Popular privacy regulations such as the General Data Protection Regulation (GDPR) often allow consumers to withdraw from providing data, e.g., the famous right to opt out. Modern computer software, e.g., mobile applications (apps), often provides withdrawal interfaces, which stop data collection (e.g., from third-party ads and analytics libraries) to respect users’ withdrawal decisions. While such interfaces are marked as “withdrawal”, their correlated withdrawal decisions are often inconsistent with the apps’ actual data collection behavior, especially from third parties, which is defined as withdrawal inconsistency in the paper. Prior works have studied either website withdrawal inconsistency or privacy leaks of mobile apps. However, the mobile withdrawal inconsistency problem is different from, and more complex than, that on websites due to the diversity of mobile withdrawal interfaces and the variety of private information. At the same time, none of the existing works detecting privacy leaks of mobile apps understand users’ withdrawal decisions, let alone correlate them with withdrawal behaviors. In this paper, we design and implement a novel approach, called MOWCHECKER, to detect mobile apps’ inconsistencies in third-party data collection. The key insight is that withdrawal choices should have either a control-flow dependency on personal information flow or a data-flow dependency on withdrawal APIs provided by third-party data collection libraries. Our evaluation of MOWCHECKER on real-world Android apps reveals 157 manually confirmed, zero-day withdrawal inconsistencies. We have responsibly reported them to app developers and received 23 responses, with two being fixed.
Keywords
Mobile App Privacy, Withdrawal Inconsistency, Third-Party Data Collection
Institute(s)
Fudan University, Johns Hopkins University
Year
2023
Author(s)
Xiaolin Du, Zhemin Yang, Jiapeng Lin, Yinzhi Cao, Min Yang