Android
App Quality Report
Powered by Testers.AI

Quality Score: B-82%
Pages: 7
Issues: 116
Avg Confidence: 8.0
Avg Priority: 7.8
47 Critical, 48 High, 21 Medium

Testers.AI AI Analysis

Android was tested and 116 issues were detected across the site. The most critical finding was: Unconsented third-party tracking via Google Tag Manager on android.com. Issues span the Security, Performance, A11y, and Other categories. Persona feedback rated Visual highest (7/10) and Accessibility lowest (5/10).

[Chart: Qualitative Quality (Android vs. Category Avg vs. Best in Category)]
Issue Count by Type
Content: 34
UX: 20
A11y: 11
Security: 10
Pages Tested · 7 screenshots
Detected Issues · 116 total
1. Unconsented third-party tracking via Google Tag Manager on android.com
CRIT · P9 · Conf 9/10 · Other
Prompt to Fix
Prompt for AI coding assistant: Implement consent-gated loading for Google Tag Manager on android.com. Do not load https://www.googletagmanager.com/gtm.js or https://www.gstatic.com/marketing-cms/reviewed-scripts/gtm/gtm.js until the CMP indicates that the user has granted tracking consent. Use a CMP state (e.g., consentGiven = true/false) to conditionally inject the GTM script tag and to initialize GTM with consent mode (gtag('consent', 'update', { 'analytics_storage': 'granted', 'ad_storage': 'granted' }) when consent is given; keep it as 'denied' otherwise). Ensure that if consent is not granted, no GTM dataLayer is pushed and no tracking pixel/cookie data is sent. Update the HTML/JS to listen for CMP events and only then load GTM. Add regression tests to confirm: (1) GTM script is not requested before consent, (2) once consent is granted, GTM loads and functions with consent mode, (3) no PII is transmitted via GTM. Include a brief integration note for privacy policy and a quick verification script for the browser console.
Why it's a bug
The page loads Google Tag Manager and related third-party tracking resources (e.g., GTM scripts) without clear evidence of a consent gating mechanism. This enables cross-site tracking and data collection by third parties before user consent, potentially exposing behavioral data and identifiers to ad/analytics networks.
Why it might not be a bug
If a robust consent management platform (CMP) is fully integrated and GTM is loaded only after explicit user consent, this would not be a bug. The presence of a cookie notification bar suggests a consent flow may exist, but the captured activity does not demonstrate that consent was granted before GTM loads.
Suggested Fix
Gate all third-party tracking scripts behind explicit user consent. Do not load GTM (https://www.googletagmanager.com/gtm.js?id=GTM-KZDPH9F or https://www.gstatic.com/marketing-cms/reviewed-scripts/gtm/gtm.js?id=GTM-KZDPH9F&cookieCategory=2A) until the user has consented to tracking. Implement GTM Consent Mode or equivalent, and ensure no tracking cookies or data are sent prior to consent. Tie loading of GTM to the CMP's consent state and pass consent state to GTM (e.g., analytics_storage, ad_storage). Add tests to verify no GTM network calls occur before consent is granted.
Why Fix
Protect user privacy, comply with privacy regulations (GDPR/CCPA), and reduce cross-site tracking risk. This helps maintain user trust and reduces potential legal/regulatory exposure.
Route To
Frontend/Privacy Engineer
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Network: https://www.gstatic.com/marketing-cms/reviewed-scripts/gtm/gtm.js?id=GTM-KZDPH9F&cookieCategory=2A
2. PII-like unique user identifier exposed in analytics request URL (auid parameter in collect endpoint)
CRIT · P9 · Conf 9/10 · Other
Prompt to Fix
Remove the auid parameter from all analytics/collect endpoints. If a user identifier is required, replace with a non-identifying, hashed session ID and ensure it is never transmitted in URL query strings. Enforce data minimization and consider server-side anonymization for analytics data.
Why it's a bug
The analytics collection request includes a parameter auid=692263063.1774510068 in the query string. This appears to be a unique user identifier exposed to a third-party analytics endpoint, which can facilitate cross-session/user-level tracking and correlation across sites/services. This constitutes PII-like data in transit and is not minimized or obfuscated.
Why it might not be a bug
Analytics pipelines sometimes transmit identifiers for measurement and troubleshooting. If auid is strictly pseudonymous/hashed and not linked to real-world identity, it may be considered acceptable, but the raw value shown is a memorable identifier exposed in URL parameters and could be logged by intermediaries.
Suggested Fix
Remove or replace the auid parameter with a non-identifiable, hashed, or fully anonymized session identifier. Treat any user identifiers as sensitive; ensure they are never exposed in URL query strings. Prefer server-side aggregation or consented, opt-in client-side IDs with minimal leakage.
Why Fix
Minimizes exposure of user-level identifiers to third parties, reduces risk of cross-site correlation, and aligns with data minimization principles and privacy regulations.
Route To
Privacy Engineer / Analytics Engineer
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Network: https://www.google.com/ccm/collect?frm=0&ae=g&en=page_view&dl=https%3A%2F%2Fwww.android.com%2Fwhy-android%2F&auid=692263063.1774510068&navt=n&npa=0&ep.ads_data_redaction=0
3. Unconsented Google Analytics data collection (PII/Tracking)
CRIT · P9 · Conf 9/10 · Other
Prompt to Fix
In the app's analytics integration, add a consent gate before any analytics data is sent. Implement a feature flag or cookie-based consent check; if consent is not given, do not call analytics.google.com/g/collect. Remove or redact personally identifiable query parameters from requests (avoid exposing dl/dt when not strictly needed), enable IP anonymization (anonymize_ip: true), and ensure user identifiers (cid, auid, ecid) are not transmitted unless consent is explicitly granted. Document data-sharing practices and ensure GA4 configuration respects user privacy choices.
Why it's a bug
The page makes a POST request to https://analytics.google.com/g/collect with detailed page context (dl, dt), client identifiers (cid, auid, ecid), and numerous parameters that can be used to track a user across sessions and sites. There is no clear evidence of an explicit user consent flow or gating around this data submission in the observed activity, raising risks of unconsented data collection and cross-site tracking.
Why it might not be a bug
If a user consent flow exists elsewhere in the app and authorizes analytics usage, this data collection could be legitimate. However, the provided trace does not show any consent indicator prior to the analytics request, making it a high-risk privacy scenario.
Suggested Fix
Implement consent-gated analytics: require explicit user consent before sending any analytics data. Gate the analytics.post (g/collect) behind the consent state, and only send non-identifiable analytics data by default. Remove or redact PII-like fields (avoid including dl/dt if they can reveal user context), enable IP anonymization (anonymize_ip), disable collection of user_id-like fields (avoid cid being tied to identifiable data without consent), and consider using privacy-preserving analytics or server-side measurement with strict data minimization.
Why Fix
Fixing this reduces the risk of unconsented user tracking, aligns with data minimization principles, and mitigates regulatory and trust concerns related to third-party data sharing.
Route To
Privacy Engineer / Frontend Engineer (Web/Mobile Web Eng)
Tester
Pete · Privacy Networking Analyzer
Technical Evidence
Console: ⚠️ POTENTIAL ISSUE: Tracking request detected
Network: POST https://analytics.google.com/g/collect?v=2&tid=G-B3NBHZEJE6&gtm=45je63o1v868868723z8810972521za20gzb810972521zd810972521&_p=1774510102420&gcs=G111&gcd=13r3r3l3l5l1&npa=0&dma=0&cid=575919427.1774510068&ecid=576160931&ul=en-us&sr=800x600&ir=1&uaa=&uab=&uafvl=&uamb=0&uam=&uap=&uapv=&uaw=0&are=1&frm=0&pscdl=noapi&_ng=1&ec_mode=a&_eu=EAAAAGQ&_s=1&tag_exp=103116026~103200004~115938466~115938468~116024733~116133312~116991817~117484252~118199987&dl=https%3A%2F%2Fwww.android.com%2Fai%2F&sid=1774510068&sct=1&seg=1&dt=AI%20on%20Android%3A%20Features%2C%20Apps%20%26%20Your%20AI%20Assistant%20%7C%20Android&en=page_view&ep.is_eea=false&ep.page_locale=en_us&ep.container_id=GTM-KZDPH9F&ep.container_version=191&ep.percent_scrolled=0&ep.scroll_increment=0&ep.scroll_instance=1&_et=1&tfd=450
43 more issues detected:
Cross-origin postMessage targetOrigin mismatch may leak data
AI/LLM endpoint calls happening on page load
Failed to load resource due to ERR_NAME_NOT_RESOLVED
and 40 more...
You're viewing the top 3 issues for Android.