Do Privacy Policies Match with the Logs? An Empirical Study of Privacy Disclosure in Android Application Logs

2026-04-20

AI Summary
This study addresses the widespread vagueness or omission in Android app privacy policies regarding logging practices, which obscures users' understanding of actual data collection. Conducting the first large-scale empirical analysis, the authors systematically evaluate the alignment between privacy policies and real-world logging behaviors across 1,000 applications. By integrating automated log collection, natural language processing, and manual annotation, they analyze over 86.8 million log entries alongside their corresponding policy texts. The findings reveal that only 4% of apps exhibit consistency between disclosed policies and observed logging activities, while 67.6% leak sensitive information not disclosed in their policies. These results expose critical deficiencies in current privacy disclosure mechanisms and provide essential evidence to inform regulatory oversight and design improvements.

Abstract
Privacy policies are intended to inform users about how software systems collect and handle data, yet they often remain vague or incomplete. This paper presents an empirical study of patterns in log-related statements within privacy policies and their alignment with privacy disclosures observed in Android application logs. We analyzed 1,000 Android apps across multiple categories, generating 86,836,964 log entries. Our findings reveal that while most applications (88.0%) provide privacy policies, only 28.5% explicitly mention logging practices. Among those that reference logging, most clearly describe what information is logged; however, 27.7% of log-related statements remain overly simplistic or vague, offering limited insight into actual data collection. We further observed widespread privacy leakages in application logs, with 67.6% of apps leaking sensitive information not mentioned in their policies. Alarmingly, only 4% of applications demonstrated consistent alignment between declared policy contents and actual logged data. These findings highlight that current privacy policies provide incomplete or ambiguous descriptions of logging practices, which frequently do not align with actual logging behaviors.
Problem

Research questions and friction points this paper is trying to address.

privacy policies
Android application logs
privacy disclosure
logging practices
privacy leakage
Innovation

Methods, ideas, or system contributions that make the work stand out.

privacy policy
Android logs
empirical study
privacy leakage
logging practices