This study addresses the lack of systematic privacy and compliance analysis regarding the implementation of Transparency and Consent Frameworks (TCFs) in Android applications, particularly concerning whether user consent is genuinely respected. It extends TCF compliance research from the web to the Android ecosystem by proposing and implementing an automated analysis methodology that integrates emulator-based app crawling, automated interaction with consent banners, network traffic capture, and AAID (Android Advertising ID) tracking detection. An evaluation of 4,482 popular apps revealed that 576 employed TCF; however, only 15 correctly persisted user choices. Alarmingly, 66.2% transmitted the AAID without a valid legal basis, and 55.3% leaked this identifier even before any user interaction, exposing severe compliance deficiencies.

The Transparency and Consent Framework (TCF), developed by the Interactive Advertising Bureau (IAB) Europe, provides a de facto standard for requesting, recording, and managing user consent from European end-users. This framework has previously been found to infringe European data protection law and has subsequently been regularly updated. Previous research on the TCF focused exclusively on web contexts, with no attention given to its implementation in mobile applications. No work has systematically studied the privacy implications of the TCF on Android apps. To address this gap, we investigate the prevalence of the TCF in popular Android apps from the Google Play Store, and assess whether these apps respect users'consent banner choices. By scraping and downloading 4482 of the most popular Google Play Store apps on an emulated Android device, we automatically determine which apps use the TCF, automatically interact with consent banners, and analyze the apps'traffic in two different stages, passive (post choices) and active (during banner interaction and post choices). We found that 576 (12.85%) of the 4482 downloadable apps in our dataset implemented the TCF, and we identified potential privacy violations within this subset. In 15 (2.6%) of these apps, users'choices are stored only when consent is granted. Users who refuse consent are shown the consent banner again each time they launch the app. Network traffic analysis conducted during the passive stage reveals that 66.2% of the analyzed TCF-based apps share personal data, through the Android Advertising ID (AAID), in the absence of a lawful basis for processing. 55.3% of apps analyzed during the active stage share AAID before users interact with the apps'consent banners, violating the prior consent requirement.