Third-party Software Development Kits (SDKs) are widely adopted in Android app development to accelerate development pipelines and enhance app functionality. However, this convenience raises substantial concerns about unauthorized access to users' privacy-sensitive information, which could be further abused for illegitimate purposes such as user tracking or monetization. Our study offers a targeted analysis of user privacy protection among Android third-party SDKs, filling a critical gap in the Android software supply chain. It focuses on two aspects of their privacy practices, namely data exfiltration and behavior-policy compliance (or privacy compliance), using taint analysis and large language models. It covers 158 widely used SDKs from two key SDK release platforms, the official one and a large alternative one. From them, we identified 338 instances of privacy data exfiltration. Regarding privacy compliance, our study reveals that more than 30% of the examined SDKs fail to provide a privacy policy disclosing their data handling practices. Among those that do provide privacy policies, 37% over-collect user data, and 88% falsely claim access to sensitive data. We revisit the latest versions of the SDKs after 12 months. Our analysis demonstrates a persistent lack of improvement in these concerning trends. Based on our findings, we propose three actionable recommendations to mitigate the privacy leakage risks and enhance privacy protection for Android users. Our research not only serves as an urgent call for industry attention but also provides crucial insights for future regulatory interventions.