Researchers unveil 31 coding guidelines to fix Android data minimization failures

A new empirical study by Dianshu Liao, Shidong Pan, Zhenchang Xing, and Xiaoyu Sun tackles the gap between privacy regulations and actual Android app code. The team first examined 1,114 open-source Android apps to map out how developers handle user data—identifying ten recurring scenarios where data minimization is routinely ignored across five stages: collection, storage, processing, sharing, and deletion. They then scaled up with a static analysis of 9,875 real-world APKs, distilling the patterns into 31 specific, actionable coding guidelines (e.g., “only request location when activity is visible” or “use one-time permissions for ephemeral data”).

Crucially, the researchers tested whether popular LLMs (like GPT-4 and Claude) reproduce these risky patterns when generating Android code. They found that current models consistently output data-greedy implementations—essentially inheriting and amplifying the worst practices seen in real-world apps. However, when the 31 guidelines were included in the prompt, violations dropped to zero across all models tested. The study advocates for a shift from policy-level privacy audits to code-level root causes, offering a practical toolkit for both human developers and AI-assisted programming environments to embed data minimization by design.