The privacy of personal information has received significant attention in mobile software. Although previous researchers have designed some methods to identify the conflict between app behavior and privacy policies, little is known about investigating regulation requirements for third-party libraries (TPLs). The regulators enacted multiple regulations to regulate the usage of personal information for TPLs (e.g., the "California Consumer Privacy Act" requires businesses clearly notify consumers if they share consumers' data with third parties or not). However, it remains challenging to analyze the legality of TPLs due to three reasons: 1) TPLs are mainly published on public repositoriesinstead of app market (e.g., Google play). The public repositories do not perform privacy compliance analysis for each TPL. 2) TPLs only provide independent functions or function sequences. They cannot run independently, which limits the application of performing dynamic analysis. 3) Since not all the functions of TPLs are related to user privacy, we must locate the functions of TPLs that access/process personal information before performing privacy compliance analysis. To overcome the above challenges, in this paper, we propose an automated system named ATPChecker to analyze whether the Android TPLs meet privacy-related regulations or not. Our findings remind developers to be mindful of TPL usage when developing apps or writing privacy policies to avoid violating regulations.

翻译：个人信息隐私在移动软件中备受关注。尽管先前研究者已设计出一些方法用于识别应用行为与隐私政策之间的冲突，但针对第三方库（TPLs）监管要求的研究尚不充分。监管机构已颁布多项法规以规范第三方库对个人信息的使用（例如《加州消费者隐私法案》要求企业明确告知消费者是否与第三方共享其数据）。然而，分析第三方库合规性仍面临三大挑战：1）第三方库主要发布在公共代码仓库而非应用市场（如Google Play），公共仓库不会对每个第三方库进行隐私合规分析；2）第三方库仅提供独立功能或功能序列，无法独立运行，限制了动态分析技术的应用；3）由于第三方库的功能并非全部涉及用户隐私，在进行隐私合规分析前，必须定位访问/处理个人信息的第三方库功能。为应对上述挑战，本文提出自动化系统ATPChecker，用于分析Android第三方库是否符合隐私相关法规。我们的研究结果提醒开发者在开发应用或编写隐私政策时需谨慎使用第三方库，以避免违反法规。