大规模安卓第三方 SDK 隐私评估

Mark Huasong Meng, Chuan Yan, Yun Hao, Qing Zhang, Zeyu Wang, Kailong Wang, Sin Gee Teo, Guangdong Bai, Jin Song Dong
{"title":"大规模安卓第三方 SDK 隐私评估","authors":"Mark Huasong Meng, Chuan Yan, Yun Hao, Qing Zhang, Zeyu Wang, Kailong Wang, Sin Gee Teo, Guangdong Bai, Jin Song Dong","doi":"arxiv-2409.10411","DOIUrl":null,"url":null,"abstract":"Third-party Software Development Kits (SDKs) are widely adopted in Android\napp development, to effortlessly accelerate development pipelines and enhance\napp functionality. However, this convenience raises substantial concerns about\nunauthorized access to users' privacy-sensitive information, which could be\nfurther abused for illegitimate purposes like user tracking or monetization.\nOur study offers a targeted analysis of user privacy protection among Android\nthird-party SDKs, filling a critical gap in the Android software supply chain.\nIt focuses on two aspects of their privacy practices, including data\nexfiltration and behavior-policy compliance (or privacy compliance), utilizing\ntechniques of taint analysis and large language models. It covers 158\nwidely-used SDKs from two key SDK release platforms, the official one and a\nlarge alternative one. From them, we identified 338 instances of privacy data\nexfiltration. On the privacy compliance, our study reveals that more than 30%\nof the examined SDKs fail to provide a privacy policy to disclose their data\nhandling practices. Among those that provide privacy policies, 37% of them\nover-collect user data, and 88% falsely claim access to sensitive data. We\nrevisit the latest versions of the SDKs after 12 months. Our analysis\ndemonstrates a persistent lack of improvement in these concerning trends. Based\non our findings, we propose three actionable recommendations to mitigate the\nprivacy leakage risks and enhance privacy protection for Android users. Our\nresearch not only serves as an urgent call for industry attention but also\nprovides crucial insights for future regulatory interventions.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":"20 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-09-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"A Large-Scale Privacy Assessment of Android Third-Party SDKs\",\"authors\":\"Mark Huasong Meng, Chuan Yan, Yun Hao, Qing Zhang, Zeyu Wang, Kailong Wang, Sin Gee Teo, Guangdong Bai, Jin Song Dong\",\"doi\":\"arxiv-2409.10411\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Third-party Software Development Kits (SDKs) are widely adopted in Android\\napp development, to effortlessly accelerate development pipelines and enhance\\napp functionality. However, this convenience raises substantial concerns about\\nunauthorized access to users' privacy-sensitive information, which could be\\nfurther abused for illegitimate purposes like user tracking or monetization.\\nOur study offers a targeted analysis of user privacy protection among Android\\nthird-party SDKs, filling a critical gap in the Android software supply chain.\\nIt focuses on two aspects of their privacy practices, including data\\nexfiltration and behavior-policy compliance (or privacy compliance), utilizing\\ntechniques of taint analysis and large language models. It covers 158\\nwidely-used SDKs from two key SDK release platforms, the official one and a\\nlarge alternative one. From them, we identified 338 instances of privacy data\\nexfiltration. On the privacy compliance, our study reveals that more than 30%\\nof the examined SDKs fail to provide a privacy policy to disclose their data\\nhandling practices. Among those that provide privacy policies, 37% of them\\nover-collect user data, and 88% falsely claim access to sensitive data. We\\nrevisit the latest versions of the SDKs after 12 months. Our analysis\\ndemonstrates a persistent lack of improvement in these concerning trends. Based\\non our findings, we propose three actionable recommendations to mitigate the\\nprivacy leakage risks and enhance privacy protection for Android users. Our\\nresearch not only serves as an urgent call for industry attention but also\\nprovides crucial insights for future regulatory interventions.\",\"PeriodicalId\":501278,\"journal\":{\"name\":\"arXiv - CS - Software Engineering\",\"volume\":\"20 1\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-09-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"arXiv - CS - Software Engineering\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/arxiv-2409.10411\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Software Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.10411","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 0

摘要

第三方软件开发工具包(SDK)在 Android 应用开发中被广泛采用,可轻松加速开发流程并增强应用功能。我们的研究利用污点分析技术和大型语言模型,对 Android 第三方 SDK 的用户隐私保护情况进行了有针对性的分析,填补了 Android 软件供应链中的一个重要空白,重点关注其隐私保护实践的两个方面,包括数据过滤和行为政策合规性(或隐私合规性)。它涵盖了来自两个主要 SDK 发布平台(官方平台和大型替代平台)的 158 个广泛使用的 SDK。我们从中发现了 338 个隐私数据过滤实例。在隐私合规性方面,我们的研究显示,超过 30% 的受检 SDK 没有提供隐私政策,以披露其数据处理做法。在提供隐私政策的 SDK 中,37% 过度收集用户数据,88% 谎称可以访问敏感数据。我们在 12 个月后访问了最新版本的 SDK。我们的分析表明,这些令人担忧的趋势始终没有得到改善。基于我们的研究结果,我们提出了三项可行的建议,以降低隐私泄露风险并加强对 Android 用户的隐私保护。我们的研究不仅是对行业关注的紧急呼吁,也为未来的监管干预提供了重要的见解。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
A Large-Scale Privacy Assessment of Android Third-Party SDKs
Third-party Software Development Kits (SDKs) are widely adopted in Android app development, to effortlessly accelerate development pipelines and enhance app functionality. However, this convenience raises substantial concerns about unauthorized access to users' privacy-sensitive information, which could be further abused for illegitimate purposes like user tracking or monetization. Our study offers a targeted analysis of user privacy protection among Android third-party SDKs, filling a critical gap in the Android software supply chain. It focuses on two aspects of their privacy practices, including data exfiltration and behavior-policy compliance (or privacy compliance), utilizing techniques of taint analysis and large language models. It covers 158 widely-used SDKs from two key SDK release platforms, the official one and a large alternative one. From them, we identified 338 instances of privacy data exfiltration. On the privacy compliance, our study reveals that more than 30% of the examined SDKs fail to provide a privacy policy to disclose their data handling practices. Among those that provide privacy policies, 37% of them over-collect user data, and 88% falsely claim access to sensitive data. We revisit the latest versions of the SDKs after 12 months. Our analysis demonstrates a persistent lack of improvement in these concerning trends. Based on our findings, we propose three actionable recommendations to mitigate the privacy leakage risks and enhance privacy protection for Android users. Our research not only serves as an urgent call for industry attention but also provides crucial insights for future regulatory interventions.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信