How App Scanner Works
Overview
The OneTrust application can perform scans of your uploaded .ipa or .apk files to retrieve a list of available permissions and SDKs in your app. The Scanner is able to assess what's present in the application, check against our permissions database and SDK Library to match and compare those findings, and then post those results back to the OneTrust application for review.
Supported Apps
- iOS, tvOS - .ipa
- Android, Android TV, Fire TV - .apk, .aab
How it Works
App Scanner Flow Steps
1. Read Uploaded File and Decompile
The Scanner receives the supported app file and decompiles the app file provided.
2. Read and Match Permissions
The scanner first identifies the permissions declared in the application. Once identified, they are matched against the OT Permissions service, which returns name, description, purpose, and category information.
3. Identify SDKs using Account Level Settings
The scanner looks to identify SDKs in the app starting at the account level. The SDKs identified will match against account-level settings and return name, description, purposes, and categories based on those customer-defined settings. When account-level settings are found for an SDK, the scanner will prevent Step 4 from overwriting them with OneTrust SDK library settings.
4. Identify SDKs using OneTrust SDK Library
If not identified in Step 3, the scanner will identify SDKs in the app using the OneTrust SDK library and match the same name, description, purpose, and category information for review in OneTrust Admin.
Unidentified by Scanner - If an SDK is not identified by the scanner, there will be no entry to display in OneTrust Admin. Resolving this will likely require a scanner enhancement by the product team, and in some cases a discussion with your app teams, so it's best to contact Support for a resolution timeline.
Uncategorized by Scanner - If an SDK is identified by the scanner but not categorized against Account Level or OneTrust SDK library settings, you can expect an entry to display in OneTrust Admin with categorization = Unknown.
5. Identify SDKs using Athena's NLP (Android Only)
When scanning an Android application where the SDK categorization = Unknown based on Account and OneTrust SDK Library settings, there is an additional step of categorizing using Athena's NLP engine.
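The following is an added illustration of the precedence rules in Steps 3 to 5 and the two failure modes above (no entry for an unidentified SDK, an Unknown entry for an identified but uncategorized one); it is not OneTrust's code. It assumes, for the sake of the example, that SDKs are recognised by package-name prefix in the decompiled class list, which the page does not specify, and all signature tables and class names are constructed sample data.

```python
"""Model of the App Scanner SDK classification steps described above.
Constructed example: signature tables, prefixes and class names are
made-up sample data, not OneTrust's real database or scanner code."""
from dataclasses import dataclass


@dataclass
class SdkResult:
    sdk: str
    category: str
    source: str  # "account", "library", "unknown" or "nlp-pending"


# Assumption: SDKs are identified by package-name prefix (constructed).
SDK_SIGNATURES = {
    "com.example.analytics": "ExampleAnalytics",
    "com.example.ads": "ExampleAds",
    "com.example.crash": "ExampleCrash",
}
# Step 3 data: customer-defined, account-level categorization.
ACCOUNT_SETTINGS = {"ExampleAnalytics": "Performance"}
# Step 4 data: vendor library. ExampleCrash is recognised by a signature
# but has no library category, so it ends up "Unknown".
SDK_LIBRARY = {"ExampleAnalytics": "Targeting", "ExampleAds": "Advertising"}


def identify_sdks(class_names):
    """Map decompiled class names to SDK names by package-prefix match."""
    found = set()
    for cls in class_names:
        for prefix, name in SDK_SIGNATURES.items():
            # Require a package boundary so "com.example.adsense" does
            # not match the "com.example.ads" signature.
            if cls == prefix or cls.startswith(prefix + "."):
                found.add(name)
    return sorted(found)


def categorize(sdk, platform):
    """Steps 3-5: account settings win, then library, then Unknown."""
    if sdk in ACCOUNT_SETTINGS:  # Step 4 must not overwrite this
        return SdkResult(sdk, ACCOUNT_SETTINGS[sdk], "account")
    if sdk in SDK_LIBRARY:
        return SdkResult(sdk, SDK_LIBRARY[sdk], "library")
    # Step 5 (Android only): Unknown results are handed to the NLP step.
    source = "nlp-pending" if platform == "android" else "unknown"
    return SdkResult(sdk, "Unknown", source)


def scan(class_names, platform):
    """Unidentified SDKs produce no entry; identified ones always get a row."""
    return [categorize(s, platform) for s in identify_sdks(class_names)]


# Constructed class list standing in for a decompiled app.
SAMPLE_CLASSES = [
    "com.example.analytics.Tracker", "com.example.crash.Reporter",
    "com.unknownvendor.sdk.Core",  # no signature -> no entry at all
    "com.example.adsense.View",    # near-miss prefix -> no match
]
```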
Next Steps
For more information on scanning apps, see the following:
- Adding and Scanning Mobile Applications
- Viewing and Categorizing Mobile App Compliance Scan Results
FAQs
What is the file size limit for file upload?
2GB
What is the max character count for file name?
100 characters
Does the scanner require the application file to be signed or not?
No, the app scanner does not care whether the application file is signed. All that matters is that the application's .apk, .aab, or .ipa file can be decompiled.
Does OneTrust keep a copy of the application file uploaded?
No, once an application scan completes, OneTrust deletes the application's file reference as it is not economical for us to preserve the files in storage. For this reason, you will need to upload a new file reference each time you scan an application. Note, the results of the scan will be preserved in storage for reporting, but the application file will not.