Automatic Privacy Analysis of TCF-based Android Applications
Type
Master's Thesis
Abstract
Being greeted by a banner or consent dialog asking the user to “manage cookies” or “accept all” has become the norm for Europeans when browsing websites or using mobile applications in recent years, due to regulations such as the ePD and the GDPR. To help data controllers conform to these standards, the IAB created the TCF in April 2018. This framework has previously been found to cause several privacy violations when used on websites, and has therefore been updated regularly since. Previous research on the TCF has only been conducted in web contexts; the aim of this thesis is therefore to research the framework’s usage in Android applications. Our goals for this thesis are to determine the prevalence of the TCF in the Google Play Store, to confirm whether popular Android apps that implement the framework respect users’ consent dialog choices, and to quantify the presence of cookie paywalls. To reach our goals we develop solutions to: 1) scrape and download 4 482 of the most popular Google Play Store apps on an emulated Android device, 2) automatically determine which apps use the TCF, 3) automatically interact with applications’ consent dialogs while simultaneously determining the presence of cookie paywalls, and lastly, 4) analyze applications’ traffic in two different stages. We find that 842 applications in our dataset implement the TCF, and that it is possible to interact with the consent dialogs of 576 apps, with 15 apps only storing users’ dialog choices if the users provide full consent. In the 576 apps we find four cookie paywalls, proving their existence in Android applications. From analyzing apps’ traffic, we find that 66.5% of apps transmit personal data when provided with no consent and no legitimate interest, and 55.4% of apps transmit personal data during interactions with apps’ consent dialogs. These results imply that TCF-based apps potentially violate the GDPR.
Subject/keywords
Android, tracking, consent dialog, privacy, TCF, GDPR, legitimate interest
