This makes the following claim seem inaccurate:
> Our system is accurate, identifying 98.2% of leaks for the vast majority of flows in our dataset
There is no way <2% of the web and application traffic is encrypted. Bypassing all detection would be as easy as going to the HTTPS version of a website.
This also seems like it would pose a significant security risk, as the servers would be a very juicy target to hack (holding all their customers' personal information and passwords), as well as the ability for the staff themselves to surveil their users.
For example, I think PMP doesn't have options to filter loading native libraries or executing external commands - and this is sometimes useful, e.g. by blocking loadLibrary calls for libYandexMetricaNativeModule.so (some apps would crash, some would survive and would probably leak less analytics).
I believe both tools (and anything Xposed-based) aren't perfect, though - native code can work around this stuff. I wonder if a QubesOS-like Android-in-Android (using virtualization) solution exists, besides Samsung's proprietary enterprisey nonsense...
All those apps receive android.intent.action.PHONE_STATE broadcasts whenever the phone state changes (new call, etc.), and for incoming calls that intent's data always (AFAIK, maybe some firmware builds have privacy controls for this) contains the phone number.
If "read phone state" is listed then the app knows who's calling you; in a sense the system feeds this data. Whether the app uses it or not depends on how shady it is.
Should be "Information" on the screenshot.