
A large-scale academic study found that roughly two-thirds of Android apps fail to accurately disclose how they collect sensitive data through logging, exposing a significant transparency gap between privacy policies and real-world behavior.
The research, conducted by a team from the Rochester Institute of Technology, the University of Waterloo, and Ontario Tech University, analyzed 1,000 Android applications and nearly 87 million log entries over an 11-month period from November 2024 to September 2025. The findings reveal widespread inconsistencies between what apps claim in their privacy policies and what they actually record in their runtime logs.
Logs are a core component of modern software, used by developers to debug issues, monitor performance, and analyze user behavior. However, they often contain sensitive information such as IP addresses, device identifiers, location data, and even user credentials.
The researchers examined apps across 42 categories on the Google Play Store, including social media, productivity, health, and entertainment. While 88% of the analyzed apps provided a privacy policy, only 28.5% explicitly mentioned logging practices. Even among those that did, over a quarter of disclosures were vague or overly simplistic, offering little meaningful insight into what data was being collected or why.

More concerning was the gap between stated policies and actual behavior. The team discovered that 60.7% of apps leaked sensitive information through logs, and in 67.6% of cases, the leaked data types were not mentioned in the app’s privacy policy. In total, only 4% of applications demonstrated full alignment between their declared privacy practices and observed logging activity.
Fine-grained location data was the most frequently exposed, with over 37,000 instances, followed by IP addresses and device identifiers. Of device model data disclosures, 97.5% were not documented in privacy policies.
Developers often implement logging for technical reasons without fully considering privacy implications, while privacy policies are drafted using generic templates that may not reflect actual data collection practices. This results in outdated, incomplete, or misleading policies.
Apps with higher download counts and more user reviews were statistically more likely to mention logging in their policies, suggesting that public scrutiny and regulatory pressure may influence transparency.

Privacy policies are intended to serve as the primary mechanism for informing users about data collection, particularly under frameworks such as GDPR and CCPA. When these policies fail to accurately describe logging behavior, users remain unaware of potential privacy risks, and regulators struggle to enforce compliance.
To address these issues, the researchers recommend that developers treat logging data as sensitive by default and explicitly disclose what is collected, why it is collected, and how it is handled. Suggested safeguards include minimizing the collection of sensitive identifiers, applying anonymization techniques, encrypting transmitted logs, and conducting regular audits of logging practices.
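One way to run the kind of logging audit recommended above, as an added example that is not from the study or this article: it scans log lines for three of the data types named here, reports which ones are missing from a list of policy-disclosed types, and redacts matches before the line is stored. The regexes, type names, disclosed set and sample log lines are all constructed assumptions.

```python
import re

# Assumed detectors for three data types the article names; illustrative
# patterns only, not the researchers' classification method.
DETECTORS = {
    "ip_address": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    # Latitude/longitude pair with 4+ decimal places (roughly 10 m or finer).
    "fine_location": re.compile(r"-?\d{1,3}\.\d{4,}\s*,\s*-?\d{1,3}\.\d{4,}"),
    "device_model": re.compile(r"\b(?:model|Build\.MODEL)\s*[=:]\s*\S+", re.I),
}

def scan(lines):
    """Return {data_type: [1-based line numbers]} for every detector that fires."""
    hits = {}
    for n, line in enumerate(lines, 1):
        for dtype, rx in DETECTORS.items():
            if rx.search(line):
                hits.setdefault(dtype, []).append(n)
    return hits

def audit(lines, disclosed):
    """Compare data types observed in logs with those the policy discloses."""
    hits = scan(lines)
    return {
        "observed": hits,
        "undisclosed": sorted(set(hits) - set(disclosed)),
        "aligned": set(hits) <= set(disclosed),
    }

def redact(line):
    """Replace every detected value with a type placeholder."""
    for dtype, rx in DETECTORS.items():
        line = rx.sub(f"<{dtype}>", line)
    return line

# Constructed sample log lines and a hypothetical policy disclosure list.
SAMPLE_LOG = [
    "D/NetClient: connected from 203.0.113.7 in 120 ms",
    "I/Tracker: lastFix=43.47231,-80.54490 acc=5m",
    "D/Init: model=SM-G991B sdk=34",
    "I/Ui: rendered home screen",
]
DISCLOSED = {"ip_address"}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, DISCLOSED))
    print([redact(l) for l in SAMPLE_LOG])
```

Pattern matching of this kind produces false positives (a dotted version string can look like an IP address), so flagged lines need manual review before a policy is updated.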
