Which Code Statements Implement Privacy Behaviors in Android Applications?

A "privacy behavior" in software is an action where the software uses personal information for a service or a feature, such as a website using location to provide content relevant to a user. Programmers are required by regulations or application stores to provide privacy notices and labels describing these privacy behaviors. Although many tools and research prototypes have been developed to help programmers generate these notices by analyzing the source code, these approaches are often fairly coarse-grained (i.e., at the level of whole methods or files, rather than at the statement level). But this is not necessarily how privacy behaviors exist in code. Privacy behaviors are embedded in specific statements in code. Current literature does not examine what statements programmers see as most important, how consistent these views are, or how to detect them. In this paper, we conduct an empirical study to examine which statements programmers view as most-related to privacy behaviors. We find that expression statements that make function calls are most associated with privacy behaviors, while the type of privacy label has little effect on the attributes of the selected statements. We then propose an approach to automatically detect these privacy-relevant statements by fine-tuning three large language models with the data from the study. We observe that the agreement between our approach and participants is comparable to or higher than an agreement between two participants. Our study and detection approach can help programmers understand which statements in code affect privacy in mobile applications.