Understanding Worldwide Private Information Collection on Android

TL;DR

This study analyzes private information collection on Android devices, revealing extensive data sharing with third parties, regional differences in data types collected, and implications for data regulation and privacy policies.

Contribution

It provides the largest empirical analysis of Android private information flows, highlighting regional variations and the scale of data sharing across millions of devices.

Findings

87.2% of devices send private info to at least five domains

Different regions collect different types of private data

US and China dominate private information collection

Abstract

Mobile phones enable the collection of a wealth of private information, from unique identifiers (e.g., email addresses), to a user's location, to their text messages. This information can be harvested by apps and sent to third parties, which can use it for a variety of purposes. In this paper we perform the largest study of private information collection (PIC) on Android to date. Leveraging an anonymized dataset collected from the customers of a popular mobile security product, we analyze the flows of sensitive information generated by 2.1M unique apps installed by 17.3M users over a period of 21 months between 2018 and 2019. We find that 87.2% of all devices send private information to at least five different domains, and that actors active in different regions (e.g., Asia compared to Europe) are interested in collecting different types of information. The United States (62% of the total) and China (7% of total flows) are the countries that collect most private information. Our findings raise issues regarding data regulation, and would encourage policymakers to further regulate how private information is used by and shared among the companies and how accountability can be truly guaranteed.