Ruhr-Uni-Bochum

Keeping Privacy Labels Honest: Developer conformity to self declared data collection via Apple Privacy Labels

2022

Conference / Journal

Authors

Martin Johns Madita Olvermann Benjamin Altpeter Malte Wessels Simon Koch

Research Hub

Research Hub C: Sichere Systeme

Research Challenges

RC 8: Security with Untrusted Components

Abstract

At the end of 2020, Apple introduced privacy nutritional labels, requiring app developers to state what data is collected by their apps and for what purpose. In this paper, we take an in-depth look at the privacy labels and how they relate to actual transmitted data. First, we give an exploratory statistically evaluation of 11074 distinct apps across 22 categories and their corresponding privacy label or lack thereof. Our dataset shows that only some apps provide privacy labels, and a small number self-declare that they do not collect any data. Additionally, our statistical methods showcase the differences of the privacy labels across application categories.

We then select a subset of 1687 apps across 22 categories from the German App Store to conduct a no-touch traffic collection study. We analyse the traffic against a set of 18 honey-data points and a list of known advertisement and tracking domains. At least 276 of these apps violate their privacy label by transmitting data without declaration, showing that the privacy labels’ correctness was not validated during the app approval process. In addition, we evaluate the apps’ adherence to the GDPR in respect of providing a privacy consent form, through collected screenshots, and identify numerous potential violations of the directive.

Tags

Privacy
Program Analysis