Mobile apps frequently use Bluetooth Low Energy (BLE) and WiFi scanning permissions to discover nearby devices like peripherals and connect to WiFi Access Points (APs). However, wireless interfaces also serve as a covert proxy for geolocation data, enabling continuous user tracking and profiling. This includes technologies like BLE beacons, which are BLE devices broadcasting unique identifiers to determine devices’ indoor physical locations; such beacons are commonly deployed in shopping centres. Despite the widespread use of wireless scanning APIs and their potential for privacy abuse, the interplay between commercial mobile SDKs with wireless sensing and beaconing technologies remains largely unexplored. In this talk, we present the first systematic analysis of 52 wireless-scanning SDKs, revealing their data collection practices and associated privacy risks. We introduce a comprehensive analysis pipeline that allows us to detect beacon scanning capabilities, inject wireless events to trigger app behaviors, and monitor runtime execution on instrumented devices. Our findings show that 86% of apps integrating these SDKs collect at least one sensitive data type, including device and user identifiers such as AAID, email, as well as GPS coordinates, WiFi, and Bluetooth scan results. We uncover widespread SDK-to-SDK data sharing and evidence of ID bridging, where persistent and resettable identifiers are shared and synchronized within SDKs embedded in applications to potentially construct detailed mobility profiles, compromising user anonymity and enabling long-term tracking. We provide evidence of key actors engaging in these practices and conclude by discussing potential mitigation strategies such as stronger SDK sandboxing, stricter enforcement of platform policies, and improved transparency mechanisms to limit unauthorized tracking.
I am a final year Ph.D. student at IMDEA Networks Institute in Madrid, Spain, advised by Dr. Narseo Vallina-Rodriguez since 2020. My research falls at the intersection of (1) hybrid black-box testing, (2) empirical analysis of covert privacy risks in smart home and mobile ecosystems, and (3) regulatory compliance. I have published in top peer-reviewed venues (e.g., PETS, IMC, USENIX Security), and Q1 journals (IEEE Transactions on Software Engineering). I got the Best Poster Award at the TMA’22 Ph.D. school for my novel approach to IoT testing.
During my Ph.D., I was a visiting researcher at Northeastern University’s Cybersecurity and Privacy Institute and previously held research positions at RIT (USA) and IIJ Innovation Institute (Japan). I was also a two-time Google Summer of Code student and spent a summer at Ben-Gurion University exploring machine learning for cybersecurity.
My research has influenced industry practices, regulatory bodies, and policy makers at scale. My work revealed covert tracking techniques in modern smart devices, prompting action from major companies—including Apple, Google, Philips, TP-Link, and over 20 other IoT vendors—to strengthen privacy protections across their ecosystems. For instance, Google removed dozens of privacy-invasive apps and SDKs from the Play Store, awarded me two bug bounties—one for exposing covert local network scans, and another for revealing canvas fingerprinting via embedded WebViews—and introduced a dedicated local network permission in Android 16 as a direct result of my work. My work has also influenced enforcement actions by regulators like the EDPS, AEPD, and CNIL, and has been featured in international media, including The Washington Post, Ars Technica, Wired, CBC News, and El País.
Este evento se impartirá en inglés