This topic describes the compliance requirements for integrating the Anti-Bot SDK into apps. To effectively protect user personal information and prevent infringement of end users' privacy rights due to third-party SDKs, configurations must comply with regulatory requirements when integrating the Web Application Firewall (WAF) Anti-Bot SDK into apps.
SDK privacy policy disclosure
App operators must transparently inform end users about the SDK's personal information processing methods, including the SDK name, business function, information processing objectives, types of personal information collected, and privacy policy references.
The app must have a dedicated privacy policy that details the use of the WAF SDK. For example, include the following in your app's Third-Party Sharing Checklist:
SDK name: Web Application Firewall App Protection SDK.
Business function: Provides anti-crawler protection and detects abnormal or at-risk devices.
Types of personal information collected: Specify based on the actual data collected.
Permission used: Specify based on the actual permissions configured.
Privacy policy link: Web Application Firewall App Protection SDK Privacy Policy.
SDK requests for system permissions
Permissions for Android apps
Permission | Required | Purpose | Application timing |
INTERNET | Yes | Accesses networks. If the permission is not allowed, the SDK does not work. | Before invoking the information collection interface |
ACCESS_WIFI_STATE | No (but recommended) | Obtains the WiFi status of a device. | Before invoking the information collection interface |
ACCESS_NETWORK_STATE | No (but recommended) | Obtains the network status of a device. | Before invoking the information collection interface |
BLUETOOTH_CONNECT | No (but recommended) | Obtains the Bluetooth MAC address. | Before invoking the information collection interface |
READ_PHONE_STATE | No (but recommended) | Obtains fields related to the device ID. | Before invoking the information collection interface |
WRITE_EXTERNAL_STORAGE, READ_EXTERNAL_STORAGE | No (but recommended) | Caches configuration files on the local disk. | Before invoking the information collection interface |
ACCESS_FINE_LOCATION, ACCESS_COARSE_LOCATION | No (but recommended) | Obtains location information. | Before invoking the information collection interface |
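A build-time check for the disclosure requirement above, added here as an example (it is not part of the SDK or its documentation): it parses an AndroidManifest.xml, picks out the permissions from the table, and compares them with the permissions listed for the SDK in the app's privacy policy. The sample manifest, the disclosed list, and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Permissions from the Android table above; True marks the one the SDK requires.
SDK_PERMISSIONS = {
    "INTERNET": True, "ACCESS_WIFI_STATE": False, "ACCESS_NETWORK_STATE": False,
    "BLUETOOTH_CONNECT": False, "READ_PHONE_STATE": False, "WRITE_EXTERNAL_STORAGE": False,
    "READ_EXTERNAL_STORAGE": False, "ACCESS_FINE_LOCATION": False, "ACCESS_COARSE_LOCATION": False,
}

# Constructed sample manifest (not from a real app).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

# Constructed sample: permissions the privacy policy lists for this SDK.
SAMPLE_DISCLOSED = {"INTERNET", "ACCESS_WIFI_STATE", "BLUETOOTH_CONNECT"}

def declared_sdk_permissions(manifest_xml):
    """Return the SDK-related permissions the manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name", "")
            # Ignore custom permissions and anything outside the SDK table.
            if name.startswith(PREFIX) and name[len(PREFIX):] in SDK_PERMISSIONS:
                found.add(name[len(PREFIX):])
    return found

def audit(manifest_xml, disclosed):
    """Compare declared SDK permissions with the privacy policy's list."""
    declared = declared_sdk_permissions(manifest_xml)
    listed = set(disclosed) & set(SDK_PERMISSIONS)
    return {
        "missing_required": sorted(p for p, req in SDK_PERMISSIONS.items()
                                   if req and p not in declared),
        "undisclosed": sorted(declared - listed),       # declared, not in the policy
        "stale_disclosure": sorted(listed - declared),  # in the policy, not declared
    }

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_MANIFEST, SAMPLE_DISCLOSED).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Run against the merged manifest of the release build, since permissions contributed by libraries only appear after manifest merging.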
Permissions for iOS apps
Permission | Required | Purpose | Application timing |
NSLocalNetworkUsageDescription | No (but recommended) | Obtains the connectivity of devices within a local area network (LAN) to discover risks, such as devices in modem pools and multi-tasking software. | Before invoking the information collection interface |
NSUserTrackingUsageDescription | No | Obtains the identifier for advertisers (IDFA) information to enhance the stability of the device ID. | Before invoking the information collection interface |
Optional personal information configuration
Developers can refer to Android access or iOS access to configure the collection of optional personal information. Because omitting certain information can impact related functions, you can make corresponding configurations based on actual business requirements. The methods for selecting personal information collection on iOS and Android apps are as follows:
Configurations for Android apps
You can configure the scope of personal information collection by adjusting the type parameter in the initialization information collection interface. Collection is divided into three modes: full collection, custom privacy collection, and non-privacy collection.
TT_DEFAULT: Indicates full data collection.
TT_NO_X | TT_NO_Y: Indicates neither X nor Y is collected, representing custom privacy collection.
TT_NOT_GRANTED: Indicates no privacy data is collected.
Personal information field | Description | CollectType configuration field |
Basic device information, device identity information, device network information, device location information, device log information, etc. | Full data collection | TT_DEFAULT |
Device name (Build.DEVICE), Android version number (Build.VERSION#RELEASE), screen resolution. | No basic device data collection | TT_NO_BASIC_DATA |
IMEI, IMSI, SimSerial, BuildSerial (SN), MAC address | No device identity data collection | TT_NO_IDENTIFY_DATA |
OAID, Google advertising ID, Android ID | No unique identifier data collection | TT_NO_UNIQUE_DATA |
Cyber underground economy chain app list, LAN IP, DNS IP, connected WiFi information (SSID, BSSID), nearby WiFi list, location information, sensor information | No extended device data collection | TT_NO_EXTRA_DATA |
Other data except all privacy fields | No privacy data collection | TT_NOT_GRANTED |
You can select the scope of personal information collection by adjusting the Type in the initialization information collection interface. The following is a code example:
// The three init calls below are alternatives; keep only the one that matches your collection mode.
// Option 1: full collection
int ret = TigerTallyAPI.init(this.getApplicationContext(), appkey, TigerTallyAPI.TT_DEFAULT, options, null);
// Option 2: custom privacy collection; combine several privacy flags with "|"
int privacyFlag = TigerTallyAPI.TT_NO_BASIC_DATA | TigerTallyAPI.TT_NO_UNIQUE_DATA;
int ret = TigerTallyAPI.init(this.getApplicationContext(), appkey, privacyFlag, options, null);
// Option 3: do not collect privacy fields
int ret = TigerTallyAPI.init(this.getApplicationContext(), appkey, TigerTallyAPI.TT_NOT_GRANTED, options, null);
// Log the return value of the init call
Log.d("AliSDK", "ret:" + ret);
Configurations for iOS apps
Configure whether to collect IDFA fields by selecting different Framework SDK files.
Personal information field | Description |
IDFA | Identifier for advertisers |
The iOS SDK is available in two versions: one with IDFA (identifier for advertisers) and one without. The corresponding SDK files are as follows:
AliTigerTally_IDFA.framework
AliTigerTally_NOIDFA.framework
When your SDK file is AliTigerTally_IDFA.framework, it collects the iOS privacy field IDFA. When the SDK file is AliTigerTally_NOIDFA.framework, it does not collect the iOS privacy field IDFA.
Configure the scope of optional personal information field collection by adjusting the type parameter in the initialization information collection interface. Collection is divided into three modes: full collection, custom privacy collection, and non-privacy collection.
TT_DEFAULT: Indicates full data collection.
TT_NO_X | TT_NO_Y: Indicates neither X nor Y is collected, representing custom privacy collection.
TT_NOT_GRANTED: Indicates no privacy data is collected.
Personal information field | Description | collectType configuration |
Basic device information, device identity information, device network information, device log information, etc. | Full data | TT_DEFAULT |
Device name, system version number, screen resolution | Basic device data | TT_NO_BASIC_DATA |
IDFV, IDFA | Unique identifier data | TT_NO_UNIQUE_DATA |
Connected WiFi information (SSID, BSSID), nearby WiFi list | Extended device data | TT_NO_EXTRA_DATA |
Other data except all privacy fields | No privacy data collection | TT_NOT_GRANTED |
Control the scope of personal information collection by adjusting the Type parameter in the initialization information collection interface. The following is a code example:
// The three init calls below are alternatives; keep only the one that matches your collection mode.
// Option 1: full collection
int ret = [[AliTigerTally sharedInstance] init:appkey collectType:TT_DEFAULT options:options listener:nil];
// Option 2: custom privacy collection; combine several privacy flags with "|"
TTCollectType collectPrivacy = TT_NO_BASIC_DATA | TT_NO_EXTRA_DATA;
int ret = [[AliTigerTally sharedInstance] init:appkey collectType:collectPrivacy options:options listener:nil];
// Option 3: do not collect privacy fields
int ret = [[AliTigerTally sharedInstance] init:appkey collectType:TT_NOT_GRANTED options:options listener:nil];
SDK initialization and business function call timing
When users first launch the app, obtain their consent to the privacy policy before calling related APIs. Additionally, only proceed with these actions when users actively engage with the app's features. To prevent excessive or premature data collection, avoid collecting device information immediately after the privacy policy is accepted unless absolutely necessary. For documentation on configuring the information collection interface, see the access manual: for Android, view the SDK initialization section in the document guide; for iOS, view the SDK initialization section in the guide.
References
Web Application Firewall APP Protection SDK Privacy Policy: Web Application Firewall APP Protection SDK Privacy Policy
Android Access Manual: Integrate the Anti-Bot SDK into Android apps
iOS Access Manual: Integrate the Anti-Bot SDK into iOS apps
HarmonyOS Access Manual: Integrate the Anti-Bot SDK into Harmony apps