Do Android App Developers Accurately Report Collection of Privacy-Related Data?
Mugdha Khedkar, Ambuj Kumar Mondal, Eric Bodden
TL;DR
The paper tackles the problem of how accurately Android apps report privacy-related data under GDPR, acknowledging that third-party libraries and abstract reporting frameworks complicate ground truth. It introduces a GDPR-focused, multi-layer taxonomy of privacy-related data and builds two datasets (UI keyword data and system API data) to support static analysis. A semi-automated tool, PRICe, is developed to detect and label privacy-related data collection, and it is used in a two-stage evaluation: a manual audit of 70 apps (RQ1) and a targeted comparison on 20 apps between reported data safety sections and static-analysis results (RQ2). The findings reveal both over- and under-reporting in practice, with substantial discrepancies for data categories like location and calendar, highlighting gaps in the data safety form design and tool support. The work provides actionable insights and artifacts to improve transparency and accuracy in data reporting, and suggests directions such as new data categories and closer alignment with app code and permissions to enhance GDPR compliance in Android apps.
Abstract
Many Android applications collect data from users. The European Union's General Data Protection Regulation (GDPR) requires vendors to faithfully disclose which data their apps collect. This task is complicated because many apps use third-party code for which the same information is not readily available. Hence we ask: how accurately do current Android apps fulfill these requirements? In this work, we first expose a multi-layered definition of privacy-related data to correctly report data collection in Android apps. We further create a dataset of privacy-sensitive data classes that may be used as input by an Android app. This dataset takes into account data collected both through the user interface and system APIs. We manually examine the data safety sections of 70 Android apps to observe how data collection is reported, identifying instances of over- and under-reporting. Additionally, we develop a prototype to statically extract and label privacy-related data collected via app source code, user interfaces, and permissions. Comparing the prototype's results with the data safety sections of 20 apps reveals reporting discrepancies. Using the results from two Messaging and Social Media apps (Signal and Instagram), we discuss how app developers under-report and over-report data collection, respectively, and identify inaccurately reported data categories. Our results show that app developers struggle to accurately report data collection, either due to Google's abstract definition of collected data or insufficient existing tool support.