Challenges in Android Data Disclosure: An Empirical Study

TL;DR

This empirical study investigates Android developers' experiences and challenges with accurately reporting app data collection in the Google Play Store's Data Safety Section, highlighting the need for clearer guidance and better tools.

Contribution

The paper provides a comprehensive analysis of developer challenges in data disclosure, combining surveys and online discussion analysis to identify key difficulties and areas for improvement.

Findings

Developers often manually classify privacy data or omit categories.

Developers rely heavily on online resources for completing the DSS form.

Challenges include identifying privacy data, understanding the form, and fears of app rejection.

Abstract

Current legal frameworks enforce that Android developers accurately report the data their apps collect. However, large codebases can make this reporting challenging. This paper employs an empirical approach to understand developers' experience with Google Play Store's Data Safety Section (DSS) form. We first survey 41 Android developers to understand how they categorize privacy-related data into DSS categories and how confident they feel when completing the DSS form. To gain a broader and more detailed view of the challenges developers encounter during the process, we complement the survey with an analysis of 172 online developer discussions, capturing the perspectives of 642 additional developers. Together, these two data sources represent insights from 683 developers. Our findings reveal that developers often manually classify the privacy-related data their apps collect into the data categories defined by Google-or, in some cases, omit classification entirely-and rely heavily on existing online resources when completing the form. Moreover, developers are generally confident in recognizing the data their apps collect, yet they lack confidence in translating this knowledge into DSS-compliant disclosures. Key challenges include issues in identifying privacy-relevant data to complete the form, limited understanding of the form, and concerns about app rejection due to discrepancies with Google's privacy requirements. These results underscore the need for clearer guidance and more accessible tooling to support developers in meeting privacy-aware reporting obligations.