Yifan Zhang, Indiana University Bloomington; Zhaojie Hu and Xueqiang Wang, University of Central Florida; Yuhui Hong, Indiana University Bloomington; Yuhong Nan, Sun Yat-sen University; XiaoFeng Wang, Indiana University Bloomington; Jiatao Cheng, Sun Yat-sen University; Luyi Xing, Indiana University Bloomington
The rise of privacy laws like GDPR and CCPA has made privacy compliance a requirement for mobile apps. Yet, achieving it is difficult due to the apps' use of third-party SDKs with opaque data practices. Recently, to assist apps in complying with privacy laws, many leading third-party SDKs have started providing privacy APIs for configuring the SDK's data practices. Nevertheless, the extent to which such a paradigm, referred to as privacy-configurable SDKs (or PICO SDKs), truly enhances app privacy compliance remains unclear to the community.
This question can only be answered through a systematic measurement study, which is nontrivial and requires in-depth analysis of the implementation of privacy APIs in PICO SDKs, as well as the way they are utilized, sometimes through a "wrapper" SDK that encapsulates other SDKs. To address this challenge, we developed PICOSCAN, a privacy risk analysis framework targeting Android, one of the most common mobile platforms. PICOSCAN automatically analyzes the code of both apps and SDKs to detect practices that potentially invade user privacy. Applying PICOSCAN to the 65 most popular PICO SDKs and over 48,000 Google Play apps, we uncovered significant privacy risks in today's Android ecosystem. A large number of them fail to correctly utilize privacy APIs as prescribed, and even when these APIs are used, they often do not align with user privacy preferences. Moreover, our study reveals that many wrapper SDKs do not accurately convey privacy configurations to the SDKs they encapsulate, resulting in compliance risks. Our findings expose systematic failures in the design, implementation, and usage of PICO SDKs, highlighting the urgent need for more effective solutions to enhance the privacy assurance of Android apps. We will open-source the framework and make the data produced by this study publicly available.
author = {Yifan Zhang and Zhaojie Hu and Xueqiang Wang and Yuhui Hong and Yuhong Nan and XiaoFeng Wang and Jiatao Cheng and Luyi Xing},
title = {Navigating the Privacy Compliance Maze: Understanding Risks with {Privacy-Configurable} Mobile {SDKs}},
booktitle = {33rd USENIX Security Symposium (USENIX Security 24)},
year = {2024},
isbn = {978-1-939133-44-1},
address = {Philadelphia, PA},
pages = {6543--6560},
url = {https://www.usenix.org/conference/usenixsecurity24/presentation/zhang-yifan},
publisher = {USENIX Association},
month = aug
}