MASTG-TEST-0318: References to SDK APIs Known to Handle Sensitive User Data

Overview

This test verifies whether an app uses SDK (third-party library) APIs known to handle sensitive user data (e.g., as defined in Google Play's Data safety section or the relevant privacy regulations).

As a prerequisite, identify the SDK's API methods that serve as entry points for data collection by reviewing the library's documentation or codebase. For example, Google Analytics for Firebase exposes methods such as setUserId, setUserProperty, and logEvent on its FirebaseAnalytics class that can be used to collect user data.

Note: This test only detects potential handling of sensitive user data. To confirm that actual user data are being shared, refer to Runtime Use of SDK APIs Known to Handle Sensitive User Data.

Steps

  1. Use Reverse Engineering Android Apps to reverse engineer the app.
  2. Use Static Analysis on Android to look for uses of these methods where sensitive user data may be passed to the SDK.
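The two steps above, carried out as an added example that is not part of the MASTG page: a small Python scanner that walks decompiled output (smali from apktool-style tooling and Java from a decompiler) and reports every call site of the FirebaseAnalytics entry points named in the overview. The SDK_APIS table, the file paths and the decompiled snippets are constructed for illustration; in practice the table is filled from the SDK documentation and the files come from the reverse-engineered app.

```python
import re
from typing import Dict, List, Tuple

# SDK entry points to look for (constructed list based on the FirebaseAnalytics
# methods named in the overview; extend it with whatever the SDK's docs reveal).
SDK_APIS: Dict[str, List[str]] = {
    "com.google.firebase.analytics.FirebaseAnalytics": [
        "setUserId", "setUserProperty", "logEvent",
    ],
}

# Matches a smali invoke instruction, e.g.
#   invoke-virtual {v0, p1}, Lcom/google/firebase/analytics/FirebaseAnalytics;->setUserId(Ljava/lang/String;)V
SMALI_INVOKE = re.compile(r"invoke-\w+(?:/range)? \{[^}]*\}, L([\w/$]+);->(\w+)\(")

# Matches a method call in decompiled Java, e.g. `analytics.logEvent(...)`.
JAVA_CALL = re.compile(r"\.(\w+)\s*\(")


def find_sdk_calls(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Return (path, line_number, class, method) for each reference to a listed SDK API.

    `files` maps a path to its contents; smali and Java sources are both handled.
    """
    hits: List[Tuple[str, int, str, str]] = []
    for path, text in files.items():
        lines = text.splitlines()
        if path.endswith(".smali"):
            # smali names the receiver class explicitly, so matching is exact.
            for no, line in enumerate(lines, 1):
                m = SMALI_INVOKE.search(line)
                if not m:
                    continue
                cls, method = m.group(1).replace("/", "."), m.group(2)
                if method in SDK_APIS.get(cls, []):
                    hits.append((path, no, cls, method))
        elif path.endswith(".java"):
            # Decompiled Java loses the receiver type at the call site, so only
            # classes the file actually imports are considered; a local helper
            # that happens to be called logEvent is therefore not reported.
            imported = [c for c in SDK_APIS if f"import {c};" in text]
            for no, line in enumerate(lines, 1):
                for m in JAVA_CALL.finditer(line):
                    for cls in imported:
                        if m.group(1) in SDK_APIS[cls]:
                            hits.append((path, no, cls, m.group(1)))
    return hits


# Constructed sample of decompiled output standing in for a reverse-engineered app.
SAMPLE_FILES: Dict[str, str] = {
    "smali/com/example/app/LoginActivity.smali": "\n".join([
        ".method private onLogin(Ljava/lang/String;)V",
        "    .locals 2",
        "    iget-object v0, p0, Lcom/example/app/LoginActivity;->analytics:Lcom/google/firebase/analytics/FirebaseAnalytics;",
        "    invoke-virtual {v0, p1}, Lcom/google/firebase/analytics/FirebaseAnalytics;->setUserId(Ljava/lang/String;)V",
        "    return-void",
        ".end method",
    ]),
    "sources/com/example/app/Checkout.java": "\n".join([
        "package com.example.app;",
        "import com.google.firebase.analytics.FirebaseAnalytics;",
        "import android.os.Bundle;",
        "public class Checkout {",
        "    FirebaseAnalytics analytics;",
        "    void track(String email, double total) {",
        "        Bundle b = new Bundle();",
        "        b.putString(\"email\", email);",
        "        analytics.setUserProperty(\"plan\", \"premium\");",
        "        analytics.logEvent(\"purchase\", b);",
        "    }",
        "}",
    ]),
    "sources/com/example/app/Util.java": "\n".join([
        "package com.example.app;",
        "public class Util {",
        "    void logEvent(String s) { }  // local helper, not the SDK",
        "}",
    ]),
}


if __name__ == "__main__":
    # Prints one line per call site, which is the observation this test asks for.
    for path, no, cls, method in find_sdk_calls(SAMPLE_FILES):
        print(f"{path}:{no}: {cls}.{method}")
```

Each reported location is then reviewed by hand to see what is actually passed to the call (here the user-supplied identifier on login and an email placed into the event bundle at checkout), which is what decides whether the reference involves sensitive user data.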

Observation

The output should list the locations (class, method and line) where these SDK methods are called, together with the arguments passed to them where the decompiled code makes that visible.

Evaluation

The test case fails if references to these SDK methods are found in the app code, since they indicate that the app may be sharing sensitive user data with the third-party SDK. If no such references are found, the test case passes.