PTKD Mobile App Security
medium | M6 | MASVS-PRIVACY-2 | dynamic analysis | PTKD-DYN-PII-THIRD-PARTY

Device/user PII sent to a third party

Personal or device-identifying data was sent to a host outside the app's own backend (typically one belonging to an analytics or ad SDK).

How it's exploited

The run captured device or user identifiers (advertising ID, email, location) flowing to a domain that is not yours. That third party can correlate your users across apps and time.

Why it matters

Privacy-policy and regulatory exposure (GDPR/CCPA), store data-safety mismatches, and user trust damage.

How to fix it

  1. Identify the SDK generating the flow (host is in the evidence) and decide deliberately whether you need it.
  2. Configure the SDK's consent/data-minimization options; gate transmission on real user consent.
  3. Update your privacy disclosures and store data-safety forms to match actual traffic.
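
One way to work through step 1 and to check step 3 against captured traffic, shown as an added example (not PTKD's own code): it groups the identifier kinds named above by third-party host. The first-party suffix, the regex heuristics and the sample flows are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: domain suffixes of the app's own backend; replace with yours.
FIRST_PARTY_SUFFIXES = ("example-app.test",)

# Heuristic patterns (assumptions) for the identifier kinds named in the finding.
PII_PATTERNS = {
    "advertising_id": re.compile(
        r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "location": re.compile(r'\blat(?:itude)?"?\s*[=:]\s*-?\d{1,2}\.\d{3,}', re.I),
}

def is_first_party(host):
    """Match on a label boundary so lookalike hosts are not treated as yours."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)

def third_party_pii(flows):
    """Map each third-party host to the set of PII kinds seen in its requests."""
    findings = defaultdict(set)
    for url, body in flows:
        host = urlsplit(url).hostname or ""
        if is_first_party(host):
            continue
        haystack = url + "\n" + body
        for kind, pattern in PII_PATTERNS.items():
            if pattern.search(haystack):
                findings[host].add(kind)
    return dict(findings)

# Constructed sample capture of (URL, request body) pairs; not real traffic.
SAMPLE_FLOWS = [
    ("https://api.example-app.test/v1/profile", '{"email":"alice@example.test"}'),
    ("https://collect.ads-sdk.test/e?adid=38400000-8cf0-11bd-b23e-10b96e40000d", ""),
    ("https://t.analytics-sdk.test/batch",
     '{"user":"alice@example.test","lat":52.52001,"lon":13.40495}'),
    ("https://cdn.fonts.test/a.woff2", ""),  # third party, but carries no PII
    ("https://cdn-example-app.test/x", '{"email":"alice@example.test"}'),
]

if __name__ == "__main__":
    for host, kinds in sorted(third_party_pii(SAMPLE_FLOWS).items()):
        print(f"{host}: {', '.join(sorted(kinds))}")
```

The per-host result doubles as a checklist for the disclosure update: every identifier kind listed against a host should appear in the privacy policy and the store data-safety form.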
