conference paper Mugdha Khedkar author 88024 Ambuj Kumar Mondal author Eric Bodden author 592560000-0003-3470-3647 76 department 39th IEEE/ACM International Conference on Automated Software Engineering (ASE 2024) Many Android applications collect data from users. The European Union's General Data Protection Regulation (GDPR) requires vendors to faithfully disclose which data their apps collect. This task is complicated because many apps use third-party code for which the same information is not readily available. Hence we ask: how accurately do current Android apps fulfill these requirements? In this work, we first expose a multi-layered definition of privacy-related data to correctly report data collection in Android apps. We further create a dataset of privacy-sensitive data classes that may be used as input by an Android app. This dataset takes into account data collected both through the user interface and system APIs. We manually examine the data safety sections of 70 Android apps to observe how data collection is reported, identifying instances of over- and under-reporting. Additionally, we develop a prototype to statically extract and label privacy-related data collected via app source code, user interfaces, and permissions. Comparing the prototype's results with the data safety sections of 20 apps reveals reporting discrepancies. Using the results from two Messaging and Social Media apps (Signal and Instagram), we discuss how app developers under-report and over-report data collection, respectively, and identify inaccurately reported data categories. Our results show that app developers struggle to accurately report data collection, either due to Google's abstract definition of collected data or insufficient existing tool support. https://ris.uni-paderborn.de/download/56137/56138/2409.04167v1.pdf application/pdf 2024Sacramento, California eng 2409.0416710.1145/3691621.3694949 Khedkar, Mugdha, et al. “Do Android App Developers Accurately Report Collection of Privacy-Related Data?” <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>, 2024, doi:<a href="https://doi.org/10.1145/3691621.3694949">10.1145/3691621.3694949</a>. M. Khedkar, A.K. Mondal, E. Bodden, in: In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24), 2024. @inproceedings{Khedkar_Mondal_Bodden_2024, title={Do Android App Developers Accurately Report Collection of Privacy-Related Data?}, DOI={<a href="https://doi.org/10.1145/3691621.3694949">10.1145/3691621.3694949</a>}, booktitle={In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)}, author={Khedkar, Mugdha and Mondal, Ambuj Kumar and Bodden, Eric}, year={2024} } Khedkar, M., Mondal, A. K., &#38; Bodden, E. (2024). Do Android App Developers Accurately Report Collection of Privacy-Related Data? <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>. 39th IEEE/ACM International Conference on Automated Software Engineering (ASE 2024), Sacramento, California. <a href="https://doi.org/10.1145/3691621.3694949">https://doi.org/10.1145/3691621.3694949</a> M. Khedkar, A. K. Mondal, and E. Bodden, “Do Android App Developers Accurately Report Collection of Privacy-Related Data?,” presented at the 39th IEEE/ACM International Conference on Automated Software Engineering (ASE 2024), Sacramento, California, 2024, doi: <a href="https://doi.org/10.1145/3691621.3694949">10.1145/3691621.3694949</a>. Khedkar, Mugdha, Ambuj Kumar Mondal, and Eric Bodden. “Do Android App Developers Accurately Report Collection of Privacy-Related Data?” In <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>, 2024. <a href="https://doi.org/10.1145/3691621.3694949">https://doi.org/10.1145/3691621.3694949</a>. Khedkar M, Mondal AK, Bodden E. Do Android App Developers Accurately Report Collection of Privacy-Related Data? In: <i>In Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops (ASEW ’24)</i>. ; 2024. doi:<a href="https://doi.org/10.1145/3691621.3694949">10.1145/3691621.3694949</a> 561372024-09-16T08:50:54Z2024-11-18T13:19:51Z