USENIX Security 2024
Navigating the Privacy Compliance Maze: Understanding Risks with Privacy-Configurable Mobile SDKs
Yifan Zhang, Zhaojie Hu, Xueqiang Wang, Yuhui Hong, Yuhong Nan, XiaoFeng Wang, Jiatao Cheng, Luyi Xing
3 citations
Abstract
The rise of privacy laws like GDPR and CCPA has made privacy compliance a requirement for mobile apps. Yet, achieving it is difficult due to the apps' use of third-party SDKs with opaque data practices. Recently, to assist apps in complying with privacy laws, many leading third-party SDKs have started providing privacy APIs for configuring the SDK's data practices. Nevertheless, the extent to which such a paradigm, referred to as privacy-configurable SDKs (or PICO SDKs), truly enhances app privacy compliance remains unclear to the community. This question can only be answered through a systematic measurement study, which is nontrivial and requires in-depth analysis of the implementation of privacy APIs in PICO SDKs, as well as the way they are utilized, sometimes through a "wrapper" SDK that encapsulates other SDKs. To address this challenge, we developed PICOSCAN, a privacy risk analysis framework targeting Android, one of the most common mobile platforms. PICOSCAN automatically analyzes the code of both apps and SDKs to detect practices that potentially invade user privacy. Applying PICOSCAN to the 65 most popular PICO SDKs and over 48,000 Google Play apps, we uncovered significant privacy risks in today's Android ecosystem. A large number of them fail to correctly utilize privacy APIs as prescribed, and even when these APIs are used, they often do not align with user privacy preferences. Moreover, our study reveals that many wrapper SDKs do not accurately convey privacy configurations to the SDKs they encapsulate, resulting in compliance risks. Our findings expose systematic failures in the design, implementation, and usage of PICO SDKs, highlighting the urgent need for more effective solutions to enhance the privacy assurance of Android apps. We will open-source the framework and make the data produced by this study publicly available.