IoTPrivComp: Privacy Compliance in IoT Apps
Alex Bardas
Tamzidul Hoque
Fengjun Li
Michael Zhuo Wang
The growth of IoT apps raises growing concerns about sensitive data leaks. While privacy policies are required to describe how IoT apps use private user data (i.e., their data practices), problems such as missing, inaccurate, and inconsistent policies have been repeatedly reported. It is therefore important to assess the actual data practices of IoT apps and identify gaps between the actual data usage and the usage declared in the apps' privacy policies. In this work, we propose a framework called IoTPrivComp, which applies automated analysis of both the privacy policy and the app code of each IoT app to study the compliance gaps between IoT app practices and app privacy policies. We collected 1,737 IoT apps from the Play Store and found that only 1,323 of them have an English privacy policy available. We used IoTPrivComp to examine 411 apps that contain sensitive external data flows and found compliance gaps in 312 (75.9%) of them. In addition, some apps have no privacy policy at all, and a significant number of apps have undisclosed, inaccurately disclosed, or contradictorily disclosed data leaks. Out of the 43 data flows that involve health and wellness data, 34 (79.1%) were inconsistent with the practices disclosed in the app privacy policies.
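The abstract describes comparing data flows recovered from app code against data-practice statements extracted from the privacy policy, and naming the resulting gaps undisclosed, inaccurately disclosed, or contradictorily disclosed. The following added example is not IoTPrivComp's code; it is a small, self-contained checker that illustrates that comparison step in Python. The DataFlow and PolicyStatement schemas, the HEALTH_DATA set, the sample flows and policy statements, and the exact rules mapping a flow to a gap category are all assumptions made for the illustration, not the paper's definitions.

```python
"""Added illustration of a policy-versus-code compliance check.
Not IoTPrivComp's code: schemas, sample data and gap rules are assumed."""
from collections import Counter
from dataclasses import dataclass
from enum import Enum


class Gap(Enum):
    CONSISTENT = "consistent"                   # policy permits this flow
    UNDISCLOSED = "undisclosed"                 # policy says nothing about the data type
    INACCURATE = "inaccurately disclosed"       # policy mentions the data type but not this recipient,
                                                # or explicitly denies it
    CONTRADICTORY = "contradictorily disclosed" # policy both permits and denies this flow


@dataclass(frozen=True)
class DataFlow:
    """One sensitive external data flow recovered from app code (hypothetical schema)."""
    data_type: str
    recipient: str   # "first_party" or "third_party"
    sink: str        # destination label, kept for reporting only


@dataclass(frozen=True)
class PolicyStatement:
    """One data-practice statement extracted from a privacy policy (hypothetical schema)."""
    data_type: str
    recipient: str
    collects: bool   # True: "we collect/share"; False: "we do not collect/share"


# Assumed set of data types treated as health and wellness data.
HEALTH_DATA = {"heart_rate", "step_count", "sleep", "blood_pressure"}

# Constructed sample input: flows a static analysis might report for a fitness app.
FLOWS = [
    DataFlow("heart_rate", "third_party", "analytics-sdk.example"),
    DataFlow("location", "third_party", "ads.example"),
    DataFlow("email", "first_party", "api.vendor.example"),
    DataFlow("step_count", "third_party", "analytics-sdk.example"),
]

# Constructed sample input: statements extracted from the same app's policy.
POLICY = [
    PolicyStatement("email", "first_party", True),        # "we collect your e-mail address"
    PolicyStatement("location", "first_party", True),     # "we use your location to ..."
    PolicyStatement("location", "third_party", False),    # "we never share location with third parties"
    PolicyStatement("heart_rate", "third_party", True),   # "heart rate data may be shared with partners"
    PolicyStatement("heart_rate", "third_party", False),  # "we do not share health data with anyone"
]


def classify(flow, statements):
    """Assumed gap rules: match the flow's data type and recipient against the policy."""
    relevant = [s for s in statements if s.data_type == flow.data_type]
    if not relevant:
        return Gap.UNDISCLOSED
    permits = any(s.collects and s.recipient == flow.recipient for s in relevant)
    denies = any(not s.collects and s.recipient == flow.recipient for s in relevant)
    if permits and denies:
        return Gap.CONTRADICTORY
    if permits:
        return Gap.CONSISTENT
    return Gap.INACCURATE


def audit(flows, statements):
    """Classify every flow; returns {DataFlow: Gap}."""
    return {flow: classify(flow, statements) for flow in flows}


def summarize(results):
    """Aggregate counts, including the health-data subset the abstract reports separately."""
    counts = Counter(gap.value for gap in results.values())
    health = {f: g for f, g in results.items() if f.data_type in HEALTH_DATA}
    return {
        "total_flows": len(results),
        "gap_flows": len(results) - counts.get(Gap.CONSISTENT.value, 0),
        "by_gap": dict(counts),
        "health_flows": len(health),
        "health_inconsistent": sum(1 for g in health.values() if g is not Gap.CONSISTENT),
    }


if __name__ == "__main__":
    results = audit(FLOWS, POLICY)
    for flow, gap in results.items():
        print(f"{flow.data_type:<12} -> {flow.recipient:<12} ({flow.sink}): {gap.value}")
    print(summarize(results))
```

On the constructed input, the heart-rate flow is contradictorily disclosed (the policy both permits and denies sharing it), the location flow is inaccurately disclosed (the policy explicitly denies third-party sharing that the code performs), the step-count flow is undisclosed, and only the e-mail flow is consistent. A real pipeline replaces the two sample lists with the output of a policy NLP stage and a static taint analysis; the comparison logic stays the same.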