Mark Huasong Meng, Chuan Yan, Yun Hao, Qing Zhang, Zeyu Wang, Kailong Wang, Sin Gee Teo, Guangdong Bai, Jin Song Dong
{"title":"大规模安卓第三方 SDK 隐私评估","authors":"Mark Huasong Meng, Chuan Yan, Yun Hao, Qing Zhang, Zeyu Wang, Kailong Wang, Sin Gee Teo, Guangdong Bai, Jin Song Dong","doi":"arxiv-2409.10411","DOIUrl":null,"url":null,"abstract":"Third-party Software Development Kits (SDKs) are widely adopted in Android\napp development, to effortlessly accelerate development pipelines and enhance\napp functionality. However, this convenience raises substantial concerns about\nunauthorized access to users' privacy-sensitive information, which could be\nfurther abused for illegitimate purposes like user tracking or monetization.\nOur study offers a targeted analysis of user privacy protection among Android\nthird-party SDKs, filling a critical gap in the Android software supply chain.\nIt focuses on two aspects of their privacy practices, including data\nexfiltration and behavior-policy compliance (or privacy compliance), utilizing\ntechniques of taint analysis and large language models. It covers 158\nwidely-used SDKs from two key SDK release platforms, the official one and a\nlarge alternative one. From them, we identified 338 instances of privacy data\nexfiltration. On the privacy compliance, our study reveals that more than 30%\nof the examined SDKs fail to provide a privacy policy to disclose their data\nhandling practices. Among those that provide privacy policies, 37% of them\nover-collect user data, and 88% falsely claim access to sensitive data. We\nrevisit the latest versions of the SDKs after 12 months. Our analysis\ndemonstrates a persistent lack of improvement in these concerning trends. Based\non our findings, we propose three actionable recommendations to mitigate the\nprivacy leakage risks and enhance privacy protection for Android users. Our\nresearch not only serves as an urgent call for industry attention but also\nprovides crucial insights for future regulatory interventions.","PeriodicalId":501278,"journal":{"name":"arXiv - CS - Software Engineering","volume":"20 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2024-09-16","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"A Large-Scale Privacy Assessment of Android Third-Party SDKs\",\"authors\":\"Mark Huasong Meng, Chuan Yan, Yun Hao, Qing Zhang, Zeyu Wang, Kailong Wang, Sin Gee Teo, Guangdong Bai, Jin Song Dong\",\"doi\":\"arxiv-2409.10411\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Third-party Software Development Kits (SDKs) are widely adopted in Android\\napp development, to effortlessly accelerate development pipelines and enhance\\napp functionality. However, this convenience raises substantial concerns about\\nunauthorized access to users' privacy-sensitive information, which could be\\nfurther abused for illegitimate purposes like user tracking or monetization.\\nOur study offers a targeted analysis of user privacy protection among Android\\nthird-party SDKs, filling a critical gap in the Android software supply chain.\\nIt focuses on two aspects of their privacy practices, including data\\nexfiltration and behavior-policy compliance (or privacy compliance), utilizing\\ntechniques of taint analysis and large language models. It covers 158\\nwidely-used SDKs from two key SDK release platforms, the official one and a\\nlarge alternative one. From them, we identified 338 instances of privacy data\\nexfiltration. On the privacy compliance, our study reveals that more than 30%\\nof the examined SDKs fail to provide a privacy policy to disclose their data\\nhandling practices. Among those that provide privacy policies, 37% of them\\nover-collect user data, and 88% falsely claim access to sensitive data. We\\nrevisit the latest versions of the SDKs after 12 months. Our analysis\\ndemonstrates a persistent lack of improvement in these concerning trends. Based\\non our findings, we propose three actionable recommendations to mitigate the\\nprivacy leakage risks and enhance privacy protection for Android users. Our\\nresearch not only serves as an urgent call for industry attention but also\\nprovides crucial insights for future regulatory interventions.\",\"PeriodicalId\":501278,\"journal\":{\"name\":\"arXiv - CS - Software Engineering\",\"volume\":\"20 1\",\"pages\":\"\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2024-09-16\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"arXiv - CS - Software Engineering\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/arxiv-2409.10411\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"arXiv - CS - Software Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/arxiv-2409.10411","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
A Large-Scale Privacy Assessment of Android Third-Party SDKs
Third-party Software Development Kits (SDKs) are widely adopted in Android
app development, to effortlessly accelerate development pipelines and enhance
app functionality. However, this convenience raises substantial concerns about
unauthorized access to users' privacy-sensitive information, which could be
further abused for illegitimate purposes like user tracking or monetization.
Our study offers a targeted analysis of user privacy protection among Android
third-party SDKs, filling a critical gap in the Android software supply chain.
It focuses on two aspects of their privacy practices, including data
exfiltration and behavior-policy compliance (or privacy compliance), utilizing
techniques of taint analysis and large language models. It covers 158
widely-used SDKs from two key SDK release platforms, the official one and a
large alternative one. From them, we identified 338 instances of privacy data
exfiltration. On the privacy compliance, our study reveals that more than 30%
of the examined SDKs fail to provide a privacy policy to disclose their data
handling practices. Among those that provide privacy policies, 37% of them
over-collect user data, and 88% falsely claim access to sensitive data. We
revisit the latest versions of the SDKs after 12 months. Our analysis
demonstrates a persistent lack of improvement in these concerning trends. Based
on our findings, we propose three actionable recommendations to mitigate the
privacy leakage risks and enhance privacy protection for Android users. Our
research not only serves as an urgent call for industry attention but also
provides crucial insights for future regulatory interventions.