Empowering Privacy Audits: The Data Inspection Module in Consentis

by Fotis Fouskas (AEGIS IT RESEARCH)

In an era where mobile applications routinely collect vast amounts of personal data, understanding what an app collects — and whether that collection respects user consent — has become a challenge for both individuals and regulatory bodies. The Consentis framework aims to address this challenge directly through its Data Inspection and Audit Module, a component that brings privacy auditing capabilities to a wide audience, from everyday users to Data Protection Authorities (DPAs). AEGIS IT Research aims to integrate this module into the Consentis framework as part of the project’s commitment to making consent management not just a passive agreement, but an actively verifiable and enforceable reality.

The Audit Module is a privacy inspection tool built to answer a deceptively simple question: Does this mobile application actually behave the way it claims to? Rather than relying solely on self-reported privacy policies, the module inspects real network traffic generated by an application as it runs [1], [2]. The hardware platform at the heart of the system is a Raspberry Pi running the PiRogue Tool Suite, an open-source toolkit built for mobile traffic interception and analysis. It operates by following a structured pipeline that takes raw network activity and transforms it into actionable privacy insights across four stages:

1. Network traffic decryption: When a mobile device connects through the Audit Module, the system intercepts and decrypts the encrypted traffic generated by the application under review. Modern applications use encryption and a range of obfuscation techniques designed to protect data in transit, making this a technically demanding task. PiRogue handles this complexity transparently, producing a clear view of what data is actually leaving the device [3].
2. Data type identification: The module analyses the content and patterns of the decrypted data flows, searching for signatures that reveal the nature of the information being transmitted — whether that is device identifiers or other sensitive categories. Sustained communication with a known advertising infrastructure, for instance, is a strong indicator that the application is feeding personal data into advertising systems, regardless of what its privacy policy states.
3. Data usage analysis: Examines how the data is being used and where it is going. By mapping data flows to known third-party services — advertising networks, analytics providers, data brokers — the module builds a contextual picture of the application’s data ecosystem, transforming raw observations into meaningful privacy intelligence.
4. Data comparison: The findings are compared against the user’s declared preferences and consent settings within the Consentis framework. If an application is found to be transmitting data in ways that contradict the user’s choices, the module raises a violation alert, closing the loop between consent declaration and real-world enforcement [2].

Rather than operating as a standalone tool, it has been integrated into the Consentis framework as the project’s verification layer, the mechanism that ensures consent is not merely recorded but respected. Where other components of Consentis handle the collection and management of user preferences, the Audit Module provides the evidence that those preferences are being honoured, or flags clearly when they are not. This integration reflects a core philosophy of the project: that meaningful consent requires meaningful accountability [1], [2]. A user’s choices about their data should not disappear into a black box once an application is installed. The Audit Module ensures that those choices remain visible, verifiable, and — when violated — actionable.

References

[1] Y. Agarwal and M. Hall, “ProtectMyPrivacy: Detecting and mitigating privacy leaks on iOS devices using crowdsourcing,” in Proc. 11th Annu. Int. Conf. Mobile Systems, Applications, and Services (MobiSys), Taipei, Taiwan, 2013, pp. 97–110.

[2] A. Razaghpanah, A. A. Niaki, N. Vallina-Rodriguez, S. Sundaresan, J. Amann, and P. Gill, “Studying TLS usage in Android apps,” in Proc. 13th Int. Conf. Emerging Networking EXperiments and Technologies (CoNEXT), 2017, pp. 350–362.

[3] B. Andow, S. Acharya, B. Reaves, K. Singh, T. Ristenpart, and S. Egelman, “Actions speak louder than words: Entity-sensitive privacy policy and data flow analysis with PoliCheck,” in 29th USENIX Security Symposium (USENIX Security 20), 2020, pp. 985–1002.