The privacy of personal information has received significant attention in mobile software. Although previous researchers have designed some methods to identify the conflict between app behavior and privacy policies, little is known about investigating regulation requirements for third-party libraries (TPLs). The regulators enacted multiple regulations to regulate the usage of personal information for TPLs (e.g., the "California Consumer Privacy Act" requires businesses clearly notify consumers if they share consumers' data with third parties or not). However, it remains challenging to analyze the legality of TPLs due to three reasons: 1) TPLs are mainly published on public repositoriesinstead of app market (e.g., Google play). The public repositories do not perform privacy compliance analysis for each TPL. 2) TPLs only provide independent functions or function sequences. They cannot run independently, which limits the application of performing dynamic analysis. 3) Since not all the functions of TPLs are related to user privacy, we must locate the functions of TPLs that access/process personal information before performing privacy compliance analysis. To overcome the above challenges, in this paper, we propose an automated system named ATPChecker to analyze whether the Android TPLs meet privacy-related regulations or not. Our findings remind developers to be mindful of TPL usage when developing apps or writing privacy policies to avoid violating regulations.

翻译：个人信息隐私在移动软件中受到广泛关注。尽管先前的研究人员设计了一些方法来识别应用行为与隐私政策之间的冲突，但对于第三方库的监管要求知之甚少。监管机构制定了多项法规来规范第三方库对个人信息的使用（例如，《加州消费者隐私法案》要求企业明确告知消费者其是否与第三方共享消费者数据）。然而，分析第三方库的合法性仍面临挑战，原因有三：1）第三方库主要发布在公共仓库而非应用市场（如Google Play）。公共仓库不会对每个第三方库进行隐私合规性分析。2）第三方库仅提供独立功能或功能序列，无法独立运行，这限制了动态分析的应用。3）由于并非所有第三方库功能都与用户隐私相关，在执行隐私合规性分析之前，必须定位第三方库中访问/处理个人信息的函数。为克服上述挑战，本文提出一个名为ATPChecker的自动化系统，用于分析Android第三方库是否符合隐私相关法规。我们的研究结果提醒开发人员在开发应用或编写隐私政策时注意第三方库的使用，以避免违反法规。