
Assessing Privacy Disclosure Compliance of Android Third-Party SDKs

  • Mark Huasong Meng
  • Chuan Yan
  • Qing Zhang
  • Zeyu Wang
  • Kailong Wang
  • Sin G. Teo
  • Guangdong Bai
  • Jin Song Dong

Research output: Journal Publications and Reviews › RGC 21 - Publication in refereed journal › peer-review

Abstract

Third-party Software Development Kits (SDKs) are widely adopted in Android app development, to accelerate development pipelines and enhance app functionality effortlessly. However, this convenience raises substantial concerns about unauthorized access to users’ privacy-sensitive information, which could be further abused for illegitimate purposes like user tracking or monetization. Our study offers a targeted analysis of user privacy protection among Android third-party SDKs, filling a critical gap in the Android software supply chain. It focuses on two aspects of their privacy practices, including data exfiltration and behavior-policy compliance (or privacy disclosure compliance), utilizing taint analysis and large language models. It covers 158 widely used SDKs collected from two major distribution channels: the official platform and a leading third-party alternative. From these SDKs, we identified 338 instances of personal data exfiltration. On privacy disclosure compliance, our study reveals that more than 30% of the examined SDKs fail to provide a privacy policy to disclose their data handling practices. Among those that provide privacy policies, 37% of them over-collect user data, and 88% falsely claim access to sensitive data. We revisit the latest versions of the SDKs after 12 months. Our analysis demonstrates a persistent lack of improvement in these concerning trends. Based on our findings, we propose three actionable recommendations to mitigate the privacy leakage risks and enhance privacy protection for Android users. Our research not only serves as an urgent call for industry attention but also provides crucial insights for future regulatory interventions. © 2026 IEEE.
Original language: English
Journal: IEEE Transactions on Software Engineering
DOI: 10.1109/TSE.2026.3676979
Publication status: Online published - 25 Mar 2026

Bibliographical note

Full text of this publication does not contain sufficient affiliation information. With consent from the author(s) concerned, the Research Unit(s) information for this record is based on the existing academic department affiliation of the author(s).

Research Keywords

  • mobile
  • privacy assessment
  • taint analysis

Publisher's Copyright Statement

  • COPYRIGHT TERMS OF DEPOSITED POSTPRINT FILE: © 2026 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. Meng, M. H., Yan, C., Zhang, Q., Wang, Z., Wang, K., Teo, S. G., Bai, G., & Dong, J. S. (2026). Assessing Privacy Disclosure Compliance of Android Third-Party SDKs. IEEE Transactions on Software Engineering. Advance online publication. https://doi.org/10.1109/TSE.2026.3676979
