Mobile app developers often include third-party Software Development Kits (SDKs) in their software to externalize services and features, or monetize their apps through advertisements. Unfortunately, these development practices often come at a privacy cost to the end user.
In this paper, we discuss the privacy harm that third-party SDKs can cause to end users due to limitations in today’s mobile permission models and the overall lack of transparency in the ecosystem. We combine static, dynamic and manual analysis of the SDKs embedded in the top 50 applications on the Google Play store to develop a taxonomy of third-party libraries, and we provide insights into their data collection practices and transparency issues. We also discuss ways to tackle current challenges, such as increasing developers’ awareness, or changing the mobile permission model so that it clearly states the purpose of each permission and separates the permissions requested by the app itself from those requested by third-party libraries, as well as mechanisms to ease certification and regulatory enforcement efforts.
About Álvaro Feal
Álvaro Feal received his Bachelor’s in Computer Engineering from Universidade da Coruña and his Master’s in Software and Systems from Universidad Politécnica de Madrid. He is now a PhD student at IMDEA Networks Institute under the supervision of Prof. Narseo Vallina-Rodriguez. He works on analyzing privacy threats in the mobile and web ecosystems using static and dynamic analysis techniques as well as network measurements. He has published in venues such as ConPro, CPDP, IMC, PETS and USENIX Security, receiving a Distinguished Paper Award at the latter.
This event will be conducted in English.