The Impact of Default Mobile SDK Usage on Privacy and Data Protection
Authors: Simon Koch (TU Braunschweig), Manuel Karl (TU Braunschweig), Robin Kirchner (TU Braunschweig), Malte Wessels (TU Braunschweig), Anne Paschke (TU Braunschweig), Martin Johns (TU Braunschweig)
Volume: 2025
Issue: 1
Pages: 808–823
DOI: https://doi.org/10.56553/popets-2025-0042
Abstract: Are mobile app developers actively enabling data collection by advertisement and analytics companies, or are they unaware of the implications of using the provided software development kits (SDKs)? Given that the current mobile app ecosystem inadvertently involves collecting user data, which often infringes upon data protection and privacy standards, the question of the underlying reason for the permissibility of data processing arises. We contribute to this research for both Android and iOS by performing a two-step qualitative analysis. First, we conduct a structured documentation review of five advertisement and five analytics SDKs, focusing on privacy-related information. Subsequently, we implement a set of example apps utilizing the basic functionality of each SDK. This custom utilization of the SDK allows us to perform a fine-grained traffic analysis of each required step from initialization until utilization. Our results show that little guidance on data protection compliance is provided. The observed network traffic shows that overall data collection by SDKs is similar between operating systems and requires only basic usage by the developer to trigger. We discover that with current SDKs, developers have minimal influence over the collected data, as merely using the basic functionality already results in data collection, with advertisement SDKs collecting more data than analytics SDKs. Overall, we explain the observed data protection infringement in ongoing mobile privacy research by documenting how developers must bear with opaque SDKs that lead to data collection simply due to usage.
Keywords: Mobile Privacy, Android, iOS, SDK
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.