[{"type":"journal_article","status":"public","_id":"63834","user_id":"88024","department":[{"_id":"76"}],"article_number":"45","file_date_updated":"2026-02-11T18:32:52Z","publication_status":"published","has_accepted_license":"1","publication_identifier":{"issn":["0928-8910","1573-7535"]},"citation":{"ama":"Khedkar M, Kumar Mondal A, Bodden E. A study of privacy-related data collected by Android apps. Automated Software Engineering. 2026;33(2). doi:10.1007/s10515-025-00589-3","ieee":"M. Khedkar, A. Kumar Mondal, and E. Bodden, “A study of privacy-related data collected by Android apps,” Automated Software Engineering, vol. 33, no. 2, Art. no. 45, 2026, doi: 10.1007/s10515-025-00589-3.","chicago":"Khedkar, Mugdha, Ambuj Kumar Mondal, and Eric Bodden. “A Study of Privacy-Related Data Collected by Android Apps.” Automated Software Engineering 33, no. 2 (2026). https://doi.org/10.1007/s10515-025-00589-3.","mla":"Khedkar, Mugdha, et al. “A Study of Privacy-Related Data Collected by Android Apps.” Automated Software Engineering, vol. 33, no. 2, 45, Springer Science and Business Media LLC, 2026, doi:10.1007/s10515-025-00589-3.","short":"M. Khedkar, A. Kumar Mondal, E. Bodden, Automated Software Engineering 33 (2026).","bibtex":"@article{Khedkar_Kumar Mondal_Bodden_2026, title={A study of privacy-related data collected by Android apps}, volume={33}, DOI={10.1007/s10515-025-00589-3}, number={245}, journal={Automated Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Khedkar, Mugdha and Kumar Mondal, Ambuj and Bodden, Eric}, year={2026} }","apa":"Khedkar, M., Kumar Mondal, A., & Bodden, E. (2026). A study of privacy-related data collected by Android apps. Automated Software Engineering, 33(2), Article 45. https://doi.org/10.1007/s10515-025-00589-3"},"intvolume":" 33","date_updated":"2026-02-11T18:33:12Z","author":[{"first_name":"Mugdha","id":"88024","full_name":"Khedkar, Mugdha","last_name":"Khedkar"},{"full_name":"Kumar Mondal, Ambuj","last_name":"Kumar Mondal","first_name":"Ambuj"},{"first_name":"Eric","full_name":"Bodden, Eric","id":"59256","orcid":"0000-0003-3470-3647","last_name":"Bodden"}],"volume":33,"doi":"10.1007/s10515-025-00589-3","publication":"Automated Software Engineering","abstract":[{"lang":"eng","text":"Abstract\r\n \r\n Many Android apps collect data from users, and the European Union’s General Data Protection Regulation (GDPR) mandates clear disclosures of such data collection. However, apps often use third-party code, complicating accurate disclosures. This paper investigates how accurately current Android apps fulfill these requirements. In this work, we present a multi-layered definition of privacy-related data to correctly report data collection in Android apps. We further create a dataset of privacy-sensitive data classes that may be used as input by an Android app. This dataset takes into account data collected both through the user interface and system APIs. Based on this, we implement a semi-automated prototype that detects and labels privacy-related data collected by a given Android app. We manually examine the data safety sections of 70 Android apps to observe how data collection is reported, identifying instances of over- and under-reporting. We compare our prototype’s results with the data safety sections of 20 apps revealing reporting discrepancies. Using the results from two Messaging and Social Media apps (Signal and Instagram), we discuss how app developers under-report and over-report data collection, respectively, and identify inaccurately reported data categories. A broader study of 7,500 Android apps reveals that apps most frequently collect data that can\r\n partially identify\r\n users. Although system APIs consistently collect large amounts of privacy-related data, user interfaces exhibit some more diverse data collection patterns. A more focused study on various domains of apps reveals that the largest fraction of apps collecting personal data belong to the domain of\r\n Messaging and Social Media\r\n . Our findings show that location is collected frequently by apps, specially from the\r\n E-commerce and Shopping\r\n domain. However, it is often under-reported in app data safety sections. Our results highlight the need for greater consistency in privacy-aware app development and reporting practices.\r\n "}],"file":[{"content_type":"application/pdf","success":1,"relation":"main_file","date_updated":"2026-02-11T18:32:52Z","date_created":"2026-02-11T18:32:52Z","creator":"khedkarm","file_size":3363479,"access_level":"closed","file_name":"s10515-025-00589-3-1.pdf","file_id":"64127"}],"ddc":["006"],"language":[{"iso":"eng"}],"issue":"2","year":"2026","publisher":"Springer Science and Business Media LLC","date_created":"2026-02-02T12:36:22Z","title":"A study of privacy-related data collected by Android apps"},{"publication":"Automated Software Engineering","abstract":[{"text":"AbstractMany critical codebases are written in C, and most of them use preprocessor directives to encode variability, effectively encoding software product lines. These preprocessor directives, however, challenge any static code analysis. SPLlift, a previously presented approach for analyzing software product lines, is limited to Java programs that use a rather simple feature encoding and to analysis problems with a finite and ideally small domain. Other approaches that allow the analysis of real-world C software product lines use special-purpose analyses, preventing the reuse of existing analysis infrastructures and ignoring the progress made by the static analysis community. This work presents VarAlyzer, a novel static analysis approach for software product lines. VarAlyzer first transforms preprocessor constructs to plain C while preserving their variability and semantics. It then solves any given distributive analysis problem on transformed product lines in a variability-aware manner. VarAlyzer ’s analysis results are annotated with feature constraints that encode in which configurations each result holds. Our experiments with 95 compilation units of OpenSSL show that applying VarAlyzer enables one to conduct inter-procedural, flow-, field- and context-sensitive data-flow analyses on entire product lines for the first time, outperforming the product-based approach for highly-configurable systems.","lang":"eng"}],"keyword":["inter-procedural static analysis","software product lines","preprocessor","LLVM","C/C++"],"language":[{"iso":"eng"}],"issue":"1","year":"2022","publisher":"Springer Science and Business Media LLC","date_created":"2022-03-25T07:41:26Z","title":"Static data-flow analysis for software product lines in C","type":"journal_article","status":"public","project":[{"name":"SFB 901 - B4: SFB 901 - Subproject B4","_id":"12"},{"_id":"3","name":"SFB 901 - B: SFB 901 - Project Area B"},{"name":"SFB 901: SFB 901","_id":"1"}],"_id":"30511","user_id":"15249","department":[{"_id":"76"}],"article_type":"original","article_number":"35","alternative_title":["Revoking the preprocessor’s special role"],"publication_status":"published","publication_identifier":{"issn":["0928-8910","1573-7535"]},"citation":{"ama":"Schubert P, Gazzillo P, Patterson Z, et al. Static data-flow analysis for software product lines in C. Automated Software Engineering. 2022;29(1). doi:10.1007/s10515-022-00333-1","chicago":"Schubert, Philipp, Paul Gazzillo, Zach Patterson, Julian Braha, Fabian Benedikt Schiebel, Ben Hermann, Shiyi Wei, and Eric Bodden. “Static Data-Flow Analysis for Software Product Lines in C.” Automated Software Engineering 29, no. 1 (2022). https://doi.org/10.1007/s10515-022-00333-1.","ieee":"P. Schubert et al., “Static data-flow analysis for software product lines in C,” Automated Software Engineering, vol. 29, no. 1, Art. no. 35, 2022, doi: 10.1007/s10515-022-00333-1.","apa":"Schubert, P., Gazzillo, P., Patterson, Z., Braha, J., Schiebel, F. B., Hermann, B., Wei, S., & Bodden, E. (2022). Static data-flow analysis for software product lines in C. Automated Software Engineering, 29(1), Article 35. https://doi.org/10.1007/s10515-022-00333-1","bibtex":"@article{Schubert_Gazzillo_Patterson_Braha_Schiebel_Hermann_Wei_Bodden_2022, title={Static data-flow analysis for software product lines in C}, volume={29}, DOI={10.1007/s10515-022-00333-1}, number={135}, journal={Automated Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Schubert, Philipp and Gazzillo, Paul and Patterson, Zach and Braha, Julian and Schiebel, Fabian Benedikt and Hermann, Ben and Wei, Shiyi and Bodden, Eric}, year={2022} }","short":"P. Schubert, P. Gazzillo, Z. Patterson, J. Braha, F.B. Schiebel, B. Hermann, S. Wei, E. Bodden, Automated Software Engineering 29 (2022).","mla":"Schubert, Philipp, et al. “Static Data-Flow Analysis for Software Product Lines in C.” Automated Software Engineering, vol. 29, no. 1, 35, Springer Science and Business Media LLC, 2022, doi:10.1007/s10515-022-00333-1."},"intvolume":" 29","oa":"1","date_updated":"2025-12-04T10:42:38Z","author":[{"first_name":"Philipp","id":"60543","full_name":"Schubert, Philipp","last_name":"Schubert","orcid":"0000-0002-8674-1859"},{"last_name":"Gazzillo","full_name":"Gazzillo, Paul","first_name":"Paul"},{"full_name":"Patterson, Zach","last_name":"Patterson","first_name":"Zach"},{"first_name":"Julian","last_name":"Braha","full_name":"Braha, Julian"},{"first_name":"Fabian Benedikt","id":"55745","full_name":"Schiebel, Fabian Benedikt","orcid":"0009-0008-6867-9802","last_name":"Schiebel"},{"first_name":"Ben","last_name":"Hermann","orcid":"0000-0001-9848-2017","id":"66173","full_name":"Hermann, Ben"},{"first_name":"Shiyi","full_name":"Wei, Shiyi","last_name":"Wei"},{"first_name":"Eric","id":"59256","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden"}],"volume":29,"main_file_link":[{"url":"https://link.springer.com/article/10.1007/s10515-022-00333-1","open_access":"1"}],"doi":"10.1007/s10515-022-00333-1"}]