Privacy Settings of Third-Party Libraries in Android Apps: A Study of Facebook SDKs
Authors: David Rodriguez (ETSI Telecomunicación, Universidad Politécnica de Madrid), Joseph A. Calandrino, Jose M. Del Alamo (ETSI Telecomunicación, Universidad Politécnica de Madrid), Norman Sadeh (Carnegie Mellon University)
Volume: 2025
Issue: 2
Pages: 173–187
DOI: https://doi.org/10.56553/popets-2025-0056
Abstract: Previous studies have demonstrated that privacy issues in mobile apps often stem from the integration of third-party libraries (TPLs). To shed light on factors that contribute to these issues, we investigate the privacy-related configuration choices available to and made by Android app developers who incorporate the Facebook Android SDK and Facebook Audience Network SDK in their apps. We compile these Facebook SDKs' privacy-related settings and their defaults. Employing a multi-method approach that integrates static and dynamic analysis, we analyze more than 6,000 popular apps to determine whether the apps incorporate Facebook SDKs and, if so, whether and how developers modify settings. Finally, we assess how these settings align with the privacy practices that developers disclose in the apps’ privacy labels and policies. We observe widespread inconsistencies between practices and disclosures in popular apps. These inconsistencies often stem from privacy settings, including a substantial number of cases in which apps retain default settings over alternatives that offer greater privacy. We observe fewer possible compliance issues in potentially child-directed apps, but issues persist even in these apps. We discuss remediation strategies that SDK and TPL providers could employ to help developers, particularly developers with fewer resources who rely heavily on SDKs. Our recommendations include aligning default privacy settings with data minimization principles and other conservative practices and making privacy-related SDK information both easier to find and harder to miss.
Keywords: Third-party libraries, software development kits, privacy settings, Facebook SDK, Android applications, dynamic analysis, default settings, compliance analysis, privacy labels, privacy policies
Copyright in PoPETs articles is held by their authors. This article is published under a Creative Commons Attribution 4.0 license.
