A Big Step Forward? A User-Centric Examination of iOS App Privacy Report and Enhancements

TL;DR

This study critically evaluates Apple's iOS App Privacy Report, revealing limited real-world impact due to user misunderstandings, and proposes targeted technical enhancements to improve privacy transparency and user understanding.

Contribution

The paper offers a systematic assessment of the App Privacy Report's effectiveness and introduces novel purpose inference and domain clarification methods to enhance privacy transparency.

Findings

Users find the privacy report lacks clarity on data access purposes.

Proposed enhancements improve user understanding and trust.

The privacy report has limited practical impact without targeted improvements.

Abstract

The prevalent engagement with mobile apps underscores the importance of understanding their data practices. Transparency plays a crucial role in this context, ensuring users to be informed and give consent before any data access occurs. Apple introduced a new feature since iOS 15.2, App Privacy Report, to inform users about detailed insights into apps' data access and sharing. This feature continues Apple's trend of privacy-focused innovations (following Privacy Nutrition Labels), and has been marketed as a big step forward in user privacy. However, its real-world impacts on user privacy and control remain unexamined. We thus proposed an end-to-end study involving systematic assessment of the App Privacy Report's real-world benefits and limitations, LLM-enabled and multi-technique synthesized enhancements, and comprehensive evaluation from both system and user perspectives. Through a structured focus group study with twelve everyday iOS users, we explored their experiences, understanding, and perceptions of the feature, suggesting its limited practical impact resulting from missing important details. We identified two primary user concerns: the clarity of data access purpose and domain description. In response, we proposed enhancements including a purpose inference framework and domain clarification pipeline. We demonstrated the effectiveness and benefits of such enhancements for mobile app users. This work provides practical insights that could help enhance user privacy transparency and discusses areas for future research.