TY - JOUR
T1 - Privacy risk analysis and mitigation of analytics libraries in the android ecosystem
AU - Liu, Xing
AU - Liu, Jiqiang
AU - Zhu, Sencun
AU - Wang, Wei
AU - Zhang, Xiangliang
N1 - Funding Information:
The work reported in this paper was supported in part by the National Key R&D Program of China, under grant 2017YFB0802805, in part by the Natural Science Foundation of China, under Grant U1736114 and 61672092. Zhu’s work was supported in part by the National Science Foundation (NSF) under grants CNS-1618684. This paper is an extension of our previous work, “Alde: Privacy Risk Analysis of Analytics Libraries in the Android Ecosystem” [1], published in SecureComm 2016.
Publisher Copyright:
© 2002-2012 IEEE.
PY - 2020/5/1
Y1 - 2020/5/1
N2 - While much effort has been made to detect and measure the privacy leakage caused by the advertising (ad) libraries integrated in mobile applications, analytics libraries, which are also widely used in mobile apps, have not been systematically studied for their privacy risks. Different from ad libraries, the main function of analytics libraries is to collect users' in-app actions. Hence, by design, analytics libraries are more likely to leak users' private information. In this work, we study what information is collected by the analytics libraries integrated in popular Android apps. We design and implement a framework called 'Alde'. Given an app, Alde employs both static analysis and dynamic analysis to detect the users' in-app actions collected by analytics libraries. We also study what private information can be leaked by the apps that use the same analytics library. Moreover, we analyze apps' privacy policies to see whether app developers have notified the users that their in-app action data is collected by analytics libraries. Finally, we select eight widely used analytics libraries to study and apply our method to 300 popular apps downloaded from both Chinese app markets and Google Play. Our experimental results show that some apps indeed leak users' personal information through analytics libraries even though their genuine purposes of using analytics services are legal. To mitigate such threats, we have developed an app named 'ALManager' that leverages the Xposed framework to manage analytics libraries in other apps.
UR - http://www.scopus.com/inward/record.url?scp=85083307625&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85083307625&partnerID=8YFLogxK
U2 - 10.1109/TMC.2019.2903186
DO - 10.1109/TMC.2019.2903186
M3 - Article
AN - SCOPUS:85083307625
SN - 1536-1233
VL - 19
SP - 1184
EP - 1199
JO - IEEE Transactions on Mobile Computing
JF - IEEE Transactions on Mobile Computing
IS - 5
M1 - 8660581
ER -