Add Google Data Safety and Privacy Policy retrieval support

[Copilot]

Adds tooling and techniques for retrieving Google Play Data Safety declarations and app privacy policies for Android security testing.

Changes

Tool: MASTG-TOOL-0145 (google-play-scraper)

• Documents Node.js library for scraping Google Play Store metadata
• Provides programmatic and CLI usage patterns for extracting Data Safety sections and privacy policy URLs

Technique: MASTG-TECH-0142 (Retrieving Google Data Safety Section)

• Browser method via https://play.google.com/store/apps/datasafety?id=<package-id>
• Automated retrieval using google-play-scraper
• Explains Data Safety categories per Google's specification: data types, security practices, usage/handling
• Validation guidance for comparing declared vs actual app behavior

Technique: MASTG-TECH-0143 (Retrieving App Privacy Policy)

• Covers Google Play apps (browser, google-play-scraper) and non-Play apps (in-app links, apktool extraction, developer websites)
• Guidance on interpreting privacy policies for security assessment
• References GDPR/CCPA requirements

Example Usage

const gplay = require('google-play-scraper');

// Get Data Safety section
gplay.datasafety({appId: 'com.example.app'})
  .then(data => console.log(JSON.stringify(data, null, 2)));

// Get privacy policy URL
gplay.app({appId: 'com.example.app'})
  .then(data => console.log('Privacy Policy:', data.privacyPolicy));

These techniques enable testers to identify discrepancies between declared and actual data handling practices during mobile app security assessments.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Add support for Google Data Safety section and privacy policy</issue_title>
<issue_description>- Add a tool https://github.com/facundoolano/google-play-scraper

• Add a technique to retrieve the Google Data Safety section for an app published to Google Play.

  • Using the tool from above or just by going to the URL https://play.google.com/store/apps/datasafety?id=com.google.android.youtube
  • Explain the sections according to https://support.google.com/googleplay/android-developer/answer/10787469?hl=en

• Add a technique to retrieve the app privacy policy whether the app is published on Google play or not.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Add support for Google Data Safety section and privacy policy #3596

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[cpholguera]

It is not possible to distinguish between what is being declared by SDKs and the main app. However, the developer of the main app is held responsible as soon as they integrate an SDK.

[anhd97088-sudo]

Data confirmed

[Diolor]

Not all sections from that article are here. E.g. The "Data Purposes" is missing.

Why is "data type" first? Is it arbitrary, or is there a communication goal?

[Diolor]

Do we discuss those anywhere in our i.e. KNOW or generic knowledge to link internally first?