Study Reveals Widening Gap in Mobile App Privacy Policies


A Study Reveals Discrepancies Between Logging Practices and Privacy Policies in Android Apps

A recent examination of 1,000 Android applications across various categories uncovered significant discrepancies between logging practices and the corresponding privacy policies.

The Investigation

The research, conducted by a team of experts from multiple universities, aimed to investigate the extent to which logging practices align with the data collection policies stated in the apps’ privacy policies.

According to the study, “fewer than one-third of the privacy policies explicitly mentioned logging practices.”

The Findings

  • Only four out of the 1,000 apps examined had privacy policies that accurately reflected the sensitive data found in their logs.
  • IP addresses were frequently leaked without being disclosed in the corresponding privacy policy.
  • Device manufacturer and model identifiers were almost never mentioned in the policies.

The Implications

The study highlights a gap created by the division of labor within organizations: debugging and maintenance are the usual justification for logging, yet the diagnostic data those logs contain is rarely enumerated in the policy statements written to describe data collection.

Mitigating Risks

  • Audit log output: Conduct regular audits of log output at the Continuous Integration (CI) stage to identify potential leaks.
  • Logging in privacy impact assessments: Include logging in privacy impact assessments to ensure that all data flows, including log pipelines, are considered.
  • Inventory third-party SDKs: Keep an inventory of the third-party SDKs used in the app, document the categories of information each one transmits, and confirm that those categories are disclosed in the privacy policy.
  • Apply retention limits and redact logs: Set retention limits and implement automated scrubbing at the collection layer to reduce compliance exposure and incident response scope.
  • Review and refine logging frameworks: Regularly review and refine logging frameworks to ensure they accurately capture relevant data and adhere to organizational policies.
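The first, third and fourth recommendations above can be combined into a single CI check: scan the log output of a test run for the two categories the study found leaking most often (IP addresses and device manufacturer/model strings), redact them at the collection layer, and fail the build if a category appears that the privacy policy does not disclose. This is an added illustration, not code from the study or from any app it examined; the device identifiers, the disclosed-category set and the log lines are all constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Sensitive-value patterns. IPv4 only, for brevity; note it will also match
# dotted version strings, which a real audit should allow-list.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed: manufacturer/model of the CI test device. In practice a CI job
# would read these from the device (assumption: e.g. `adb shell getprop`).
DEVICE_IDS = ["Pixel 7", "Google"]

# Constructed sample logcat lines standing in for a test run's output.
SAMPLE_LOGS = [
    "D/NetClient: connected to 203.0.113.42:443",
    "I/Analytics: device=Google Pixel 7 sdk=33",
    "D/Cache: warmed 12 entries",
]


def build_patterns(device_ids: List[str]) -> Dict[str, "re.Pattern[str]"]:
    """Map each disclosure category to the regex that detects it."""
    return {
        "ip_address": IPV4,
        "device_identifier": re.compile("|".join(re.escape(d) for d in device_ids)),
    }


def audit_logs(lines: List[str], device_ids: List[str] = DEVICE_IDS
               ) -> Tuple[Dict[str, int], List[str]]:
    """Return (findings, redacted_lines).

    findings counts, per category, how many lines contained a match;
    redacted_lines is the same log with each match replaced by a tag, which is
    what the collection layer should forward instead of the raw line.
    """
    patterns = build_patterns(device_ids)
    findings: Dict[str, int] = {}
    redacted: List[str] = []
    for line in lines:
        out = line
        for category, pat in patterns.items():
            if pat.search(out):
                findings[category] = findings.get(category, 0) + 1
                out = pat.sub(f"<{category}>", out)
        redacted.append(out)
    return findings, redacted


def ci_gate(findings: Dict[str, int], disclosed: Set[str]) -> List[str]:
    """Categories seen in the logs but absent from the privacy policy's
    disclosed set; a non-empty result should fail the CI job."""
    return sorted(c for c in findings if c not in disclosed)
```

Running `audit_logs(SAMPLE_LOGS)` reports one IP-address line and one device-identifier line, and `ci_gate` against a policy that discloses only `ip_address` flags `device_identifier` as undisclosed.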
