Mobile App Scanning

Bringing Privado's set of web tools, such as data flows, consent management, and code scanning, to mobile apps.

Details


What's Privado?

Privado is a platform that automates privacy compliance and governance by scanning code to map data flows, identify risks, and embed privacy into your software development lifecycle.


What's Code-scan?

Privado's code engine automatically scans your codebase to identify data flows, detect privacy issues, and reveal how personal data is being used and processed throughout your applications.

Code-scan is a tool that automatically detects privacy issues in your code base. This works well for web applications, but it meant a big chunk of our market could not use Privado, because our engine could not access mobile apps.


My role involved leading the end-to-end design for a proof of concept for a new suite of privacy tools for Privado to capture the mobile app market.

Goals

Bringing Privacy Tools to Mobile Teams

1. Understand how software teams develop mobile apps

2. Find ways to provide privacy teams visibility into mobile apps

Process

Understanding Mobile Development

Mobile apps are developed differently from conventional web apps, where updates are continuously pushed. Instead, mobile apps are versioned, packaged, and then deployed as applications.

[Diagram: Web app vs mobile app development. Web: changes made in codebase -> update deployed -> Privado Code-Scan. Mobile: changes made in codebase -> packaged into .apk or .ipa -> Privado cannot scan.]

Understanding Privacy Teams

Privacy teams are often non-technical and spread thin as they juggle compliance across different apps, builds, and versions. This shaped our focus on two things: simplicity, so they can test mobile apps without technical skills, and visibility, so they can gain insights across many apps.

Another pattern in mobile apps that differs from our Code-scan use case is geo-locking: a single app often has many versions, each shaped by specific regional laws.

Unlike web apps, where the whole code base is connected to Privado via Git or a CI/CD pipeline and scanned automatically, mobile apps do not allow this automation. Each app therefore requires manual privacy tests.

I am basically trusting what the developers tell me


Based on our conversations with existing customers about using Privado to assess their mobile app's privacy health, we identified the potential for a 'test recorder' workflow that partially automates tests and allows privacy teams to use code as a source of truth for privacy issues.


New workflow for mobile apps:

Add Apps -> Manual Tests -> Observe Results

Conceptualising a Mobile App Tester

After some brainstorming with the engineering team, we came up with two ideas to help privacy teams test mobile apps.

Flow-Map Creator

  • Bird's-eye view of the mobile app

  • Manually create maps

  • Need to know the app architecture

Mobile App Simulator

  • Visualise the flow with the app UI

  • Granular single-flow recorder

  • Requires 3rd-party integration to simulate

We opted for the simulator idea for a few simple reasons:

  • Recording flows by using the app UI works better for non-technical users.

  • Single flow test recording allowed for better organisation and versioning.

  • Combining the two, visual simulation and single-flow recording, also made results easier to share with leadership.

Solution

Mobile Apps and Versioning

Add new app in Privado

To start testing mobile applications, we need packaged app files. By scanning the APK and IPA files, we can identify the SDKs, permissions, Third Parties, and Data Elements utilised by the app.

Version Control for Mobile apps

Privado dashboard

Delta from previous app versions

But unlike web apps, whose code base comes with version control built in, mobile apps are packaged and must be uploaded manually by users. This requires manual versioning within Privado to detect changes in each app update.
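An added example, not Privado's code, sketching the two steps described above: inventory the permissions and SDK packages declared in an uploaded package, then compute the delta against the previous upload. It assumes a constructed zip holding a plain-text manifest as a stand-in for an .apk (real APKs carry a binary-encoded AndroidManifest.xml that a tool such as apktool or androguard must decode first), and the third-party heuristic (components declared outside the app's own package) is an assumption.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifests: v2 adds a location permission and a new vendor SDK.
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name="com.example.shop.MainActivity"/>
    <service android:name="com.google.firebase.messaging.FirebaseMessagingService"/>
  </application>
</manifest>"""
MANIFEST_V2 = MANIFEST_V1.replace(
    "<application>",
    '<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>\n  <application>\n'
    '    <receiver android:name="com.analyticsvendor.sdk.InstallReceiver"/>')

def build_apk(manifest_xml: str) -> bytes:
    """Stand-in for an .apk: a zip holding a plain-text manifest (real ones use binary AXML)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest_xml)
    return buf.getvalue()

def inventory(apk_bytes: bytes) -> dict:
    """Permissions and third-party SDK package prefixes declared in the manifest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        root = ET.fromstring(z.read("AndroidManifest.xml"))
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    app_pkg = root.get("package", "")
    sdks = set()
    for tag in ("activity", "service", "receiver", "provider"):
        for e in root.iter(tag):
            name = e.get(ANDROID_NS + "name", "")
            # Heuristic (assumption): a component outside the app's own package comes from an SDK.
            if name and not name.startswith(app_pkg + "."):
                sdks.add(".".join(name.split(".")[:3]))
    return {"permissions": perms, "sdks": sdks}

def delta(old: dict, new: dict) -> dict:
    """What a new upload adds or removes relative to the previous version."""
    return {k: {"added": sorted(new[k] - old[k]), "removed": sorted(old[k] - new[k])}
            for k in old}

if __name__ == "__main__":
    v1, v2 = inventory(build_apk(MANIFEST_V1)), inventory(build_apk(MANIFEST_V2))
    print(delta(v1, v2))
```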

Mobile App Tester

Privacy officers are not familiar with simulating and testing. To address this we set out to create a testing tool that removes the complexity of a traditional simulator and focuses on allowing them to record flows.

Privado mobile testing screens

Test recorder

We borrowed metaphors from a recorder to help them understand the test-recording functions.

Record

Similar to a recorder, you can start and stop "recording" your steps.

Replay

Once recorded, you can "playback" your steps to verify the actions.

Restart

If you recorded the wrong step or made an error, restart anytime.

These metaphors simplified the interface, allowing users to interact with the mobile application and focus on recording the flow.

Overview Dashboard

Privado dashboard

Mobile app overview

A single app will have multiple policies applied based on geographic locations and applicable laws, such as GDPR and CCPA. Each policy will include several tests.


To help privacy officers handle this complexity, we created an overview of all findings related to an app. It gives them a bird's-eye view of third-party sharing, the data elements exposed, and the issues raised by the Privado mobile app scan.

Reports for Stakeholder Buy-ins

Privado report screenshots

Mobile app PDF report

We also created an exportable report that offers an overview of high-level data and findings for privacy officers to share with management and leadership. This aims to build confidence in investing resources in privacy.

Results

Completing the Privado Privacy Suite

The mobile app scan was the final missing piece in Privado's suite of privacy tools. With this project, we completed all privacy touchpoints: codebase, websites, and now mobile apps.


The product architecture enables our sales team to join sales calls with an APK file that has already been scanned and analyzed, highlighting any privacy issues. This demonstrates value even before customers purchase Privado.


The mobile app scan has solidified Privado's position as a privacy center within organizations and has helped us acquire 5 new enterprise customers within a single quarter in the mobile gaming, consumer apps, and e-commerce sectors.

This project would not have been possible without my manager and mentor.