Do Android App Developers Accurately Report Collection of Privacy-Related Data?
Mugdha Khedkar, Ambuj Kumar Mondal, Eric Bodden

TL;DR
This study investigates the accuracy of Android app developers' data collection disclosures, revealing prevalent under- and over-reporting issues due to ambiguous definitions and limited tool support.
Contribution
The paper introduces a multi-layered privacy data definition, creates a dataset of privacy-sensitive data, and develops a prototype for static analysis to detect reporting discrepancies.
Findings
Developers often misreport data collection, either under- or over-reporting.
Discrepancies are linked to ambiguous definitions and limited tool support.
Analysis of popular apps shows significant reporting inaccuracies.
Abstract
Many Android applications collect data from users. The European Union's General Data Protection Regulation (GDPR) requires vendors to faithfully disclose which data their apps collect. This task is complicated because many apps use third-party code for which the same information is not readily available. Hence we ask: how accurately do current Android apps fulfill these requirements? In this work, we first expose a multi-layered definition of privacy-related data to correctly report data collection in Android apps. We further create a dataset of privacy-sensitive data classes that may be used as input by an Android app. This dataset takes into account data collected both through the user interface and system APIs. We manually examine the data safety sections of 70 Android apps to observe how data collection is reported, identifying instances of over- and under-reporting.…
Taxonomy
Topics: Privacy, Security, and Data Protection · Mobile Health and mHealth Applications · Green IT and Sustainability
