Zimmeck presented the study at the Network & Distributed System Security Symposium in San Diego, California. The study was conducted along with SCS Prof. Norman Sadeh and several other researchers working in Sadeh’s research group.
To ensure accuracy, the team did a manual analysis of 40 pairs of apps and their policies, and found that the automatic process performed found very similar discrepancies. The authors note that since the automatic analysis depends on the particular jurisdiction under which it is conducted, interpretation could vary.
Zimmeck said he was “surprised” by the number discrepancies between apps’ privacy policies and their actual behavior.
“In general, these discrepancies do not appear to be intentional or malicious,” said Zimmeck.
Sadeh, who also directs the Mobile Commerce Lab at Carnegie Mellon and teaches Mobile and IoT has supervised several hundred teams of app developers over the years.
“The discrepancies reflect a lack of sophistication among developers when it comes to understanding legal requirements associated with privacy policies,” Sadeh said. “To many developers, Android looks like a monolithic framework. They do not realize that when they use third party libraries such as Google Maps, they are actually sharing sensitive data with third parties.”
Sadeh further argues that the App Store model empowers a large number of people to develop apps, but lacks tools to help developers, especially when it comes to helping them comply with privacy requirements.
“The onus should be on the Android and iOS platforms to make such tools available to developers,” Sadeh said.