Demystifying Privacy Policy of Third-Party Libraries in Mobile Apps

The privacy of personal information has received significant attention in mobile software. Although researchers have designed methods to identify the conflict between app behavior and privacy policies, little is known about the privacy compliance issues relevant to third-party libraries (TPLs). The regulators enacted articles to regulate the usage of personal information for TPLs (e.g., the CCPA requires businesses clearly notify consumers if they share consumers' data with third parties or not). However, it remains challenging to investigate the privacy compliance issues of TPLs due to three reasons: 1) Difficulties in collecting TPLs' privacy policies. In contrast to Android apps, which are distributed through markets like Google Play and must provide privacy policies, there is no unique platform for collecting privacy policies of TPLs. 2) Difficulties in analyzing TPL's user privacy access behaviors. TPLs are mainly provided in binary files, such as jar or aar, and their whole functionalities usually cannot be executed independently without host apps. 3) Difficulties in identifying consistency between TPL's functionalities and privacy policies, and host app's privacy policy and data sharing with TPLs. This requires analyzing not only the privacy policies of TPLs and host apps but also their functionalities. In this paper, we propose an automated system named ATPChecker to analyze whether Android TPLs comply with the privacy-related regulations. We construct a data set that contains a list of 458 TPLs, 247 TPL's privacy policies, 187 TPL's binary files and 641 host apps and their privacy policies. Then, we analyze the bytecode of TPLs and host apps, design natural language processing systems to analyze privacy policies, and implement an expert system to identify TPL usage-related regulation compliance. The experimental results show that 23% TPLs violate regulation requirements for providing privacy policies. Over 47% TPLs miss disclosing data usage in their privacy policies. Over 65% host apps share user data with TPLs while 65% of them miss disclosing interactions with TPLs. Our findings remind developers to be mindful of TPL usage when developing apps or writing privacy policies to avoid violating regulations.