Sharing is Not Always Caring: Delving Into Personal Data Transfer Compliance in Android Apps

Abstract

In an era marked by ubiquitous reliance on mobile applications for nearly every need, the opacity of apps' behavior poses significant threats to their users' privacy. Although major data protection regulations require apps to disclose their data practices transparently, previous studies have pointed out difficulties in doing so. To further delve into this issue, this article describes an automated method to capture data-sharing practices in Android apps and assess their proper disclosure according to the EU General Data Protection Regulation. We applied the method to 9,000 random Android apps, unveiling an uncomfortable reality: over 80% of Android applications that transfer personal data off device potentially fail to meet GDPR transparency requirements. We further investigate the role of third-party libraries, shedding light on the source of this problem and pointing towards measures to address it.