Do Privacy Policies Match with the Logs? An Empirical Study of Privacy Disclosure in Android Application Logs
Zhiyuan Chen, Love Jayesh Ahir, Ahmad Suleiman, Kundi Yao, Yiming Tang, Weiyi Shang, Daqing Hou

TL;DR
This empirical study analyzes the consistency between privacy policies and actual logging behaviors in Android apps, revealing significant gaps and privacy leakages.
Contribution
It provides a large-scale analysis of privacy policy clarity and log-data alignment in Android applications, highlighting prevalent inconsistencies and privacy risks.
Findings
88.0% of apps have privacy policies, but only 28.5% mention logging.
27.7% of log-related statements are vague or simplistic.
67.6% of apps leak sensitive info not mentioned in policies.
Abstract
Privacy policies are intended to inform users about how software systems collect and handle data, yet they often remain vague or incomplete. This paper presents an empirical study of patterns in log-related statements within privacy policies and their alignment with privacy disclosures observed in Android application logs. We analyzed 1,000 Android apps across multiple categories, generating 86,836,964 log entries. Our findings reveal that while most applications (88.0%) provide privacy policies, only 28.5% explicitly mention logging practices. Among those that reference logging, most clearly describe what information is logged; however, 27.7% of log-related statements remain overly simplistic or vague, offering limited insight into actual data collection. We further observed widespread privacy leakages in application logs, with 67.6% of apps leaking sensitive information not mentioned…
