The Transparency and Consent Framework (TCF), developed by the Interactive Advertising Bureau (IAB) Europe, provides a de facto standard for requesting, recording, and managing user consent from European end-users. This framework has previously been found to infringe European data protection law and has subsequently been regularly updated. Previous research on the TCF focused exclusively on web contexts, with no attention given to its implementation in mobile applications. No work has systematically studied the privacy implications of the TCF on Android apps. To address this gap, we investigate the prevalence of the TCF in popular Android apps from the Google Play Store, and assess whether these apps respect users' consent banner choices. By scraping and downloading 4482 of the most popular Google Play Store apps on an emulated Android device, we automatically determine which apps use the TCF, automatically interact with consent banners, and analyze the apps' traffic in two different stages, passive (post choices) and active (during banner interaction and post choices). We found that 576 (12.85%) of the 4482 downloadable apps in our dataset implemented the TCF, and we identified potential privacy violations within this subset. In 15 (2.6%) of these apps, users' choices are stored only when consent is granted. Users who refuse consent are shown the consent banner again each time they launch the app. Network traffic analysis conducted during the passive stage reveals that 66.2% of the analyzed TCF-based apps share personal data, through the Android Advertising ID (AAID), in the absence of a lawful basis for processing. 55.3% of apps analyzed during the active stage share AAID before users interact with the apps' consent banners, violating the prior consent requirement.
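As an added illustration of the two checks the abstract describes (example code written for this page, not the authors' tooling): given a capture of an app's outbound requests and the moment the user answered the consent banner, flag every request that carries the emulator's Android Advertising ID either before the choice (breach of prior consent) or after a refusal (no lawful basis). The AAID, hostnames, timestamps and request bodies are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlsplit

@dataclass
class Request:
    ts: datetime        # time the emulator sent the request
    url: str
    body: str = ""

@dataclass
class Finding:
    prior_consent: list = field(default_factory=list)  # AAID sent before the banner was answered
    post_refusal: list = field(default_factory=list)   # AAID sent after the user refused consent

def carries_aaid(req: Request, aaid: str) -> bool:
    """True if the AAID appears in the URL or body. Some SDKs strip the dashes
    or upper-case the UUID, so both forms are matched case-insensitively."""
    hay = (req.url + " " + req.body).lower()
    a = aaid.lower()
    return a in hay or a.replace("-", "") in hay

def audit(requests, aaid, choice_at, consent_granted):
    """Classify each AAID-bearing request relative to the user's banner choice:
    before the choice it violates prior consent; after a refusal it lacks a lawful basis."""
    f = Finding()
    for r in sorted(requests, key=lambda r: r.ts):
        if not carries_aaid(r, aaid):
            continue
        host = urlsplit(r.url).hostname
        if r.ts < choice_at:
            f.prior_consent.append(host)
        elif not consent_granted:
            f.post_refusal.append(host)
    return f

# Constructed sample: the emulator's AAID and a capture in which the banner is answered at 12:00:05.
AAID = "f7a1c2e4-3b5d-4f6e-9a8b-1c2d3e4f5a6b"
T = lambda s: datetime.fromisoformat(f"2024-01-01T{s}")
SAMPLE = [
    Request(T("12:00:01"), f"https://ads.sdk-vendor.test/init?aaid={AAID}&os=android"),
    Request(T("12:00:02"), "https://crash.sdk-vendor.test/report", '{"app":"com.example.app"}'),
    Request(T("12:00:09"), "https://bid.sdk-vendor.test/v2/bid", '{"did":"F7A1C2E43B5D4F6E9A8B1C2D3E4F5A6B"}'),
    Request(T("12:00:10"), "https://api.example-app.test/config"),
]

def run_sample(consent_granted=False):
    """Audit the constructed capture; the default models a user who refused consent."""
    return audit(SAMPLE, AAID, choice_at=T("12:00:05"), consent_granted=consent_granted)
```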