arxiv: 2605.25713 · v1 · pith:ISEB3FRInew · submitted 2026-05-25 · 💻 cs.CR

Ecosystem-Driven Privacy Exposure in Mobile Gaming Apps: A Configuration-Aware Empirical Analysis

Pith reviewed 2026-06-29 21:53 UTC · model grok-4.3

classification 💻 cs.CR
keywords privacy exposure · mobile gaming apps · SDK ecosystems · Android permissions · configuration analysis · child-oriented games · static analysis · ecosystem architecture

The pith

Privacy exposure in mobile games stems more from SDK ecosystems and app configurations than from permission requests alone.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper conducts a static analysis of 41 Android gaming apps to assess privacy exposure through permissions, manifest configurations, exported components, and third-party SDKs. It finds that exposure levels align closely with the size, diversity, and type of SDK ecosystems, especially advertising-oriented ones, rather than with the number or sensitivity of permissions requested. Child-oriented games show exposure conditions comparable to general-audience games even when they request fewer sensitive permissions. The work argues that permission-centric views miss the dominant role of ecosystem-level architectural choices in creating privacy risks.

Core claim

A configuration-aware static analysis of 41 widely deployed Android mobile gaming apps shows that privacy exposure is strongly associated with ecosystem-level architectural decisions such as SDK ecosystem complexity and manifest-level configurations rather than permission requests alone. Child-oriented games frequently demonstrate exposure conditions comparable to general-audience apps despite sometimes requesting fewer sensitive permissions, while larger and more diverse SDK ecosystems and advertising-oriented SDKs are significantly associated with elevated privacy exposure levels.

What carries the argument

Configuration-aware static analysis examining permissions, manifest configurations, exported components, and SDK ecosystem complexity, with statistical evaluation via Spearman correlation, Mann-Whitney U, and Chi-square tests.
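
As an added illustration (not code from the paper or from Pith), the sketch below pulls the kinds of manifest-level features this analysis examines out of a decoded AndroidManifest.xml: permissions, application flags, exported components and SDK-declared components. The sample manifest, the permission subset, the SDK prefix-to-category map and the feature names are assumptions made for this example; the paper's own lists and exposure scoring are not given on this page.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
# Assumption: illustrative subsets, not the paper's own permission or SDK lists.
DANGEROUS = {"ACCESS_FINE_LOCATION", "RECORD_AUDIO", "CAMERA", "READ_CONTACTS"}
SDK_PREFIXES = {
    "com.google.android.gms.ads": "advertising",
    "com.applovin": "advertising",
    "com.google.android.gms.measurement": "analytics",
    "com.appsflyer": "attribution",
}

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.kidsgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <application android:usesCleartextTraffic="true">
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name="com.google.android.gms.ads.AdActivity" android:exported="false"/>
    <activity android:name="com.applovin.adview.AppLovinFullscreenActivity"/>
    <receiver android:name="com.appsflyer.SingleInstallBroadcastReceiver" android:exported="true"/>
    <service android:name=".SyncService">
      <intent-filter><action android:name="com.example.kidsgame.SYNC"/></intent-filter>
    </service>
    <provider android:name=".SaveProvider" android:authorities="com.example.kidsgame.saves"
              android:exported="true" android:permission="com.example.kidsgame.READ_SAVES"/>
  </application>
</manifest>"""

def is_exported(comp):
    """Explicit android:exported wins; without it an intent-filter implies
    export (the default for apps targeting below API 31, assumed here)."""
    explicit = comp.get(NS + "exported")
    if explicit is not None:
        return explicit == "true"
    return comp.find("intent-filter") is not None

def is_launcher(comp):
    """The launcher activity has to be exported, so it is not counted."""
    return any(c.get(NS + "name") == "android.intent.category.LAUNCHER"
               for c in comp.iter("category"))

def extract_features(manifest_xml):
    """Return manifest-level exposure features for one app (no score is computed)."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    perms = [p.get(NS + "name", "") for p in root.iter("uses-permission")]
    exported, unguarded, sdks = [], [], {}
    for tag in COMPONENTS:
        for comp in app.iter(tag):
            name = comp.get(NS + "name", "")
            for prefix, category in SDK_PREFIXES.items():
                if name.startswith(prefix):
                    sdks[prefix] = category  # one entry per SDK, not per class
            if is_exported(comp) and not is_launcher(comp):
                exported.append(name)
                if comp.get(NS + "permission") is None:
                    unguarded.append(name)  # no permission gate on callers
    return {
        "dangerous_permissions": sorted(
            p for p in perms if p.removeprefix("android.permission.") in DANGEROUS),
        "ad_id_declared": "com.google.android.gms.permission.AD_ID" in perms,
        "allow_backup": app.get(NS + "allowBackup", "true") == "true",  # default is true
        "cleartext_traffic": app.get(NS + "usesCleartextTraffic") == "true",
        "exported_components": exported,
        "unguarded_exported": unguarded,
        "sdk_count": len(sdks),
        "sdk_categories": sorted(set(sdks.values())),
    }
```

The constructed manifest requests no dangerous permission yet still yields three SDKs, two unguarded exported components and cleartext traffic, which is the gap a permission-only view leaves. SDKs that declare no manifest components are invisible to this check and need code-level package scanning.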

If this is right

  • Permission-centric assessment approaches have limitations for modern mobile software systems.
  • Configuration-aware and ecosystem-aware privacy evaluation methodologies are required.
  • Child-oriented games need privacy scrutiny beyond the count of sensitive permissions requested.
  • Larger and more diverse SDK ecosystems are linked to higher privacy exposure levels.
  • Advertising-oriented SDKs show a strong association with high exposure classifications.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • App developers could lower exposure by selecting smaller or non-advertising SDK sets during design.
  • Mobile app stores might add ecosystem-based privacy indicators alongside permission lists.
  • Regulatory attention limited to permissions may leave gaps in protecting users of children's games.

Load-bearing premise

The 41 apps collected from Google Play and the static analysis method provide a representative and accurate measure of privacy exposure across the mobile gaming ecosystem without needing runtime or dynamic validation.

What would settle it

Running dynamic runtime analysis on the same 41 apps and finding that exposure levels do not correlate with SDK ecosystem size or advertising SDK presence would challenge the central association.

Original abstract

Mobile gaming apps increasingly rely on third-party Software Development Kits (SDKs) for advertising, analytics, attribution, and user engagement, potentially introducing privacy exposure beyond traditional permission-based risks. Existing studies have largely focused on permissions or isolated tracking behaviors, providing only a partial understanding of privacy exposure in modern mobile ecosystems. This study presents a configuration-aware empirical assessment of privacy exposure in Android mobile gaming apps by examining permissions, manifest-level configurations, exported components, and SDK ecosystem complexity across children-oriented and general-audience games. A systematic static analysis was conducted on 41 widely deployed Android mobile gaming apps collected from the Google Play ecosystem. The analysis incorporated SDK categorisation and statistical evaluation using Spearman correlation, Mann-Whitney U, and Chi-square testing. The results revealed that privacy exposure is strongly associated with ecosystem-level architectural decisions rather than permission requests alone. Child-oriented games frequently demonstrated exposure conditions comparable to general-audience apps despite sometimes requesting fewer sensitive permissions. Furthermore, larger and more diverse SDK ecosystems were significantly associated with elevated privacy exposure levels, while advertising-oriented SDKs showed strong association with high exposure classifications. These findings highlight the limitations of permission-centric assessment approaches and emphasize the importance of configuration-aware and ecosystem-aware privacy evaluation methodologies for modern mobile software systems.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper claims that a static analysis of permissions, manifest configurations, exported components, and SDK ecosystems in 41 Android gaming apps shows privacy exposure is strongly associated with ecosystem-level architectural decisions (SDK count, diversity, and advertising SDKs) rather than permission requests alone; child-oriented games exhibit comparable exposure levels to general-audience apps despite sometimes requesting fewer sensitive permissions. Statistical tests (Spearman correlation, Mann-Whitney U, Chi-square) are used to support the associations.

Significance. If the static proxy for exposure can be shown to correspond to actual data flows, the work would usefully highlight limitations of permission-centric privacy assessment and motivate configuration-aware and ecosystem-aware methodologies. The application of multiple non-parametric tests to a mobile-gaming corpus is a modest but concrete contribution to the empirical security literature.

major comments (2)
  1. [Methods] Methods (static analysis description): the central claim equates manifest-level configurations, exported components, and SDK counts with 'privacy exposure' and attributes differences to ecosystem architecture. No dynamic taint tracking, network monitoring, or permission-enforcement checks are described to confirm that the flagged configurations produce actual data flows or third-party leaks; the reported associations could therefore be artifacts of the unvalidated static proxy.
  2. [Results] Results (sample and statistical reporting): the study uses n=41 apps with unspecified selection criteria from Google Play and no sensitivity analysis on exposure-score thresholds. This small, convenience sample undermines the strength of the Spearman/Mann-Whitney/Chi-square associations and the claim that ecosystem decisions dominate permission-based risk.
minor comments (2)
  1. [Abstract] Abstract reports no quantitative results, effect sizes, or p-values, making it impossible for readers to gauge the magnitude of the reported associations.
  2. [Discussion] The paper should explicitly discuss the threat to validity arising from the absence of runtime validation and the reliance on a static exposure proxy.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive comments, which help clarify the scope and limitations of our static analysis. We address each major comment below and note planned revisions.

Point-by-point responses
  1. Referee: [Methods] Methods (static analysis description): the central claim equates manifest-level configurations, exported components, and SDK counts with 'privacy exposure' and attributes differences to ecosystem architecture. No dynamic taint tracking, network monitoring, or permission-enforcement checks are described to confirm that the flagged configurations produce actual data flows or third-party leaks; the reported associations could therefore be artifacts of the unvalidated static proxy.

    Authors: We agree that the analysis relies on static configuration proxies without dynamic validation of actual data flows. This is a methodological limitation, as the study prioritizes scalable examination of ecosystem factors over runtime confirmation. We will revise the Methods and Discussion sections to explicitly acknowledge this and frame the results as associations with potential exposure indicators rather than confirmed leaks. revision: partial

  2. Referee: [Results] Results (sample and statistical reporting): the study uses n=41 apps with unspecified selection criteria from Google Play and no sensitivity analysis on exposure-score thresholds. This small, convenience sample undermines the strength of the Spearman/Mann-Whitney/Chi-square associations and the claim that ecosystem decisions dominate permission-based risk.

    Authors: We acknowledge that selection criteria were described only at a high level. We will add a Methods subsection detailing the Google Play collection process, including popularity-based selection and category balance. We will also add a sensitivity analysis on exposure-score thresholds. The modest n=41 is noted as a constraint, but non-parametric tests were chosen accordingly; claims are limited to observed associations. revision: yes

Circularity Check

0 steps flagged

No circularity: purely empirical static analysis with standard statistical tests

Full rationale

The paper performs static analysis on 41 apps, categorizes SDKs, and applies Spearman correlation, Mann-Whitney U, and Chi-square tests to observed data. No equations, fitted parameters renamed as predictions, self-definitional constructs, or load-bearing self-citations appear in the derivation. The central associations are computed directly from the collected manifest and SDK features; the study is self-contained with no reduction of results to inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

Abstract-only review; no free parameters, invented entities, or explicit axioms beyond standard statistical assumptions are stated.

axioms (1)
  • domain assumption: Static analysis of permissions, manifests, and SDKs accurately captures privacy exposure conditions.
    Core premise of the empirical assessment described in the abstract.

