Search papers, labs, and topics across Lattice.
This paper analyzes 1,000 Android apps and their privacy policies against 86 million log entries to assess the alignment between stated logging practices and actual data disclosures. The study reveals that only 28.5% of apps explicitly mention logging in their privacy policies, and even among those, 27.7% provide vague or simplistic descriptions. A significant 67.6% of apps leak sensitive information in logs that are not disclosed in their privacy policies, indicating a severe misalignment between policy and practice.
Your Android app's privacy policy is likely a lie: 68% of apps leak sensitive data in logs that aren't disclosed in their policies.
Privacy policies are intended to inform users about how software systems collect and handle data, yet they often remain vague or incomplete. This paper presents an empirical study of patterns in log-related statements within privacy policies and their alignment with privacy disclosures observed in Android application logs. We analyzed 1,000 Android apps across multiple categories, generating 86,836,964 log entries. Our findings reveal that while most applications (88.0%) provide privacy policies, only 28.5% explicitly mention logging practices. Among those that reference logging, most clearly describe what information is logged; however, 27.7% of log-related statements remain overly simplistic or vague, offering limited insight into actual data collection. We further observed widespread privacy leakages in application logs, with 67.6% of apps leaking sensitive information not mentioned in their policies. Alarmingly, only 4% of applications demonstrated consistent alignment between declared policy contents and actual logged data. These findings highlight that current privacy policies provide incomplete or ambiguous descriptions of logging practices, which frequently do not align with actual logging behaviors.
