research-article

Comparing Privacy Labels of Applications in Android and iOS

Authors:

Rishabh Khandelwal,

Kassem FawazAuthors Info & Claims

WPES '23: Proceedings of the 22nd Workshop on Privacy in the Electronic Society

Pages 61 - 73

https://doi.org/10.1145/3603216.3624967

Published: 26 November 2023 Publication History

Abstract

The increasing concern for privacy protection in mobile apps has prompted the development of tools such as privacy labels to assist users in understanding the privacy practices of applications. Both Google and Apple have mandated developers to use privacy labels to increase transparency in data collection and sharing practices. These privacy labels provide detailed information about apps' data practices, including the types of data collected and the purposes associated with each data type. This offers a unique opportunity to understand apps' data practices at scale. In this study, we conduct a large-scale measurement study of privacy labels using apps from the Android Play Store (n=2.4M) and the Apple App Store (n=1.38M). We establish a common mapping between iOS and Android labels, enabling a direct comparison of disclosed practices and data types between the two platforms. By studying over 100K apps, we identify discrepancies and inconsistencies in self-reported privacy practices across platforms. Our findings reveal that at least 60% of all apps have different practices on the two platforms. Additionally, we explore factors contributing to these discrepancies and provide valuable insights for developers, users, and policymakers. Our analysis suggests that while privacy labels have the potential to provide useful information concisely, in their current state, it is not clear whether the information provided is accurate. Without robust consistency checks by the distribution platforms, privacy labels may not be as effective and can even create a false sense of security for users. Our study highlights the need for further research and improved mechanisms to ensure the accuracy and consistency of privacy labels.

References

[1]

2022. JoMingyu/google-play-scraper: Google play scraper for Python. https: //github.com/JoMingyu/google-play-scraper

[2]

Mir Masood Ali, David G Balash, Chris Kanich, and Adam J Aviv. 2023. Honesty is the Best Policy: On the Accuracy of Apple Privacy Labels Compared to Apps' Privacy Policies. arXiv preprint arXiv:2306.17063 (2023).

[3]

Kevin Allix, Tegawendé F. Bissyandé, Jacques Klein, and Yves Le Traon. 2016. AndroZoo: Collecting Millions of Android Apps for the Research Community. In Proceedings of the 13th International Conference on Mining Software Repositories (Austin, Texas) (MSR '16). ACM, New York, NY, USA, 468--471. https://doi.org/ 10.1145/2901739.2903508

Digital Library

[4]

Understand app privacy & security practices with Google Play's Data safety section Computer Google Play Help. 2022. (2022). https://support.google. com/googleplay/answer/11416267?hl=en&visit_id=638094609270086018- 2285502702&p=data-safety&rd=1#zippy=%2Csecurity-practices

[5]

David G Balash, Mir Masood Ali, Xiaoyuan Wu, Chris Kanich, and Adam J Aviv. 2022. Longitudinal Analysis of Privacy Labels in the Apple App Store. arXiv preprint arXiv:2206.02658 (2022).

[6]

Rebecca Balebako, Abigail Marsh, Jialiu Lin, Jason I Hong, and Lorrie Faith Cranor. 2014. The privacy and security behaviors of smartphone app developers. (2014).

[7]

Rebecca Balebako, Florian Schaub, Idris Adjerid, Alessandro Acquisti, and Lorrie Cranor. 2015. The impact of timing on the salience of smartphone app privacy notices. In Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices. 63--74.

Digital Library

[8]

Theodore Book, Adam Pridgen, and Dan S Wallach. 2013. Longitudinal analysis of android ad library permissions. arXiv preprint arXiv:1303.0857 (2013).

[9]

Fred H Cate. 2010. The limits of notice and choice. IEEE Security & Privacy 8, 2 (2010), 59--62.

Digital Library

[10]

Lorrie Faith Cranor. 2012. Necessary but not sucient: Standardized mechanisms for privacy notice and choice. J. on Telecomm. & High Tech. L. 10 (2012), 273.

[11]

Lorrie Faith Cranor. 2022. Mobile-app privacy nutrition labels missing key ingredients for success. Commun. ACM 65, 11 (2022), 26--28.

Digital Library

[12]

Pardis Emami-Naeini, Yuvraj Agarwal, Lorrie Faith Cranor, and Hanan Hibshi. 2020. Ask the experts: What should be on an IoT privacy and security label?. In 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 447--464.

[13]

Pardis Emami-Naeini, Janarth Dheenadhayalan, Yuvraj Agarwal, and Lorrie Faith Cranor. 2021. Which privacy and security attributes most impact consumers' risk perception and willingness to purchase IoT devices?. In 2021 IEEE Symposium on Security and Privacy (SP). IEEE, 519--536.

[14]

Grace Fox, Colin Tonge, Theo Lynn, and John Mooney. 2018. Communicating compliance: developing a GDPR privacy label. (2018).

[15]

Jack Gardner, Yuanyuan Feng, Kayla Reiman, Zhi Lin, Akshath Jain, and Norman Sadeh. 2022. Helping mobile application developers create accurate privacy labels. In 2022 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW). IEEE, 212--230.

[16]

Joshua Gluck, Florian Schaub, Amy Friedman, Hana Habib, Norman Sadeh, Lorrie Faith Cranor, and Yuvraj Agarwal. 2016. How short is too short? implications of length and framing on the eectiveness of privacy notices. In Twelfth symposium on usable privacy and security (SOUPS 2016). 321--340.

[17]

Ashish Hooda, Matthew Wallace, Kushal Jhunjhunwalla, Earlence Fernandes, and Kassem Fawaz. 2022. SkillFence: A Systems Approach to Practically Mitigating Voice-Based Confusion Attacks. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 6, 1 (2022), 1--26.

Digital Library

[18]

Patrick Gage Kelley, Joanna Bresee, Lorrie Faith Cranor, and Robert W. Reeder. 2009. A "Nutrition Label" for Privacy. In Proceedings of the 5th Symposium on Usable Privacy and Security (Mountain View, California, USA) (SOUPS '09). Association for Computing Machinery, New York, NY, USA, Article 4, 12 pages. https://doi.org/10.1145/1572532.1572538

Digital Library

[19]

Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor. 2010. Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Atlanta, Georgia, USA) (CHI '10). Association for Computing Machinery, New York, NY, USA, 1573--1582. https://doi.org/10.1145/1753326.1753561

Digital Library

[20]

Patrick Gage Kelley, Lorrie Faith Cranor, and Norman Sadeh. 2013. Privacy as part of the app decision-making process. In Proceedings of the SIGCHI conference on human factors in computing systems. 3393--3402.

Digital Library

[21]

Patrick Gage Kelley, Lorrie Faith Cranor, and Norman Sadeh. 2013. Privacy as Part of the App Decision-Making Process. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Paris, France) (CHI '13). Association for Computing Machinery, New York, NY, USA, 3393--3402. https://doi.org/10.1145/ 2470654.2466466

Digital Library

[22]

Rishabh Khandelwal, Asmit Nayak, Paul Chung, and Kassem Fawaz. 2023. Unpacking Privacy Labels: A Measurement and Developer Perspective on Google's Data Safety Section. arXiv preprint arXiv:2306.08111 (2023).

[23]

Konrad Kollnig, Anastasia Shuba, Reuben Binns, Max Van Kleek, and Nigel Shadbolt. 2021. Are iPhones Really Better for Privacy? Comparative Study of iOS and Android Apps. arXiv preprint arXiv:2109.13722 (2021).

[24]

Konrad Kollnig, Anastasia Shuba, Max Van Kleek, Reuben Binns, and Nigel Shadbolt. 2022. Goodbye tracking? Impact of iOS app tracking transparency and privacy labels. arXiv preprint arXiv:2204.03556 (2022).

[25]

Tianshi Li, Kayla Reiman, Yuvraj Agarwal, Lorrie Faith Cranor, and Jason I Hong. 2022. Understanding Challenges for Developers to Create Accurate Privacy Nutrition Labels. In CHI Conference on Human Factors in Computing Systems. 1--24.

Digital Library

[26]

Jialiu Lin. 2013. Understanding and capturing people's mobile app privacy preferences. Ph. D. Dissertation. Carnegie Mellon University.

[27]

Thomas Linden, Rishabh Khandelwal, Hamza Harkous, and Kassem Fawaz. 2018. The privacy policy landscape after the GDPR. arXiv preprint arXiv:1809.08396 (2018).

[28]

Aleecia M McDonald, Robert W Reeder, Patrick Gage Kelley, and Lorrie Faith Cranor. 2009. A comparative study of online privacy policies and formats. In International Symposium on Privacy Enhancing Technologies Symposium. Springer, 37--55.

Digital Library

[29]

Florian Schaub, Rebecca Balebako, Adam L Durity, and Lorrie Faith Cranor. 2015. A design space for effective privacy notices. In Eleventh symposium on usable privacy and security (SOUPS 2015). 1--17.

Digital Library

[30]

Gian Luca Scoccia, Marco Autili, Giovanni Stilo, and Paola Inverardi. 2022. An empirical study of privacy labels on the Apple iOS mobile app store. (2022).

[31]

Haoyu Wang, Yao Guo, Ziang Ma, and Xiangqun Chen. 2015. Wukong: A scalable and accurate two-phase approach to android app clone detection. In Proceedings of the 2015 International Symposium on Software Testing and Analysis. 71--82.

Digital Library

[32]

Yue Xiao, Zhengyi Li, Yue Qin, Jiale Guan, Xiaolong Bai, Xiaojing Liao, and Luyi Xing. 2022. Lalaine: Measuring and Characterizing Non-Compliance of Apple Privacy Labels at Scale. arXiv preprint arXiv:2206.06274 (2022).

[33]

Shikun Zhang, Yuanyuan Feng, Yaxing Yao, Lorrie Faith Cranor, and Norman Sadeh. 2022. How Usable Are iOS App Privacy Labels? UMBC Faculty Collection (2022).

Cited By

Zhang SKlucinec LNorton KSadeh NCranor LKelley PKapadia A(2024)Exploring expandable-grid designs to make iOS app privacy labels more usableProceedings of the Twentieth USENIX Conference on Usable Privacy and Security10.5555/3696899.3696907(139-157)Online publication date: 12-Aug-2024
https://dl.acm.org/doi/10.5555/3696899.3696907

Index Terms

Comparing Privacy Labels of Applications in Android and iOS
1. Human-centered computing
  1. Human computer interaction (HCI)
    1. HCI design and evaluation methods
2. Security and privacy
  1. Human and societal aspects of security and privacy
    1. Usability in security and privacy

Recommendations

Understanding iOS Privacy Nutrition Labels: An Exploratory Large-Scale Analysis of App Store Data
CHI EA '22: Extended Abstracts of the 2022 CHI Conference on Human Factors in Computing Systems

Since December 2020, the Apple App Store has required all developers to create a privacy label when submitting new apps or app updates. However, there has not been a comprehensive study on how developers responded to this requirement. We present the ...
Cross-Compiling Android Applications to iOS and Windows Phone 7

Android is currently leading the smartphone segment in terms of market share since its introduction in 2007. Android applications are written in Java using an API designed for mobile apps. Other smartphone platforms, such as Apple's iOS or Microsoft's ...
A Measurement-based Study on Application Popularity in Android and iOS App Stores
Mobidata '15: Proceedings of the 2015 Workshop on Mobile Big Data

Mobile application stores (appstores) are emerging digital distribution platforms with explosive growth. Although there have been some observations on the mobile application (app) popularity in Android appstores, there is no report on the app popularity ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

WPES '23: Proceedings of the 22nd Workshop on Privacy in the Electronic Society

November 2023

186 pages

ISBN:9798400702358

DOI:10.1145/3603216

Program Chairs:
Bart Knijnenburg
Clemson University, USA
,
Panos Papadimitratos
KTH Royal Institute of Technology, Sweden

Copyright © 2023 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 26 November 2023

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

NSF

Conference

CCS '23

Sponsor:

SIGSAC

CCS '23: ACM SIGSAC Conference on Computer and Communications Security

November 26, 2023

Copenhagen, Denmark

Acceptance Rates

Overall Acceptance Rate 106 of 355 submissions, 30%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

1
Total Citations
View Citations
198
Total Downloads

Downloads (Last 12 months)147
Downloads (Last 6 weeks)16

Reflects downloads up to 15 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Zhang SKlucinec LNorton KSadeh NCranor LKelley PKapadia A(2024)Exploring expandable-grid designs to make iOS app privacy labels more usableProceedings of the Twentieth USENIX Conference on Usable Privacy and Security10.5555/3696899.3696907(139-157)Online publication date: 12-Aug-2024
https://dl.acm.org/doi/10.5555/3696899.3696907

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents