A Comprehensive Study on Third-Party User Tracking in Mobile Applications

Third-party tracking is becoming a prevalent practice in mobile app ecosystems. While providing benefits for app developers, this practice also introduces several privacy issues for end-users. The European General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD) mandate that mobile apps must obtain user consent before sharing users' personal data with third-party trackers. This work presents an empirical study investigating the compliance of 400 popular mobile apps (200 Android apps and their corresponding version for iOS) with the ePD and GDPR requirements on valid consent. Moreover, we determined whether these mobile apps actually enforce the consent given by users on being tracked and which are the more common third-party tracker domains contacted by the apps. The analysis shows that none of the studied apps fully comply with ePD and GDPR requirements on valid consent. The most common violations were associated with the principles of freely-given, specific, and revocable consent. Moreover, we found that almost half of the analyzed apps contact third-party tracker domains even when the user has not given their consent to be tracked.