Publication
CCS 2024
Workshop paper
Enhancing Transparency and Accountability of TPLs with PBOM: A Privacy Bill of Materials
Abstract
Third-party libraries (TPLs) are extensively integrated into mobile apps for functionalities such as analytics, advertising, app monetization, and single-sign-on. While these libraries enhance app capabilities, they also introduce privacy risks and compliance issues. Existing privacy disclosures for TPLs, including privacy policies, privacy label guidelines, and privacy manifests, often lack uniformity, fine granularity, and timeliness, and fail to comprehensively disclose TPL data practices. We propose the Privacy Bill of Materials (PBOM), inspired by the Software Bill of Materials (SBOM), to enhance transparency, traceability, and accountability of TPLs. Our contributions include designing PBOM specifications, creating an automated PBOM generation pipeline, and conducting case studies to demonstrate PBOM’s effectiveness in improving TPL transparency and accountability.