Don’t accept candies from strangers: An analysis of third-party SDKs

Abstract

Mobile app developers often include third-party Software Development Kits (SDKs) in their software to externalize services and features, or monetize their apps through advertisements. Unfortunately, these development practices often come at a privacy cost to the end user. In this paper, we discuss the privacy damage that third-party SDKs can cause to end users due to limitations present in today’s mobile permission models, and the overall lack of transparency in the ecosystem. We combine static, dynamic and manual analysis of the SDKs embedded in the top 50 Google Play store’s applications to develop a taxonomy of hird-party libraries. We also provide insights about their data collection, and transparency issues. We also discuss different ways to tackle current challenges, like increasing developer’s awareness or changing the permission model of mobile phone to clearly state the purpose of permissions and to separate permissions requested by the app itself and third-party libraries, as well as mechanisms to ease certification and regulatory enforcement efforts.