Longitudinal Compliance Analysis of Android Applications with Privacy Policies

Hashmi, SS; Waheed, N; Tangari, G; Ikram, M; Smith, S

Longitudinal Compliance Analysis of Android Applications with Privacy Policies

Hashmi, SS Waheed, N

Tangari, G Ikram, M Smith, S

Permalink

Publisher:: Springer
Publication Type:: Conference Proceeding
Citation:: Mobile and Ubiquitous Systems: Computing, Networking and Services, 2022, 419 LNICST, pp. 280-305
Issue Date:: 2022-01-01

Closed Access

	Filename	Description	Size
	978-3-030-94822-1_16.pdf	Published version	592.34 kB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Hashmi, SS
dc.contributor.author	Waheed, N https://orcid.org/0000-0001-5679-5365
dc.contributor.author	Tangari, G
dc.contributor.author	Ikram, M
dc.contributor.author	Smith, S
dc.date	2021-11-08
dc.date.accessioned	2023-07-01T01:30:08Z
dc.date.available	2023-07-01T01:30:08Z
dc.date.issued	2022-01-01
dc.identifier.citation	Mobile and Ubiquitous Systems: Computing, Networking and Services, 2022, 419 LNICST, pp. 280-305
dc.identifier.isbn	9783030948214
dc.identifier.issn	1867-8211
dc.identifier.issn	1867-822X
dc.identifier.uri	http://hdl.handle.net/10453/171062
dc.description.abstract	Contemporary mobile applications (apps) are designed to track, use, and share users’ data, often without their consent, which results in potential privacy and transparency issues. To investigate whether mobile apps have always been (non-)transparent regarding how they collect information about users, we perform a longitudinal analysis of the historical versions of 268 Android apps. These apps comprise 5,240 app releases or versions between 2008 and 2016. We detect inconsistencies between apps’ behaviors and the stated use of data collection in privacy policies to reveal compliance issues. We utilize machine learning techniques to classify the privacy policy text and identify the purported practices that collect and/or share users’ personal information, such as phone numbers and email addresses. We then uncover the data leaks of an app through static and dynamic analysis. Over time, our results show a steady increase in the number of apps’ data collection practices that are undisclosed in the privacy policies. This behavior is particularly troubling since privacy policy is the primary tool for describing the app’s privacy protection practices. We find that newer versions of the apps are likely to be more non-compliant than their preceding versions. The discrepancies between the purported and the actual data practices show that privacy policies are often incoherent with the apps’ behaviors, thus defying the ‘notice and choice’ principle when users install apps.
dc.language	en
dc.publisher	Springer
dc.relation.ispartof	Mobile and Ubiquitous Systems: Computing, Networking and Services
dc.relation.ispartof	EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services
dc.relation.ispartofseries	Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
dc.relation.isbasedon	10.1007/978-3-030-94822-1_16
dc.rights	info:eu-repo/semantics/closedAccess
dc.title	Longitudinal Compliance Analysis of Android Applications with Privacy Policies
dc.type	Conference Proceeding
utslib.citation.volume	419 LNICST
utslib.location.activity	Virtual Event
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/DVC (International)
utslib.copyright.status	closed_access	*
pubs.consider-herdc	false
dc.date.updated	2023-07-01T01:30:08Z
pubs.finish-date	2021-11-11
pubs.place-of-publication	Switzerland
pubs.publication-status	Published
pubs.start-date	2021-11-08
pubs.volume	419 LNICST
dc.location	Switzerland

Abstract:

Contemporary mobile applications (apps) are designed to track, use, and share users’ data, often without their consent, which results in potential privacy and transparency issues. To investigate whether mobile apps have always been (non-)transparent regarding how they collect information about users, we perform a longitudinal analysis of the historical versions of 268 Android apps. These apps comprise 5,240 app releases or versions between 2008 and 2016. We detect inconsistencies between apps’ behaviors and the stated use of data collection in privacy policies to reveal compliance issues. We utilize machine learning techniques to classify the privacy policy text and identify the purported practices that collect and/or share users’ personal information, such as phone numbers and email addresses. We then uncover the data leaks of an app through static and dynamic analysis. Over time, our results show a steady increase in the number of apps’ data collection practices that are undisclosed in the privacy policies. This behavior is particularly troubling since privacy policy is the primary tool for describing the app’s privacy protection practices. We find that newer versions of the apps are likely to be more non-compliant than their preceding versions. The discrepancies between the purported and the actual data practices show that privacy policies are often incoherent with the apps’ behaviors, thus defying the ‘notice and choice’ principle when users install apps.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/171062