IMDEA Networks Institute Publications Repository

Don’t accept candies from strangers: An analysis of third-party SDKs

Feal, Álvaro and Gamba, Julien and Vallina-Rodriguez, Narseo and Wijesekera, Primal and Reardon, Joel and Egelman, Serge and Tapiador, Juan (2020) Don’t accept candies from strangers: An analysis of third-party SDKs. In: Computers, Privacy and Data Protection Conference (CPDP), 22-24 Jan, Brussels. (Accepted for publication)

Full text not available from this repository.


Mobile app developers often include third-party Software Development Kits (SDKs) in their software to externalize services and features, or to monetize their apps through advertisements. Unfortunately, these development practices often come at a privacy cost to the end user. In this paper, we discuss the privacy damage that third-party SDKs can cause to end users due to limitations present in today’s mobile permission models and the overall lack of transparency in the ecosystem. We combine static, dynamic and manual analysis of the SDKs embedded in the top 50 applications in the Google Play store to develop a taxonomy of third-party libraries. We also provide insights into their data collection and transparency issues. Finally, we discuss different ways to tackle current challenges, such as increasing developers’ awareness or changing the permission model of mobile phones to clearly state the purpose of permissions and to separate permissions requested by the app itself from those requested by third-party libraries, as well as mechanisms to ease certification and regulatory enforcement efforts.

Item Type: Conference or Workshop Papers (Paper)
Depositing User: Álvaro Feal
Date Deposited: 17 Jan 2020 09:26
Last Modified: 17 Jan 2020 09:26
