Exposing Android social applications: linking data leakage to privacy policies.

Social media applications (apps) use sensitive/private data in their nature. Android apps continue to share data with third parties and often transmit data unencrypted, leaking data directly and inadvertently. Internet Service Providers (ISPs) can legally collect and sell this leaked, sensitive user data. End users rely on privacy policies that have largely been absent, continue to lack detailed security methods, and have had inconsistencies with app actions. Overall, we lack a detailed understanding of the state of these privacy and security issues within sensitive settings such as social media apps. We aim to expose these apps, meticulously classifying and comparing unencrypted data transmitted with privacy policy disclosure, leveraging the Platform for Privacy Preferences (P3P) Specification. We develop an analysis framework and isolated testbed environments, leveraging open-source tools to enable accurate data collection through dynamic analysis. We then peer into privacy policy revisions, advertising/analytics libraries, and business relationships held by app companies. We report detailed inconsistencies between app behaviors and privacy disclosure. Most apps in our dataset transmitted the majority of their traffic unencrypted and several leaked personally identifiable information (PII)/sensitive data, while none detailed security methods or data transmission practices. Finalizing our study, we conduct brief follow-up experiments on several apps to note substantial changes in data transmission practices. We conclude that a failure to protect sensitive user data and a tendency for vague privacy policies continue to be prevalent, but over the last few years some apps have increased encryption use, thus beginning to combat some data leakage. [ABSTRACT FROM AUTHOR]