The privacy of personal information has received significant attention in mobile software. Although previous researchers have designed some methods to identify the conflict between app behavior and privacy policies, little is known about investigating regulation requirements for third-party libraries (TPLs). The regulators enacted multiple regulations to regulate the usage of personal information for TPLs (e.g., the "California Consumer Privacy Act" requires businesses clearly notify consumers if they share consumers' data with third parties or not). However, it remains challenging to analyze the legality of TPLs due to three reasons: 1) TPLs are mainly published on public repositoriesinstead of app market (e.g., Google play). The public repositories do not perform privacy compliance analysis for each TPL. 2) TPLs only provide independent functions or function sequences. They cannot run independently, which limits the application of performing dynamic analysis. 3) Since not all the functions of TPLs are related to user privacy, we must locate the functions of TPLs that access/process personal information before performing privacy compliance analysis. To overcome the above challenges, in this paper, we propose an automated system named ATPChecker to analyze whether the Android TPLs meet privacy-related regulations or not. Our findings remind developers to be mindful of TPL usage when developing apps or writing privacy policies to avoid violating regulations.

翻译：个人信息隐私问题在移动软件领域备受关注。尽管已有研究者设计了一些方法来识别应用行为与隐私政策之间的冲突，但针对第三方库（TPLs）的监管要求研究仍较为匮乏。监管机构颁布了多项法规来规范第三方库对个人信息的使用（例如，《加州消费者隐私法案》要求企业明确告知消费者是否与第三方共享其数据）。然而，由于以下三个原因，分析第三方库的合法性仍具有挑战性：1）第三方库主要发布在公共代码仓库而非应用市场（如Google Play），公共代码仓库并未对每个第三方库进行隐私合规性分析；2）第三方库仅提供独立功能或功能序列，无法独立运行，这限制了动态分析方法的适用性；3）由于并非所有第三方库功能都与用户隐私相关，在进行隐私合规性分析前，必须定位其访问/处理个人信息的函数。为克服上述挑战，本文提出名为ATPChecker的自动化系统，用于分析Android第三方库是否符合隐私相关法规。我们的研究结果提醒开发者在开发应用或编写隐私政策时需谨慎使用第三方库，以避免违反法规。