379077344]
Automated Privacy Policy Generators can create privacy policies for mobile apps.
Nearly 20.1% of privacy policies could be generated by existing APPGs.
App developers must carefully select and use the appropriate APPGs to avoid potential pitfalls.
arXiv Detail & Related papers (2023-05-05T04:08:18Z)
- Analysis of Longitudinal Changes in Privacy Behavior of Android Applications [79.71330613821037]
In this paper, we examine the trends in how Android apps have changed over time with respect to privacy.
We examine the adoption of HTTPS, whether apps scan the device for other installed apps, the use of permissions for privacy-sensitive data, and the use of unique identifiers.
We find that privacy-related behavior has improved with time as apps continue to receive updates, and that the third-party libraries used by apps are responsible for more issues with privacy.
arXiv Detail & Related papers (2021-12-28T16:21:31Z)
- A Fait Accompli? An Empirical Study into the Absence of Consent to Third-Party Tracking in Android Apps [27.58278290929534]
Third-party tracking allows companies to collect users' behavioural data and track their activity across digital devices.
This can put deep insights into users' private lives into the hands of strangers, and often happens without users' awareness or explicit consent.
This paper investigates whether and to what extent consent is implemented in mobile apps.
arXiv Detail & Related papers (2021-06-17T11:44:49Z)
- Location Data and COVID-19 Contact Tracing: How Data Privacy Regulations and Cell Service Providers Work In Tandem [1.1470070927586016]
Cellphone Service Providers (CSPs) enable the spatial and temporal real-time user tracking.
Three of the regulations analyzed defined mobile location data as private information.
Two of the five CSPs that were analyzed did not comply with the COPPA regulation.
arXiv Detail & Related papers (2021-03-25T22:13:50Z)
- Second layer data governance for permissioned blockchains: the privacy management challenge [58.720142291102135]
In pandemic situations, such as the COVID-19 and Ebola outbreak, the action related to sharing health data is crucial to avoid the massive infection and decrease the number of deaths.
In this sense, permissioned blockchain technology emerges to empower users to get their rights providing data ownership, transparency, and security through an immutable, unified, and distributed database ruled by smart contracts.
arXiv Detail & Related papers (2020-10-22T13:19:38Z)
- A vision for global privacy bridges: Technical and legal measures for international data markets [77.34726150561087]
Despite data protection laws and an acknowledged right to privacy, trading personal information has become a business equated with "trading oil"
An open conflict is arising between business demands for data and a desire for privacy.
We propose and test a vision of a personal information market with privacy.
arXiv Detail & Related papers (2020-05-13T13:55:50Z)
- PGLP: Customizable and Rigorous Location Privacy through Policy Graph [68.3736286350014]
We propose a new location privacy notion called PGLP, which provides a rich interface to release private locations with customizable and rigorous privacy guarantee.
Specifically, we formalize a user's location privacy requirements using a location policy graph, which is expressive and customizable.
Third, we design a private location trace release framework that pipelines the detection of location exposure, policy graph repair, and private trajectory release with customizable and rigorous location privacy.
arXiv Detail & Related papers (2020-05-04T04:25:59Z)
This list is automatically generated from the titles and abstracts of the papers in this site.