Sample Report — Anonymised Assessment Extract

The following is a demonstration of a BlackFlag Advisory Passive Mobile App GRC Assessment report. The app name, developer, and all identifying details are fictionalised. This extract demonstrates the structure, rigour, and Board-ready format of a typical deliverable.

Confidential
Passive Mobile App GRC Assessment
Mobile Application Privacy & Compliance Assessment Report
Passive OSINT Assessment — No Systems Accessed — No Active Scanning Performed
Application: ConnectField Pro
Developer: Apex Mobile Solutions Pty Ltd
Platform: Android (Google Play)
Assessment Date: April 2026
Assessed By: Cluny Archibald — BlackFlag Advisory
Overall Risk Rating: HIGH
Sample Document — For Demonstration Purposes Only
All identifying details are fictionalised — methodology and findings structure are representative
01 Executive Summary

ConnectField Pro is a field service management application used by the client organisation's 47 field technicians to log job records, capture client signatures, photograph completed work, and access the customer database. The application was deployed organisation-wide following a recommendation from IT without a formal privacy or security assessment. This assessment was conducted following a staff complaint regarding the app's data collection practices.

The passive assessment identified significant compliance concerns. The application requests permissions substantially in excess of what its stated field service function requires, embeds six third-party trackers (including two advertising SDKs with no disclosed purpose), and transfers data to servers in the United States and Singapore without adequate disclosure in the developer's privacy policy. In addition, the developer entity cannot be independently verified through Australian corporate registries. Three Critical and three High findings are identified.

Overall Risk Rating: HIGH
This application presents material compliance risk under the Australian Privacy Act 1988 and should not continue in organisational use without remediation of Critical findings and vendor engagement on disclosure obligations. Immediate Board notification is recommended given the volume of client personal information processed through the application.
Findings by severity: 3 Critical, 3 High, 4 Medium, 2 Low
02 Application Profile
ConnectField Pro — Field Service Management
Developer: Apex Mobile Solutions Pty Ltd — Listed jurisdiction: Australia — Last updated: January 2026 — Installs: 10,000+
Categories: Field Service, Job Management, Client Signatures, Photo Capture, Customer Database
03 Permissions Analysis

ConnectField Pro requests 14 Android permissions. The following assessment evaluates each permission against the app's stated purpose as a field service management tool. Permissions marked Excessive are assessed as beyond what the stated function requires and need justification from the developer; those marked Review Required are plausible for some field workflows but are not explained by the app's disclosures.

Permission | Assessment
READ_CONTACTS | Excessive
RECORD_AUDIO | Excessive
ACCESS_BACKGROUND_LOCATION | Excessive
READ_CALL_LOG | Review Required
SEND_SMS | Review Required
CAMERA | Expected
ACCESS_FINE_LOCATION | Expected
READ_EXTERNAL_STORAGE | Expected
WRITE_EXTERNAL_STORAGE | Expected
INTERNET | Expected
RECEIVE_BOOT_COMPLETED | Expected
VIBRATE | Expected
Source: Passive OSINT assessment using publicly available data sources — assessed April 2026.
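The permission review above is a baseline comparison: the assessor fixes the set of permissions the stated function justifies and treats anything outside it as excessive until the developer explains it. The script below is an added example of that check, not BlackFlag Advisory's own tooling. It parses a constructed AndroidManifest.xml fragment (listing the permissions named in the report, not the real app's manifest) and classifies each permission with a deny-by-default baseline; the EXPECTED and REVIEW_REQUIRED sets are assumptions chosen for a job-logging, signature and photo-capture app.

```python
"""Classify an app's requested Android permissions against a baseline for its stated
function. Added example; the baseline sets and the manifest fragment are constructed
assumptions for a field service app, not the assessor's tooling or the real manifest."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed AndroidManifest.xml fragment listing the permissions named in the report.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.connectfieldpro">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

# Assumed baseline for the stated function (job logging, signatures, photo capture,
# customer database). Anything not listed is treated as Excessive by default; note that
# foreground location is expected but background location is deliberately not.
EXPECTED = {
    "CAMERA", "ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
    "INTERNET", "RECEIVE_BOOT_COMPLETED", "VIBRATE",
}
# Plausible for some field workflows (e.g. SMS job notifications) but needs a written
# justification from the developer before being accepted.
REVIEW_REQUIRED = {"READ_CALL_LOG", "SEND_SMS"}


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return the short permission names declared by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for element in root.iter("uses-permission"):
        qualified = element.get(f"{{{ANDROID_NS}}}name")
        if qualified:
            # "android.permission.CAMERA" -> "CAMERA"; vendor permissions keep their last segment
            names.append(qualified.rsplit(".", 1)[-1])
    return names


def classify(permissions: list[str]) -> dict[str, str]:
    """Map each permission to Expected / Review Required / Excessive (deny by default)."""
    classification = {}
    for perm in permissions:
        if perm in EXPECTED:
            classification[perm] = "Expected"
        elif perm in REVIEW_REQUIRED:
            classification[perm] = "Review Required"
        else:
            classification[perm] = "Excessive"
    return classification


def summarise(classification: dict[str, str]) -> dict[str, list[str]]:
    """Group permissions by assessment, most concerning group first, preserving manifest order."""
    summary = {"Excessive": [], "Review Required": [], "Expected": []}
    for perm, status in classification.items():
        summary[status].append(perm)
    return summary


if __name__ == "__main__":
    grouped = summarise(classify(requested_permissions(SAMPLE_MANIFEST)))
    for status, perms in grouped.items():
        for perm in perms:
            print(f"{status:16} {perm}")
```

The baseline is an allow-list rather than a block-list on purpose: a permission the assessor has not consciously justified for the stated function surfaces as Excessive, which is the posture the report's own table reflects (ACCESS_BACKGROUND_LOCATION is flagged even though ACCESS_FINE_LOCATION is expected).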
04 Tracker & SDK Analysis

Exodus Privacy identified 6 embedded trackers in ConnectField Pro. Two are advertising SDKs with no disclosed commercial justification for a B2B field service tool. None of the six trackers are disclosed by name in the developer's privacy policy.

Tracker | Purpose | Data Destination | Type
Meta Audience Network | Behavioural advertising — transmits device ID, usage patterns and location to Meta (Facebook) advertising infrastructure | United States | Ad Tech
Google AdMob | In-app advertising SDK — transmits device identifiers, location and behavioural data to Google advertising network | United States | Ad Tech
Firebase Analytics | Usage analytics and crash reporting — transmits app usage events, device information and user session data | United States | Analytics
Amplitude | Product analytics — transmits detailed user interaction events, feature usage patterns and funnel data | United States | Analytics
Appsflyer | Mobile attribution and marketing analytics — tracks installs, campaign performance and user acquisition source | United States / Singapore | Attribution
Crashlytics (Firebase) | Crash reporting — transmits device state, stack traces and error logs when the app crashes | United States | Crash Report
Source: Passive OSINT assessment using publicly available data sources — assessed April 2026.
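The tracker table feeds two of the findings that follow: whether each embedded SDK is named in the privacy policy (APP 1, APP 6) and whether the countries those SDKs send data to are disclosed as overseas recipients (APP 8). The script below is an added example of that cross-check and is not the assessor's tooling. The tracker inventory mirrors the report's table, but SAMPLE_POLICY is constructed text written to exercise the check and is not the developer's actual privacy policy; the alias lists are assumptions about how a policy might otherwise name each SDK.

```python
"""Check a tracker inventory against a privacy policy for named disclosure and
cross-border transfer statements. Added example; the policy text below is constructed
for the check and is not the developer's actual policy."""
import re
from dataclasses import dataclass

HOME_JURISDICTION = "Australia"


@dataclass(frozen=True)
class Tracker:
    name: str
    category: str                  # Ad Tech / Analytics / Attribution / Crash Report
    destinations: tuple[str, ...]  # countries the SDK was observed sending data to
    aliases: tuple[str, ...] = ()  # assumed alternative names a policy might use


# Inventory taken from the report's tracker table; aliases are assumptions.
TRACKERS = [
    Tracker("Meta Audience Network", "Ad Tech", ("United States",), ("Facebook Audience Network",)),
    Tracker("Google AdMob", "Ad Tech", ("United States",), ("AdMob",)),
    Tracker("Firebase Analytics", "Analytics", ("United States",), ("Google Analytics for Firebase",)),
    Tracker("Amplitude", "Analytics", ("United States",)),
    Tracker("Appsflyer", "Attribution", ("United States", "Singapore")),
    Tracker("Crashlytics", "Crash Report", ("United States",), ("Firebase Crashlytics",)),
]

# Constructed policy text: names one SDK, claims local storage, says nothing about
# overseas transfer. It deliberately differs from the report (where no tracker is named)
# so that both outcomes of the check are visible.
SAMPLE_POLICY = """
ConnectField Pro collects job records and photos you capture. We use Crashlytics to
collect crash reports so we can improve stability. Your data is stored on servers
located in Australia.
"""

# Wording that would signal an attempt at APP 8 cross-border disclosure.
OVERSEAS_WORDING = re.compile(
    r"\b(overseas|offshore|outside australia|cross[- ]border)\b", re.IGNORECASE
)


def mentions(term: str, text: str) -> bool:
    """Whole-phrase, case-insensitive match: 'Firebase' alone does not count as naming
    'Firebase Analytics', so a generic mention is not credited as disclosure."""
    return re.search(r"\b" + re.escape(term) + r"\b", text, re.IGNORECASE) is not None


def tracker_disclosed(tracker: Tracker, policy: str) -> bool:
    return any(mentions(term, policy) for term in (tracker.name, *tracker.aliases))


def assess(trackers: list[Tracker], policy: str) -> dict:
    """Return the disclosure gaps an assessor would carry into the findings."""
    overseas = sorted({c for t in trackers for c in t.destinations if c != HOME_JURISDICTION})
    return {
        "undisclosed_trackers": [t.name for t in trackers if not tracker_disclosed(t, policy)],
        "overseas_destinations": overseas,
        "undisclosed_destinations": [c for c in overseas if not mentions(c, policy)],
        "overseas_disclosure_statement": OVERSEAS_WORDING.search(policy) is not None,
        "advertising_sdks": [t.name for t in trackers if t.category == "Ad Tech"],
    }


if __name__ == "__main__":
    for key, value in assess(TRACKERS, SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

A named mention is a necessary condition only: a policy that names Crashlytics still has to state the purpose and the recipient's location for APP 6 and APP 8, so a tracker absent from undisclosed_trackers is not thereby cleared. The country check is likewise a first pass; an assessor still reads the policy for any general overseas-transfer clause, which OVERSEAS_WORDING only approximates.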
05 Key Findings
Finding (Critical): Two advertising SDKs embedded in a B2B field service app with no commercial justification or disclosure
Meta Audience Network and Google AdMob — both advertising SDKs — are embedded in an application whose stated purpose is B2B field service management. These SDKs transmit device identifiers, location data, and usage patterns to Meta and Google advertising infrastructure. Client personal information captured through the app (customer names, addresses, job records) may be accessible to these SDKs. Neither is disclosed in the privacy policy. There is no commercial justification for advertising SDKs in an enterprise field service application.
APP Obligation: APP 1 (privacy policy), APP 5 (notification), APP 6 (use and disclosure)
Likelihood: Confirmed
Finding (Critical): Cross-border data transfer to USA and Singapore not disclosed — APP 8 breach
AppCensus network analysis confirmed data transmission to servers in the United States (Meta, Google, Amplitude, Appsflyer, Firebase) and Singapore (Appsflyer). The developer's privacy policy contains no mention of overseas data disclosure, no reference to APP 8 obligations, and no consent mechanism for cross-border transfer. Under the Privacy Act 1988 as amended December 2024, this represents a prima facie breach of APP 8.1. Client personal information captured through the app is being transferred offshore without appropriate disclosure or consent.
APP Obligation: APP 8 (cross-border disclosure of personal information)
Likelihood: Confirmed
Finding (Critical): RECORD_AUDIO permission — microphone access with no stated purpose
ConnectField Pro requests RECORD_AUDIO (microphone access) on Android. The application's stated purpose — job logging, signatures, and photo capture — has no requirement for microphone access. The permission is not explained in the Data Safety section of the Google Play listing, not mentioned in the privacy policy, and no in-app notification is provided to users before the permission is requested. This represents a collection of personal information (audio data) beyond what is necessary for the app's function, in potential breach of APP 3.3.
APP Obligation: APP 3 (collection of solicited personal information), APP 5 (notification)
Likelihood: Confirmed
Finding (High): Developer entity unverifiable via ASIC — registered address does not match corporate records
ASIC Connect search for "Apex Mobile Solutions Pty Ltd" returned a registered entity with an address in Queensland. The developer's Play Store listing and website both show a Sydney address. A cross-reference of the ABN against the registered entity name returns no match. The developer's website domain was registered through a privacy-protected registrar in 2023 with no publicly identifiable owner. The corporate identity of the developer cannot be independently verified through Australian public records.
APP Obligation: APP 1 (open and transparent management of personal information)
Likelihood: Confirmed
Finding (High): Background location access enabled — tracking continues when app is not in use
The ACCESS_BACKGROUND_LOCATION permission allows the app to access precise device location even when the user is not actively using the application. For field technicians, this means the application may be tracking their location continuously throughout their working day and potentially outside working hours. This data is not accounted for in the privacy policy and is transmitted to third-party SDK destinations including Google Firebase.
APP Obligation: APP 3 (collection of solicited personal information), APP 6 (use and disclosure)
Finding (High): Known CVE identified in Firebase SDK version — CVSS 7.4
NVD cross-reference of the Firebase Analytics SDK version embedded in ConnectField Pro (confirmed via Exodus Privacy) identified a known CVE (CVSS 7.4 — High). The vulnerability permits unauthorised access to locally cached session tokens under specific network conditions. A patch was issued by Google in February 2026. The version embedded in the app predates the patch, indicating the app has not been updated to address this vulnerability.
Reference: the identified CVE — the National Vulnerability Database — CVSS 7.4 High
06 Australian Privacy Principles Compliance Assessment

Each of the 13 Australian Privacy Principles is assessed against the developer's publicly observable practices. Assessment is based on the published privacy policy, App Store disclosures, tracker analysis, and corporate intelligence gathered in this assessment.

APP | Principle | Status | Finding
APP 1 | Open & transparent management | FAIL | Privacy policy does not reflect actual data collection practices. Trackers, overseas transfers, and advertising SDKs are not disclosed.
APP 2 | Anonymity and pseudonymity | PARTIAL | App does not offer an anonymised use option. Account required for all functions.
APP 3 | Collection of solicited personal information | FAIL | Audio and background location collected beyond what is necessary for the stated purpose. Excessive collection.
APP 4 | Dealing with unsolicited personal information | PASS | No evidence of unsolicited collection beyond declared channels.
APP 5 | Notification of collection | FAIL | No in-app notification provided before permissions are requested. Privacy policy does not describe all collection categories.
APP 6 | Use or disclosure of personal information | FAIL | Data shared with advertising SDKs and analytics platforms not disclosed. Purpose of advertising SDK use not stated.
APP 7 | Direct marketing | PARTIAL | No direct marketing evident within the app. However, advertising SDK use may facilitate profiling for third-party marketing purposes.
APP 8 | Cross-border disclosure | FAIL | Data confirmed transferred to USA and Singapore. No disclosure in privacy policy. No consent obtained. Prima facie APP 8 breach.
APP 9 | Government related identifiers | PASS | No government identifiers identified in scope of this assessment.
APP 10 | Quality of personal information | PARTIAL | No data correction mechanism identified in the app or privacy policy.
APP 11 | Security of personal information | PARTIAL | Known CVE in embedded SDK. Background location data transmitted to multiple third parties. Adequacy of security measures cannot be independently verified.
APP 12 | Access to personal information | FAIL | Privacy policy contains no access request mechanism. No contact details for privacy enquiries provided.
APP 13 | Correction of personal information | FAIL | No correction mechanism identified. No process described in privacy policy.
Assessment conducted against Australian Privacy Act 1988 and the Australian Privacy Principles. This assessment is based on publicly observable practices only and does not constitute legal advice.
07 Remediation Roadmap
# | Action | Timeline | Owner
1 | Suspend organisational use of ConnectField Pro pending vendor response. Notify all 47 field technicians. Evaluate alternative field service applications. Do not process client personal information through this app until Critical findings are addressed. | Immediate — within 48 hours | IT / Operations
2 | Formal written request to developer for privacy disclosure. Request written explanation of: advertising SDK purpose, complete list of all third-party data recipients, cross-border transfer locations, and updated privacy policy reflecting actual practices. Set 14-day response deadline. | Within 5 business days | Legal / Privacy Officer
3 | Board notification and risk acceptance decision. Present findings to the Board. The volume of client personal information processed through the app and the confirmed APP 8 breach constitute a material privacy risk that requires Board-level awareness and a documented risk acceptance or remediation decision. | Within 10 business days | CEO / Board
4 | Assess whether OAIC notification is required. Engage legal counsel to assess whether the confirmed APP 8 breach and potentially excessive data collection constitute an eligible data breach under the Notifiable Data Breaches scheme requiring OAIC notification. | Within 14 business days | Legal / Privacy Officer
5 | Establish a formal mobile app approval process. Implement a documented process requiring privacy assessment before any app is approved for organisational use. This assessment framework should be applied to all currently approved apps within 90 days. | Within 30 days | IT / Privacy Officer
6 | Update organisational privacy policy. Review and update the organisation's own privacy policy to reflect that a third-party app was in use that transferred data overseas. Consider whether a privacy collection notice should be issued to affected clients. | Within 30 days | Legal / Marketing
Ready to assess your organisation's apps? This is what a BlackFlag Advisory Passive Mobile App GRC Assessment delivers. No systems accessed. Board-ready report. Fixed price.