The Transparency and Consent Framework (TCF), developed by the Interactive Advertising Bureau (IAB) Europe, provides a de facto standard for requesting, recording, and managing consent from European end-users. The framework has previously been found to infringe European data protection law and has since been updated regularly. Previous research on the TCF has focused exclusively on web contexts; its implementation in mobile applications has received no attention, and no work has systematically studied the privacy implications of the TCF in Android apps. To address this gap, we investigate the prevalence of the TCF in popular Android apps from the Google Play Store and assess whether these apps respect users' consent banner choices. By scraping and downloading 4482 of the most popular Google Play Store apps on an emulated Android device, we automatically determine which apps use the TCF, automatically interact with their consent banners, and analyze the apps' traffic in two stages: a passive stage (after the user's choices have been made) and an active stage (during banner interaction and after the choices). We found that 576 (12.85%) of the 4482 downloadable apps in our dataset implement the TCF, and we identified potential privacy violations within this subset. In 15 (2.6%) of these apps, users' choices are stored only when consent is granted, so users who refuse consent are shown the consent banner again each time they launch the app. Network traffic analysis conducted during the passive stage reveals that 66.2% of the analyzed TCF-based apps share personal data, through the Android Advertising ID (AAID), in the absence of a lawful basis for processing. 55.3% of the apps analyzed during the active stage share the AAID before users interact with the apps' consent banners, violating the prior consent requirement.
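The two traffic checks the abstract describes (AAID sent before the banner choice, and AAID sent after consent was refused) can be reduced to a small classifier over captured requests. The following is an added example, not code from the paper or its authors; the traffic log, the AAID value and the hostnames are constructed, and the capture format (timestamp, host, URL, body) is an assumption.

```python
"""Flag outbound requests that carry the Android Advertising ID (AAID)
at a point where the TCF consent state gives no basis for sharing it."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed AAID value for the sample; not a real device identifier.
SAMPLE_AAID = "38400000-8cf0-11bd-b23e-10b96e40000d"


@dataclass
class Request:
    t: float    # seconds since app launch
    host: str
    url: str    # path plus query string
    body: str   # request body (empty for GET)


def carries_aaid(req: Request, aaid: str) -> bool:
    """True if the AAID appears in the URL or body, hyphenated or not
    (some SDKs strip the hyphens before sending the identifier)."""
    hay = (req.url + " " + req.body).lower()
    return aaid.lower() in hay or aaid.replace("-", "").lower() in hay


def flag_aaid_sharing(requests: List[Request], aaid: str,
                      choice_at: Optional[float],
                      consent_granted: bool) -> List[Tuple[float, str, str]]:
    """Return (t, host, reason) for each AAID-bearing request sent either
    before the user made a banner choice ("pre-consent") or after the user
    refused consent ("post-refusal").  choice_at=None models the passive
    stage, where the capture contains no banner interaction at all."""
    findings = []
    for r in requests:
        if not carries_aaid(r, aaid):
            continue
        if choice_at is not None and r.t < choice_at:
            findings.append((r.t, r.host, "pre-consent"))
        elif not consent_granted:
            findings.append((r.t, r.host, "post-refusal"))
    return findings


# Constructed capture: an ad SDK init call before the banner, a CMP call,
# a tracker event after the banner, and one unrelated asset fetch.
SAMPLE_TRAFFIC = [
    Request(0.4, "ads.example-sdk.test",
            "/init?aaid=38400000-8cf0-11bd-b23e-10b96e40000d", ""),
    Request(1.1, "cmp.example-cmp.test", "/banner", ""),
    Request(3.9, "tracker.example.test", "/event",
            '{"adid":"384000008cf011bdb23e10b96e40000d"}'),
    Request(4.2, "cdn.example.test", "/assets/logo.png", ""),
]

if __name__ == "__main__":
    # Active stage: banner answered at t=2.5 with consent refused.
    for f in flag_aaid_sharing(SAMPLE_TRAFFIC, SAMPLE_AAID, 2.5, False):
        print(f)
```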