How App Scanner Works

Overview

The OneTrust application can perform scans of your uploaded .ipa or .apk files to retrieve a list of available permissions and SDKs in your app. The Scanner is able to assess what's present in the application, check against our permissions database and SDK Library to match and compare those findings, and then post those results back to the OneTrust application for review.

Supported Apps

  • iOS, tvOS - .ipa
  • Android, Android TV, Fire TV - .apk, .aab

How it Works

App Scanner Flow Steps

1. Read Uploaded File and Decompile

The Scanner receives the supported app file and decompiles the app file provided.

2. Read and Match Permissions

The scanner first identifies the permissions declared in the application. Once identified, they are matched against the OT Permissions service, which returns the name, description, purpose, and category information for each permission.

3. Identify SDKs using Account Level Settings

The scanner then identifies SDKs in the app, starting at the account level. SDKs identified here are matched against account-level settings and return the name, description, purposes, and categories defined by the customer in those settings. When account-level settings are found for an SDK, the scanner prevents Step 4 from overwriting them with OneTrust SDK Library settings.

4. Identify SDKs using OneTrust SDK Library

If an SDK is not identified in Step 3, the scanner identifies it using the OneTrust SDK Library and matches the same name, description, purpose, and category information for review in OneTrust Admin.

Unidentified by Scanner - If an SDK is not identified by the scanner, there is no entry to display in OneTrust Admin. Resolving this will likely require a scanner enhancement by the product team, and in some cases a discussion with your app teams, so contact Support for a resolution timeline.

Uncategorized by Scanner - If an SDK is identified by the scanner but is not categorized by either the account-level settings or the OneTrust SDK Library settings, an entry is displayed in OneTrust Admin with categorization = Unknown.

5. Identify SDKs using Athena's NLP (Android Only)

When scanning an Android application, if the SDK categorization is still Unknown after the Account and OneTrust SDK Library settings have been applied, there is an additional step that categorizes the SDK using Athena's NLP engine.
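The precedence rules in Steps 2 through 5 are easiest to see in code. The following Python script is an added example and is not OneTrust's scanner, Permissions service, or SDK Library; the manifest, package list, permissions table, account-level settings, and library entries are all constructed stand-ins. It takes a decoded AndroidManifest.xml (what Step 1's decompiler produces), extracts the declared permissions, matches them against the permissions table, then identifies SDKs by package prefix with account-level settings taking priority over the library, marks identified-but-uncategorized SDKs as Unknown, and finally lists which of those Unknown entries would be handed to the Android-only NLP step.

```python
"""Added illustration of the App Scanner matching flow (Steps 2-5).
All data here is constructed for the example; none of it is OneTrust's
permissions database, SDK Library, or scanner code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: the decoded AndroidManifest.xml a decompiler would
# produce from an .apk in Step 1.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.example.CUSTOM_PERMISSION"/>
</manifest>
"""

# Constructed sample: fully qualified class names seen in the decompiled code.
SAMPLE_PACKAGES = [
    "com.example.demo.ui.MainActivity",   # the app's own code, not an SDK
    "com.vendor.analytics.Tracker",
    "org.thirdparty.ads.AdView",
    "io.unknownsdk.core.Client",
]

# Hypothetical stand-in for the OT Permissions service (Step 2).
PERMISSIONS_DB = {
    "android.permission.INTERNET": {
        "name": "Internet access", "purpose": "Networking", "category": "Functional"},
    "android.permission.ACCESS_FINE_LOCATION": {
        "name": "Precise location", "purpose": "Location", "category": "Sensitive"},
}

# Hypothetical account-level SDK settings (Step 3), keyed by package prefix.
# The customer has classified Vendor Analytics differently from the library.
ACCOUNT_SDK_SETTINGS = {
    "com.vendor.analytics": {
        "name": "Vendor Analytics", "purpose": "Performance", "category": "Analytics"},
}

# Hypothetical OneTrust SDK Library (Step 4). "io.unknownsdk" is known to the
# library but carries no category, which is the "Uncategorized" case.
SDK_LIBRARY = {
    "com.vendor.analytics": {
        "name": "Vendor Analytics", "purpose": "Advertising", "category": "Targeting"},
    "org.thirdparty.ads": {
        "name": "ThirdParty Ads", "purpose": "Advertising", "category": "Targeting"},
    "io.unknownsdk": {"name": "UnknownSDK", "purpose": None, "category": None},
}


def extract_permissions(manifest_xml):
    """Step 2a: collect every <uses-permission android:name=...> in the manifest."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def match_permissions(permissions):
    """Step 2b: look each permission up; None means the service has no record."""
    return {p: PERMISSIONS_DB.get(p) for p in permissions}


def identify_sdks(packages):
    """Steps 3-4: account-level settings first, library second, never
    overwriting a Step 3 result. Identified-but-uncategorized entries get
    category 'Unknown'; prefixes matching neither source produce no entry."""
    results = {}
    for prefix, settings in ACCOUNT_SDK_SETTINGS.items():          # Step 3
        if any(p.startswith(prefix + ".") for p in packages):
            results[prefix] = dict(settings, source="account")
    for prefix, entry in SDK_LIBRARY.items():                      # Step 4
        if prefix in results:
            continue  # account-level settings win; do not overwrite
        if any(p.startswith(prefix + ".") for p in packages):
            results[prefix] = dict(entry, source="library",
                                   category=entry["category"] or "Unknown")
    return results


def nlp_candidates(sdk_results, platform):
    """Step 5: only Android builds, and only entries still marked Unknown,
    are passed on to the NLP categorization step."""
    if platform != "android":
        return []
    return sorted(k for k, v in sdk_results.items() if v["category"] == "Unknown")


if __name__ == "__main__":
    perms = extract_permissions(SAMPLE_MANIFEST)
    for name, info in match_permissions(perms).items():
        print(f"permission {name}: {info or 'no match in permissions service'}")
    sdks = identify_sdks(SAMPLE_PACKAGES)
    for prefix, info in sdks.items():
        print(f"sdk {prefix}: {info['category']} (from {info['source']})")
    print("to NLP step:", nlp_candidates(sdks, "android"))
```

Running the script shows Vendor Analytics reported as "Analytics" from the account settings rather than "Targeting" from the library, ThirdParty Ads taken from the library, UnknownSDK reported as Unknown and queued for the NLP step, and the app's own com.example.demo classes producing no SDK entry at all.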

Next Steps

For more information on scanning apps, see the following:

  • Adding and Scanning Mobile Applications
  • Viewing and Categorizing Mobile App Compliance Scan Results

FAQs

What is the file size limit for file upload?

2GB

What is the max character count for file name?

100 characters

Does the scanner require the application file to be signed or not?

No, the app scanner does not care whether the application file is signed. All that matters is that the application's .apk, .aab, or .ipa file can be decompiled.

Does OneTrust keep a copy of the application file uploaded?

No. Once an application scan completes, OneTrust deletes the uploaded application file, as it is not economical to preserve the files in storage. For this reason, you will need to upload the file again each time you scan an application. Note that the results of the scan are preserved in storage for reporting, but the application file is not.