[{"title":"A study of privacy-related data collected by Android apps","publisher":"Springer Science and Business Media LLC","date_created":"2026-02-02T12:36:22Z","year":"2026","issue":"2","ddc":["006"],"language":[{"iso":"eng"}],"abstract":[{"text":"<jats:title>Abstract</jats:title>\r\n                  <jats:p>\r\n                    Many Android apps collect data from users, and the European Union’s General Data Protection Regulation (GDPR) mandates clear disclosures of such data collection. However, apps often use third-party code, complicating accurate disclosures. This paper investigates how accurately current Android apps fulfill these requirements. In this work, we present a multi-layered definition of privacy-related data to correctly report data collection in Android apps. We further create a dataset of privacy-sensitive data classes that may be used as input by an Android app. This dataset takes into account data collected both through the user interface and system APIs. Based on this, we implement a semi-automated prototype that detects and labels privacy-related data collected by a given Android app. We manually examine the data safety sections of 70 Android apps to observe how data collection is reported, identifying instances of over- and under-reporting. We compare our prototype’s results with the data safety sections of 20 apps revealing reporting discrepancies. Using the results from two Messaging and Social Media apps (Signal and Instagram), we discuss how app developers under-report and over-report data collection, respectively, and identify inaccurately reported data categories. A broader study of 7,500 Android apps reveals that apps most frequently collect data that can\r\n                    <jats:italic>partially identify</jats:italic>\r\n                    users. Although system APIs consistently collect large amounts of privacy-related data, user interfaces exhibit some more diverse data collection patterns. A more focused study on various domains of apps reveals that the largest fraction of apps collecting personal data belong to the domain of\r\n                    <jats:italic>Messaging and Social Media</jats:italic>\r\n                    . Our findings show that location is collected frequently by apps, specially from the\r\n                    <jats:italic>E-commerce and Shopping</jats:italic>\r\n                    domain. However, it is often under-reported in app data safety sections. Our results highlight the need for greater consistency in privacy-aware app development and reporting practices.\r\n                  </jats:p>","lang":"eng"}],"file":[{"content_type":"application/pdf","success":1,"relation":"main_file","date_updated":"2026-02-11T18:32:52Z","date_created":"2026-02-11T18:32:52Z","creator":"khedkarm","file_size":3363479,"file_name":"s10515-025-00589-3-1.pdf","file_id":"64127","access_level":"closed"}],"publication":"Automated Software Engineering","doi":"10.1007/s10515-025-00589-3","date_updated":"2026-02-11T18:33:12Z","volume":33,"author":[{"first_name":"Mugdha","last_name":"Khedkar","id":"88024","full_name":"Khedkar, Mugdha"},{"first_name":"Ambuj","full_name":"Kumar Mondal, Ambuj","last_name":"Kumar Mondal"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","id":"59256","full_name":"Bodden, Eric"}],"intvolume":"        33","citation":{"ieee":"M. Khedkar, A. Kumar Mondal, and E. Bodden, “A study of privacy-related data collected by Android apps,” <i>Automated Software Engineering</i>, vol. 33, no. 2, Art. no. 45, 2026, doi: <a href=\"https://doi.org/10.1007/s10515-025-00589-3\">10.1007/s10515-025-00589-3</a>.","chicago":"Khedkar, Mugdha, Ambuj Kumar Mondal, and Eric Bodden. “A Study of Privacy-Related Data Collected by Android Apps.” <i>Automated Software Engineering</i> 33, no. 2 (2026). <a href=\"https://doi.org/10.1007/s10515-025-00589-3\">https://doi.org/10.1007/s10515-025-00589-3</a>.","ama":"Khedkar M, Kumar Mondal A, Bodden E. A study of privacy-related data collected by Android apps. <i>Automated Software Engineering</i>. 2026;33(2). doi:<a href=\"https://doi.org/10.1007/s10515-025-00589-3\">10.1007/s10515-025-00589-3</a>","apa":"Khedkar, M., Kumar Mondal, A., &#38; Bodden, E. (2026). A study of privacy-related data collected by Android apps. <i>Automated Software Engineering</i>, <i>33</i>(2), Article 45. <a href=\"https://doi.org/10.1007/s10515-025-00589-3\">https://doi.org/10.1007/s10515-025-00589-3</a>","short":"M. Khedkar, A. Kumar Mondal, E. Bodden, Automated Software Engineering 33 (2026).","mla":"Khedkar, Mugdha, et al. “A Study of Privacy-Related Data Collected by Android Apps.” <i>Automated Software Engineering</i>, vol. 33, no. 2, 45, Springer Science and Business Media LLC, 2026, doi:<a href=\"https://doi.org/10.1007/s10515-025-00589-3\">10.1007/s10515-025-00589-3</a>.","bibtex":"@article{Khedkar_Kumar Mondal_Bodden_2026, title={A study of privacy-related data collected by Android apps}, volume={33}, DOI={<a href=\"https://doi.org/10.1007/s10515-025-00589-3\">10.1007/s10515-025-00589-3</a>}, number={245}, journal={Automated Software Engineering}, publisher={Springer Science and Business Media LLC}, author={Khedkar, Mugdha and Kumar Mondal, Ambuj and Bodden, Eric}, year={2026} }"},"has_accepted_license":"1","publication_identifier":{"issn":["0928-8910","1573-7535"]},"publication_status":"published","article_number":"45","file_date_updated":"2026-02-11T18:32:52Z","_id":"63834","department":[{"_id":"76"}],"user_id":"88024","status":"public","type":"journal_article"},{"publication":"Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft '26). Association for Computing Machinery, New York, NY, USA, 65–68.","type":"conference","status":"public","abstract":[{"text":"Current legal frameworks enforce that Android developers accurately report the data their apps collect. However, large codebases can make this reporting challenging. This paper employs an empirical approach to understand developers' experience with Google Play Store's Data Safety Section (DSS) form.\r\n\r\nWe first survey 41 Android developers to understand how they categorize privacy-related data into DSS categories and how confident they feel when completing the DSS form. To gain a broader and more detailed view of the challenges developers encounter during the process, we complement the survey with an analysis of 172 online developer discussions, capturing the perspectives of 642 additional developers. Together, these two data sources represent insights from 683 developers.\r\n\r\nOur findings reveal that developers often manually classify the privacy-related data their apps collect into the data categories defined by Google-or, in some cases, omit classification entirely-and rely heavily on existing online resources when completing the form. Moreover, developers are generally confident in recognizing the data their apps collect, yet they lack confidence in translating this knowledge into DSS-compliant disclosures. Key challenges include issues in identifying privacy-relevant data to complete the form, limited understanding of the form, and concerns about app rejection due to discrepancies with Google's privacy requirements.\r\nThese results underscore the need for clearer guidance and more accessible tooling to support developers in meeting privacy-aware reporting obligations. ","lang":"eng"}],"department":[{"_id":"76"}],"user_id":"88024","_id":"64823","external_id":{"arxiv":["2601.20459"]},"language":[{"iso":"eng"}],"keyword":["static analysis","data collection","data protection","privacy-aware reporting"],"citation":{"ama":"Khedkar M, Schlichtig M, Soliman MAM, Bodden E. Challenges in Android Data Disclosure: An Empirical Study. In: <i>Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA, 65–68.</i> ; 2026.","ieee":"M. Khedkar, M. Schlichtig, M. A. M. Soliman, and E. Bodden, “Challenges in Android Data Disclosure: An Empirical Study.,” presented at the 13th International Conference on Mobile Software Engineering and Systems 2024, Rio de Janeiro, Brazil, 2026.","chicago":"Khedkar, Mugdha, Michael Schlichtig, Mohamed Aboubakr Mohamed Soliman, and Eric Bodden. “Challenges in Android Data Disclosure: An Empirical Study.” In <i>Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA, 65–68.</i>, 2026.","apa":"Khedkar, M., Schlichtig, M., Soliman, M. A. M., &#38; Bodden, E. (2026). Challenges in Android Data Disclosure: An Empirical Study. <i>Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA, 65–68.</i> 13th International Conference on Mobile Software Engineering and Systems 2024, Rio de Janeiro, Brazil.","bibtex":"@inproceedings{Khedkar_Schlichtig_Soliman_Bodden_2026, title={Challenges in Android Data Disclosure: An Empirical Study.}, booktitle={Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA, 65–68.}, author={Khedkar, Mugdha and Schlichtig, Michael and Soliman, Mohamed Aboubakr Mohamed and Bodden, Eric}, year={2026} }","short":"M. Khedkar, M. Schlichtig, M.A.M. Soliman, E. Bodden, in: Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA, 65–68., 2026.","mla":"Khedkar, Mugdha, et al. “Challenges in Android Data Disclosure: An Empirical Study.” <i>Proceedings of the IEEE/ACM 13th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’26). Association for Computing Machinery, New York, NY, USA, 65–68.</i>, 2026."},"year":"2026","author":[{"first_name":"Mugdha","last_name":"Khedkar","id":"88024","full_name":"Khedkar, Mugdha"},{"first_name":"Michael","full_name":"Schlichtig, Michael","id":"32312","last_name":"Schlichtig","orcid":"0000-0001-6600-6171"},{"first_name":"Mohamed Aboubakr Mohamed","full_name":"Soliman, Mohamed Aboubakr Mohamed","id":"102489","last_name":"Soliman"},{"first_name":"Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","full_name":"Bodden, Eric","id":"59256"}],"date_created":"2026-03-04T08:10:43Z","date_updated":"2026-03-13T12:10:10Z","conference":{"end_date":"2026-04-18","location":"Rio de Janeiro, Brazil","name":"13th International Conference on Mobile Software Engineering and Systems 2024","start_date":"2026-04-12"},"title":"Challenges in Android Data Disclosure: An Empirical Study."},{"year":"2026","citation":{"apa":"Khedkar, M., Schlichtig, M., Atakishiyev, N., &#38; Bodden, E. (2026). Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments. <i>Automated Software Engineering </i>, <i>33</i>(2), Article 56. <a href=\"https://doi.org/10.1007/s10515-026-00601-4\">https://doi.org/10.1007/s10515-026-00601-4</a>","bibtex":"@article{Khedkar_Schlichtig_Atakishiyev_Bodden_2026, title={Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments}, volume={33}, DOI={<a href=\"https://doi.org/10.1007/s10515-026-00601-4\">10.1007/s10515-026-00601-4</a>}, number={256}, journal={Automated Software Engineering }, publisher={Springer US}, author={Khedkar, Mugdha and Schlichtig, Michael and Atakishiyev, Nihad and Bodden, Eric}, year={2026} }","mla":"Khedkar, Mugdha, et al. “Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments.” <i>Automated Software Engineering </i>, vol. 33, no. 2, 56, Springer US, 2026, doi:<a href=\"https://doi.org/10.1007/s10515-026-00601-4\">10.1007/s10515-026-00601-4</a>.","short":"M. Khedkar, M. Schlichtig, N. Atakishiyev, E. Bodden, Automated Software Engineering  33 (2026).","ama":"Khedkar M, Schlichtig M, Atakishiyev N, Bodden E. Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments. <i>Automated Software Engineering </i>. 2026;33(2). doi:<a href=\"https://doi.org/10.1007/s10515-026-00601-4\">10.1007/s10515-026-00601-4</a>","ieee":"M. Khedkar, M. Schlichtig, N. Atakishiyev, and E. Bodden, “Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments,” <i>Automated Software Engineering </i>, vol. 33, no. 2, Art. no. 56, 2026, doi: <a href=\"https://doi.org/10.1007/s10515-026-00601-4\">10.1007/s10515-026-00601-4</a>.","chicago":"Khedkar, Mugdha, Michael Schlichtig, Nihad Atakishiyev, and Eric Bodden. “Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments.” <i>Automated Software Engineering </i> 33, no. 2 (2026). <a href=\"https://doi.org/10.1007/s10515-026-00601-4\">https://doi.org/10.1007/s10515-026-00601-4</a>."},"intvolume":"        33","publication_identifier":{"unknown":["1573-7535"]},"issue":"2","title":"Between Law and Code: Challenges and Opportunities for Automating Privacy Assessments","doi":"10.1007/s10515-026-00601-4","publisher":"Springer US","date_updated":"2026-03-13T12:10:38Z","date_created":"2026-03-04T08:03:14Z","author":[{"last_name":"Khedkar","id":"88024","full_name":"Khedkar, Mugdha","first_name":"Mugdha"},{"id":"32312","full_name":"Schlichtig, Michael","orcid":"0000-0001-6600-6171","last_name":"Schlichtig","first_name":"Michael"},{"first_name":"Nihad","full_name":"Atakishiyev, Nihad","last_name":"Atakishiyev"},{"first_name":"Eric","full_name":"Bodden, Eric","id":"59256","orcid":"0000-0003-3470-3647","last_name":"Bodden"}],"volume":33,"status":"public","type":"journal_article","publication":"Automated Software Engineering ","article_number":"56","language":[{"iso":"eng"}],"_id":"64821","user_id":"88024","department":[{"_id":"76"}]},{"main_file_link":[{"url":"https://mugdhak30.github.io/assets/Preprints/RoPA_SANER2026.pdf"}],"language":[{"iso":"eng"}],"title":"Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View","user_id":"88024","author":[{"first_name":"Mugdha","last_name":"Khedkar","full_name":"Khedkar, Mugdha","id":"88024"},{"first_name":"Michael","last_name":"Schlichtig","orcid":"0000-0001-6600-6171","id":"32312","full_name":"Schlichtig, Michael"},{"first_name":"Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","id":"59256"}],"date_created":"2026-03-13T12:16:09Z","department":[{"_id":"76"}],"date_updated":"2026-03-13T12:17:01Z","_id":"64909","citation":{"apa":"Khedkar, M., Schlichtig, M., &#38; Bodden, E. (2026). Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View. <i>IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026)</i>.","short":"M. Khedkar, M. Schlichtig, E. Bodden, in: IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026), 2026.","mla":"Khedkar, Mugdha, et al. “Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View.” <i>IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026)</i>, 2026.","bibtex":"@inproceedings{Khedkar_Schlichtig_Bodden_2026, title={Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View}, booktitle={IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026)}, author={Khedkar, Mugdha and Schlichtig, Michael and Bodden, Eric}, year={2026} }","chicago":"Khedkar, Mugdha, Michael Schlichtig, and Eric Bodden. “Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View.” In <i>IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026)</i>, 2026.","ieee":"M. Khedkar, M. Schlichtig, and E. Bodden, “Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View,” 2026.","ama":"Khedkar M, Schlichtig M, Bodden E. Source Code-Driven GDPR Documentation: Supporting RoPA with Assessor View. In: <i>IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026)</i>. ; 2026."},"status":"public","year":"2026","type":"conference","publication":"IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER 2026)"},{"year":"2025","citation":{"apa":"Khedkar, M., Schlichtig, M., Mohan, S., &#38; Bodden, E. (2025). Visualizing Privacy-Relevant Data Flows in Android Applications. In <i>arXiv:2503.16640</i>.","mla":"Khedkar, Mugdha, et al. “Visualizing Privacy-Relevant Data Flows in Android Applications.” <i>ArXiv:2503.16640</i>, 2025.","bibtex":"@article{Khedkar_Schlichtig_Mohan_Bodden_2025, title={Visualizing Privacy-Relevant Data Flows in Android Applications}, journal={arXiv:2503.16640}, author={Khedkar, Mugdha and Schlichtig, Michael and Mohan, Santhosh and Bodden, Eric}, year={2025} }","short":"M. Khedkar, M. Schlichtig, S. Mohan, E. Bodden, ArXiv:2503.16640 (2025).","chicago":"Khedkar, Mugdha, Michael Schlichtig, Santhosh Mohan, and Eric Bodden. “Visualizing Privacy-Relevant Data Flows in Android Applications.” <i>ArXiv:2503.16640</i>, 2025.","ieee":"M. Khedkar, M. Schlichtig, S. Mohan, and E. Bodden, “Visualizing Privacy-Relevant Data Flows in Android Applications,” <i>arXiv:2503.16640</i>. 2025.","ama":"Khedkar M, Schlichtig M, Mohan S, Bodden E. Visualizing Privacy-Relevant Data Flows in Android Applications. <i>arXiv:250316640</i>. Published online 2025."},"date_updated":"2026-03-16T17:40:56Z","date_created":"2026-03-16T17:39:12Z","author":[{"last_name":"Khedkar","id":"88024","full_name":"Khedkar, Mugdha","first_name":"Mugdha"},{"orcid":"0000-0001-6600-6171","last_name":"Schlichtig","id":"32312","full_name":"Schlichtig, Michael","first_name":"Michael"},{"first_name":"Santhosh","full_name":"Mohan, Santhosh","last_name":"Mohan"},{"last_name":"Bodden","orcid":"0000-0003-3470-3647","full_name":"Bodden, Eric","id":"59256","first_name":"Eric"}],"title":"Visualizing Privacy-Relevant Data Flows in Android Applications","publication":"arXiv:2503.16640","type":"preprint","abstract":[{"lang":"eng","text":"Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since in 2018 the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to integrate privacy-aware practices into source code development. Despite these legal obligations, developers have limited tool support to reason about data protection throughout their app development process.\r\n  This paper explores the use of static program slicing and software visualization to analyze privacy-relevant data flows in Android apps. We introduce SliceViz, a web tool that analyzes an Android app by slicing all privacy-relevant data sources detected in the source code on the back-end. It then helps developers by visualizing these privacy-relevant program slices.\r\n  We conducted a user study with 12 participants demonstrating that SliceViz effectively aids developers in identifying privacy-relevant properties in Android apps.\r\n  Our findings indicate that program slicing can be employed to identify and reason about privacy-relevant data flows in Android applications. With further usability improvements, developers can be better equipped to handle privacy-sensitive information."}],"status":"public","external_id":{"arxiv":["2503.16640"]},"_id":"65018","department":[{"_id":"76"}],"user_id":"32312","language":[{"iso":"eng"}]},{"file":[{"success":1,"relation":"main_file","content_type":"application/pdf","file_size":530812,"file_id":"52236","access_level":"closed","file_name":"2402.07889v1.pdf","date_updated":"2024-03-03T14:39:08Z","creator":"khedkarm","date_created":"2024-03-03T14:39:08Z"}],"abstract":[{"lang":"eng","text":"Android applications collecting data from users must protect it according to the current legal frameworks. Such data protection has become even more important since the European Union rolled out the General Data Protection Regulation (GDPR). Since app developers are not legal experts, they find it difficult to write privacy-aware source code. Moreover, they have limited tool support to reason about data protection throughout their app development process.\r\nThis paper motivates the need for a static analysis approach to diagnose and explain data protection in Android apps. The analysis will recognize personal data sources in the source code, and aims to further examine the data flow originating from these sources. App developers can then address key questions about data manipulation, derived data, and the presence of technical measures. Despite challenges, we explore to what extent one can realize this analysis through static taint analysis, a common method for identifying security vulnerabilities. This is a first step towards designing a tool-based approach that aids app developers and assessors in ensuring data protection in Android apps, based on automated static program analysis. "}],"publication":"Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft '24). Association for Computing Machinery, New York, NY, USA, 65–68.","language":[{"iso":"eng"}],"keyword":["static program analysis","data protection and privacy","GDPR compliance"],"ddc":["006"],"external_id":{"arxiv":["2402.07889"]},"year":"2024","title":"Toward an Android Static Analysis Approach for Data Protection","date_created":"2024-03-03T14:37:53Z","status":"public","type":"conference","file_date_updated":"2024-03-03T14:39:08Z","department":[{"_id":"76"}],"user_id":"88024","_id":"52235","citation":{"chicago":"Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach for Data Protection.” In <i>Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery, New York, NY, USA, 65–68.</i>, 2024. <a href=\"https://doi.org/10.1145/3647632.3651389\">https://doi.org/10.1145/3647632.3651389</a>.","ieee":"M. Khedkar and E. Bodden, “Toward an Android Static Analysis Approach for Data Protection,” presented at the 11th International Conference on Mobile Software Engineering and Systems 2024, Lisbon, Portugal, 2024, doi: <a href=\"https://doi.org/10.1145/3647632.3651389\">10.1145/3647632.3651389</a>.","ama":"Khedkar M, Bodden E. Toward an Android Static Analysis Approach for Data Protection. In: <i>Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery, New York, NY, USA, 65–68.</i> ; 2024. doi:<a href=\"https://doi.org/10.1145/3647632.3651389\">10.1145/3647632.3651389</a>","bibtex":"@inproceedings{Khedkar_Bodden_2024, title={Toward an Android Static Analysis Approach for Data Protection}, DOI={<a href=\"https://doi.org/10.1145/3647632.3651389\">10.1145/3647632.3651389</a>}, booktitle={Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery, New York, NY, USA, 65–68.}, author={Khedkar, Mugdha and Bodden, Eric}, year={2024} }","mla":"Khedkar, Mugdha, and Eric Bodden. “Toward an Android Static Analysis Approach for Data Protection.” <i>Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery, New York, NY, USA, 65–68.</i>, 2024, doi:<a href=\"https://doi.org/10.1145/3647632.3651389\">10.1145/3647632.3651389</a>.","short":"M. Khedkar, E. Bodden, in: Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery, New York, NY, USA, 65–68., 2024.","apa":"Khedkar, M., &#38; Bodden, E. (2024). Toward an Android Static Analysis Approach for Data Protection. <i>Proceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems (MOBILESoft ’24). Association for Computing Machinery, New York, NY, USA, 65–68.</i> 11th International Conference on Mobile Software Engineering and Systems 2024, Lisbon, Portugal. <a href=\"https://doi.org/10.1145/3647632.3651389\">https://doi.org/10.1145/3647632.3651389</a>"},"has_accepted_license":"1","conference":{"end_date":"2024-04-15","location":"Lisbon, Portugal","name":"11th International Conference on Mobile Software Engineering and Systems 2024","start_date":"2024-04-14"},"doi":"10.1145/3647632.3651389","author":[{"full_name":"Khedkar, Mugdha","id":"88024","last_name":"Khedkar","first_name":"Mugdha"},{"id":"59256","full_name":"Bodden, Eric","last_name":"Bodden","orcid":"0000-0003-3470-3647","first_name":"Eric"}],"date_updated":"2026-03-04T08:11:48Z"},{"has_accepted_license":"1","citation":{"apa":"Khedkar, M., Mondal, A. K., &#38; Bodden, E. (2024). Do Android App Developers Accurately Report Collection of Privacy-Related Data? <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>. 39th IEEE/ACM International Conference on Automated Software Engineering (ASE 2024), Sacramento, California. <a href=\"https://doi.org/10.1145/3691621.3694949\">https://doi.org/10.1145/3691621.3694949</a>","short":"M. Khedkar, A.K. Mondal, E. Bodden, in: In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24), 2024.","bibtex":"@inproceedings{Khedkar_Mondal_Bodden_2024, title={Do Android App Developers Accurately Report Collection of Privacy-Related Data?}, DOI={<a href=\"https://doi.org/10.1145/3691621.3694949\">10.1145/3691621.3694949</a>}, booktitle={In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)}, author={Khedkar, Mugdha and Mondal, Ambuj Kumar and Bodden, Eric}, year={2024} }","mla":"Khedkar, Mugdha, et al. “Do Android App Developers Accurately Report Collection of Privacy-Related Data?” <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>, 2024, doi:<a href=\"https://doi.org/10.1145/3691621.3694949\">10.1145/3691621.3694949</a>.","ama":"Khedkar M, Mondal AK, Bodden E. Do Android App Developers Accurately Report Collection of Privacy-Related Data? In: <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>. ; 2024. doi:<a href=\"https://doi.org/10.1145/3691621.3694949\">10.1145/3691621.3694949</a>","ieee":"M. Khedkar, A. K. Mondal, and E. Bodden, “Do Android App Developers Accurately Report Collection of Privacy-Related Data?,” presented at the 39th IEEE/ACM International Conference on Automated Software Engineering (ASE 2024), Sacramento, California, 2024, doi: <a href=\"https://doi.org/10.1145/3691621.3694949\">10.1145/3691621.3694949</a>.","chicago":"Khedkar, Mugdha, Ambuj Kumar Mondal, and Eric Bodden. “Do Android App Developers Accurately Report Collection of Privacy-Related Data?” In <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>, 2024. <a href=\"https://doi.org/10.1145/3691621.3694949\">https://doi.org/10.1145/3691621.3694949</a>."},"author":[{"first_name":"Mugdha","full_name":"Khedkar, Mugdha","id":"88024","last_name":"Khedkar"},{"full_name":"Mondal, Ambuj Kumar","last_name":"Mondal","first_name":"Ambuj Kumar"},{"orcid":"0000-0003-3470-3647","last_name":"Bodden","id":"59256","full_name":"Bodden, Eric","first_name":"Eric"}],"date_updated":"2024-11-18T13:19:51Z","doi":"10.1145/3691621.3694949","conference":{"name":"39th IEEE/ACM International Conference on Automated Software Engineering (ASE 2024)","start_date":"2024-10-27","end_date":"2024-11-01","location":"Sacramento, California"},"type":"conference","status":"public","user_id":"88024","department":[{"_id":"76"}],"_id":"56137","file_date_updated":"2024-09-16T08:49:42Z","year":"2024","date_created":"2024-09-16T08:50:54Z","title":"Do Android App Developers Accurately Report Collection of Privacy-Related Data?","publication":"In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)","file":[{"success":1,"relation":"main_file","content_type":"application/pdf","file_size":1270058,"file_name":"2409.04167v1.pdf","access_level":"closed","file_id":"56138","date_updated":"2024-09-16T08:49:42Z","creator":"khedkarm","date_created":"2024-09-16T08:49:42Z"}],"abstract":[{"lang":"eng","text":"Many Android applications collect data from users. The European Union's General Data Protection Regulation (GDPR) requires vendors to faithfully disclose which data their apps collect. This task is complicated because many apps use third-party code for which the same information is not readily available. Hence we ask: how accurately do current Android apps fulfill these requirements?\r\nIn this work, we first expose a multi-layered definition of privacy-related data to correctly report data collection in Android apps. We further create a dataset of privacy-sensitive data classes that may be used as input by an Android app. This dataset takes into account data collected both through the user interface and system APIs.\r\nWe manually examine the data safety sections of 70 Android apps to observe how data collection is reported, identifying instances of over- and under-reporting. Additionally, we develop a prototype to statically extract and label privacy-related data collected via app source code, user interfaces, and permissions. Comparing the prototype's results with the data safety sections of 20 apps reveals reporting discrepancies. Using the results from two Messaging and Social Media apps (Signal and Instagram), we discuss how app developers under-report and over-report data collection, respectively, and identify inaccurately reported data categories.\r\nOur results show that app developers struggle to accurately report data collection, either due to Google's abstract definition of collected data or insufficient existing tool support. "}],"external_id":{"arxiv":["2409.04167"]},"language":[{"iso":"eng"}],"ddc":["000"]},{"title":"Advancing Android Privacy Assessments with Automation","date_created":"2024-09-16T08:55:34Z","year":"2024","ddc":["000"],"language":[{"iso":"eng"}],"external_id":{"arxiv":["2409.06564"]},"abstract":[{"lang":"eng","text":"    Android apps collecting data from users must comply with legal frameworks to ensure data protection. This requirement has become even more important since the implementation of the General Data Protection Regulation (GDPR) by the European Union in 2018. Moreover, with the proposed Cyber Resilience Act on the horizon, stakeholders will soon need to assess software against even more stringent security and privacy standards. Effective privacy assessments require collaboration among groups with diverse expertise to function effectively as a cohesive unit.\r\n    This paper motivates the need for an automated approach that enhances understanding of data protection in Android apps and improves communication between the various parties involved in privacy assessments. We propose the Assessor View, a tool designed to bridge the knowledge gap between these parties, facilitating more effective privacy assessments of Android applications. "}],"file":[{"file_name":"2409.06564v1.pdf","file_id":"56141","access_level":"closed","file_size":1207856,"creator":"khedkarm","date_created":"2024-09-16T08:55:23Z","date_updated":"2024-09-16T08:55:23Z","relation":"main_file","success":1,"content_type":"application/pdf"}],"publication":"In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)","conference":{"name":"39th IEEE/ACM International Conference on Automated Software Engineering (ASE 2024)","start_date":"2024-10-27","end_date":"2024-11-01","location":"Sacramento, California"},"doi":"10.1145/3691621.3694953","date_updated":"2026-03-13T12:12:45Z","author":[{"first_name":"Mugdha","last_name":"Khedkar","id":"88024","full_name":"Khedkar, Mugdha"},{"first_name":"Michael","orcid":"0000-0001-6600-6171","last_name":"Schlichtig","id":"32312","full_name":"Schlichtig, Michael"},{"id":"59256","full_name":"Bodden, Eric","orcid":"0000-0003-3470-3647","last_name":"Bodden","first_name":"Eric"}],"citation":{"chicago":"Khedkar, Mugdha, Michael Schlichtig, and Eric Bodden. “Advancing Android Privacy Assessments with Automation.” In <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>, 2024. <a href=\"https://doi.org/10.1145/3691621.3694953\">https://doi.org/10.1145/3691621.3694953</a>.","ieee":"M. Khedkar, M. Schlichtig, and E. Bodden, “Advancing Android Privacy Assessments with Automation,” presented at the 39th IEEE/ACM International Conference on Automated Software Engineering (ASE 2024), Sacramento, California, 2024, doi: <a href=\"https://doi.org/10.1145/3691621.3694953\">10.1145/3691621.3694953</a>.","ama":"Khedkar M, Schlichtig M, Bodden E. Advancing Android Privacy Assessments with Automation. In: <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>. ; 2024. doi:<a href=\"https://doi.org/10.1145/3691621.3694953\">10.1145/3691621.3694953</a>","apa":"Khedkar, M., Schlichtig, M., &#38; Bodden, E. (2024). Advancing Android Privacy Assessments with Automation. <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>. 39th IEEE/ACM International Conference on Automated Software Engineering (ASE 2024), Sacramento, California. <a href=\"https://doi.org/10.1145/3691621.3694953\">https://doi.org/10.1145/3691621.3694953</a>","short":"M. Khedkar, M. Schlichtig, E. Bodden, in: In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24), 2024.","bibtex":"@inproceedings{Khedkar_Schlichtig_Bodden_2024, title={Advancing Android Privacy Assessments with Automation}, DOI={<a href=\"https://doi.org/10.1145/3691621.3694953\">10.1145/3691621.3694953</a>}, booktitle={In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)}, author={Khedkar, Mugdha and Schlichtig, Michael and Bodden, Eric}, year={2024} }","mla":"Khedkar, Mugdha, et al. “Advancing Android Privacy Assessments with Automation.” <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>, 2024, doi:<a href=\"https://doi.org/10.1145/3691621.3694953\">10.1145/3691621.3694953</a>."},"has_accepted_license":"1","file_date_updated":"2024-09-16T08:55:23Z","_id":"56140","department":[{"_id":"76"}],"user_id":"32312","status":"public","type":"conference"},{"date_updated":"2024-09-16T08:46:25Z","author":[{"full_name":"Khedkar, Mugdha","id":"88024","last_name":"Khedkar","first_name":"Mugdha"}],"doi":"10.1109/ICSE-Companion58688.2023.00054","has_accepted_license":"1","publication_status":"accepted","citation":{"apa":"Khedkar, M. (n.d.). Static Analysis for Android GDPR Compliance Assurance. <i>2023 IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199</i>. <a href=\"https://doi.org/10.1109/ICSE-Companion58688.2023.00054\">https://doi.org/10.1109/ICSE-Companion58688.2023.00054</a>","mla":"Khedkar, Mugdha. “Static Analysis for Android GDPR Compliance Assurance.” <i>2023 IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199</i>, doi:<a href=\"https://doi.org/10.1109/ICSE-Companion58688.2023.00054\">10.1109/ICSE-Companion58688.2023.00054</a>.","bibtex":"@inproceedings{Khedkar, title={Static Analysis for Android GDPR Compliance Assurance}, DOI={<a href=\"https://doi.org/10.1109/ICSE-Companion58688.2023.00054\">10.1109/ICSE-Companion58688.2023.00054</a>}, booktitle={2023 IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023, pp. 197-199}, author={Khedkar, Mugdha} }","short":"M. Khedkar, in: 2023 IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199, n.d.","ieee":"M. Khedkar, “Static Analysis for Android GDPR Compliance Assurance,” doi: <a href=\"https://doi.org/10.1109/ICSE-Companion58688.2023.00054\">10.1109/ICSE-Companion58688.2023.00054</a>.","chicago":"Khedkar, Mugdha. “Static Analysis for Android GDPR Compliance Assurance.” In <i>2023 IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199</i>, n.d. <a href=\"https://doi.org/10.1109/ICSE-Companion58688.2023.00054\">https://doi.org/10.1109/ICSE-Companion58688.2023.00054</a>.","ama":"Khedkar M. Static Analysis for Android GDPR Compliance Assurance. In: <i>2023 IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023, Pp. 197-199</i>. doi:<a href=\"https://doi.org/10.1109/ICSE-Companion58688.2023.00054\">10.1109/ICSE-Companion58688.2023.00054</a>"},"_id":"44146","department":[{"_id":"76"}],"user_id":"88024","file_date_updated":"2023-04-24T12:15:27Z","type":"conference","status":"public","date_created":"2023-04-24T12:14:17Z","title":"Static Analysis for Android GDPR Compliance Assurance","year":"2023","external_id":{"arxiv":["2303.09606"]},"keyword":["static analysis","data protection and privacy","GDPR compliance"],"ddc":["004"],"language":[{"iso":"eng"}],"publication":"2023 IEEE/ACM 45th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion), Melbourne, Australia, 2023, pp. 197-199","abstract":[{"lang":"eng","text":"Many Android applications collect data from users. When they do, they must\r\nprotect this collected data according to the current legal frameworks. Such\r\ndata protection has become even more important since the European Union rolled\r\nout the General Data Protection Regulation (GDPR). App developers have limited\r\ntool support to reason about data protection throughout their app development\r\nprocess. Although many Android applications state a privacy policy, privacy\r\npolicy compliance checks are currently manual, expensive, and prone to error.\r\nOne of the major challenges in privacy audits is the significant gap between\r\nlegal privacy statements (in English text) and technical measures that Android\r\napps use to protect their user's privacy. In this thesis, we will explore to\r\nwhat extent we can use static analysis to answer important questions regarding\r\ndata protection. Our main goal is to design a tool based approach that aids app\r\ndevelopers and auditors in ensuring data protection in Android applications,\r\nbased on automated static program analysis."}],"file":[{"success":1,"relation":"main_file","content_type":"application/pdf","file_size":85313,"file_name":"2023047614.pdf","file_id":"44147","access_level":"closed","date_updated":"2023-04-24T12:15:27Z","date_created":"2023-04-24T12:15:27Z","creator":"khedkarm"}]}]