How App Scanner Works
iOS Scanner v2 and Android Feature Parity is under Public Preview. Please contact your account representative or OneTrust Support to request early access.
Overview
The Mobile Application Scanner uses enhanced detection capabilities and may identify additional SDKs in your mobile apps. These newly discovered SDKs are automatically classified using our intelligent classification system. You can manually reclassify them at any time. Existing SDK classifications will remain unchanged and will not be overwritten or removed.
The OneTrust application can perform scans of your uploaded .ipa or .apk files to retrieve a list of available highly risky permissions and SDKs in your app. The Scanner is able to assess what's present in the application, check against our permissions database and SDK Detector Library (Android) and SDK Automated Discovery (iOS) to match and compare those findings, and then post those results back to the OneTrust Scan Results page for review.
Key Features
- Automated SDK Classification: The scanner automatically identifies and categorizes SDKs, eliminating the need for manual cookie category assignment.
- SDK Data Collection and App Permissions Insights: It retrieves and displays data collection behaviours of SDKs, as well as highlighting any dangerous or deprecated app permissions.
- Regulatory Compliance Reports: Our scanner generates detailed reports to assist with regulatory compliance, as well as for submission to app stores (Google Play for Android and App Store for iOS).
Our Mobile Application scanner helps ensure that your mobile app adheres to privacy regulations and is optimized for iOS App Store and Google Play Store submissions.
Supported Apps
- iOS, tvOS: .ipa
- Android, Android TV, Fire TV: .apk
How it Works
Figure: Mobile App Scanner Flow Steps
1. Read uploaded file and decompile
The scanner receives the uploaded .ipa (iOS) or .apk (Android) and decompiles the file, scanning for SDKs and highly risky app permissions present in the application.
2. Identify and classify SDKs using recursive dependency and build data analysis
The SDKs present are displayed in an SDK Details table along with their metadata: SDK name, version (iOS only), vendor, default cookie category, and Google Play SDK Index category (Android only).
3. Identify Permissions and enrich with metadata
The permissions present in the application are stored in a database along with their category, respective status (Dangerous, Highly Sensitive, Sensitive), and description.
4. Store results, link existing SDKs and vendors, and generate reports
The Android scanner also looks for Data Types collected by SDKs* present within the application.
*1000+ Android system and third-party libraries are supported by our Android SDK Detectors Library.
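As an added illustration of step 3 of the flow above (not OneTrust's own code), the snippet below extracts the permissions declared in a decoded AndroidManifest.xml and enriches each one with a category and status from a small constructed permission database. It assumes the manifest has already been decoded from the APK's binary XML (for example with apktool or aapt2) and that the lookup table stands in for the scanner's permissions database; unmatched permissions are reported as gaps rather than dropped.

```python
import xml.etree.ElementTree as ET

# Attribute name for android:name once ElementTree expands the namespace.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed stand-in for the scanner's permissions database. Statuses use the
# three classes the page lists; "Normal" marks a permission that is not risky.
PERMISSION_DB = {
    "android.permission.ACCESS_FINE_LOCATION": ("Location", "Highly Sensitive"),
    "android.permission.READ_CONTACTS": ("Contacts", "Dangerous"),
    "android.permission.CAMERA": ("Camera", "Dangerous"),
    "android.permission.GET_ACCOUNTS": ("Accounts", "Sensitive"),
    "android.permission.INTERNET": ("Network", "Normal"),
}

# Constructed sample of a decoded manifest (package name is a placeholder).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.CAMERA"/>
  <uses-permission android:name="com.example.placeholder.CUSTOM_PERMISSION"/>
</manifest>"""


def extract_permissions(manifest_xml):
    """Return declared permission names in manifest order, without duplicates."""
    root = ET.fromstring(manifest_xml)
    seen, names = set(), []
    for elem in root.iter():
        # uses-permission-sdk-23 declares a permission only on API 23+ devices,
        # but it is still a declared permission and must be audited.
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(NAME_ATTR)
            if name and name not in seen:
                seen.add(name)
                names.append(name)
    return names


def enrich_permissions(manifest_xml, db=PERMISSION_DB):
    """Attach category and status; unknown names become explicit gaps."""
    rows = []
    for name in extract_permissions(manifest_xml):
        category, status = db.get(name, ("Unknown", "Unclassified"))
        rows.append({"permission": name, "category": category, "status": status})
    return rows


def risky_permissions(rows):
    """Keep only the statuses the scanner treats as highly risky."""
    risky = {"Dangerous", "Highly Sensitive", "Sensitive"}
    return [r["permission"] for r in rows if r["status"] in risky]
```

Rows with status "Unclassified" are the gaps to review manually, which mirrors the scanner's behaviour of leaving unmatched findings for you to classify.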
iOS
- If the SDK and its associated metadata are present in the application, it will be automatically discovered by the scanner.
- You may find gaps where the SDK metadata cannot be matched by our intelligent engine.
- The iOS SDK Intelligent Classification System classifies with logic, reasoning, and confidence, which reduces the need to re-classify SDK categories.
- Supports the Third-Party Data Audit and Permission Audit reports, as well as legacy PDF and XLS export reports.
Android
- If the SDK and its associated metadata are present in the application, it will only be discovered by the scanner if found in our Android SDK Detectors Library.
- We use the Google Play SDK Index as a source of truth for mapping and cookie-classifying third-party SDKs and Android system build libraries.
- The scanner also supports detection of 140 highly sensitive SDK data points within 38 data types to help you understand data collection behaviors.
For more information, see Performing SDK Data Type Analysis.
- Supports PDF and XLS formats for legacy export reports.
FAQs
What is the file size limit for the file upload and why?
500MB. This is consistent with Google and Apple's optimized thresholds for app submissions.
What is the maximum character count for the file name?
100 characters.
Does the scanner require the application file to be signed or not?
No, the app scanner does not care if the application file is signed or not.
Does the scanner support obfuscated application files?
No, the scanner does not support obfuscated application files, as obfuscation significantly degrades the accuracy of detecting SDKs and their data collection behaviors.
Does OneTrust retain a copy of the application file uploaded?
No, once an application scan completes, OneTrust deletes the application's file reference as it is not economical for us to preserve the files in storage. You will therefore need to upload a new file reference each time you scan an application.
The results of the scan will be preserved in storage for reporting, but the application file will not.
Does the scanner overwrite or delete SDK classifications?
No, the scanner does not overwrite or delete SDK classifications. However, you can manually edit both existing classifications and newly discovered SDKs that have been automatically classified.