The AEPD awards its third consecutive data protection prize to IMDEA Networks researchers
The winning article is "50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System"
28 January 2022
On January 28, the Spanish Data Protection Agency (AEPD) awarded, for the third consecutive time, the “Emilio Aced Research and Personal Data Protection Award” to a study conducted by IMDEA Networks’ Internet Analytics Group (IAG), led by Dr. Narseo Vallina-Rodriguez.
The award-winning article is “50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System”, which was presented at the prestigious international conference USENIX Security 2019. At that time, the scientific community already recognized its value and impact by giving it the Distinguished Paper Award.
This pioneering research was the result of a collaboration between researchers from IMDEA Networks, the University of Calgary (Canada), the International Computer Science Institute at UC Berkeley (USA) and the cybersecurity start-up AppCensus (USA). The study demonstrated for the first time the presence of vulnerabilities in the Android operating system that allowed thousands of apps to collect sensitive information from millions of users, such as their geolocation and unique identifiers, without their knowledge and consent, through covert channels and side-channel attacks. “If we think of access to personal data as entering a home, a side-channel consists of finding a method of access that is not monitored (such as forcing a window instead of entering through the door) while a covert-channel consists of sharing information through an alternative channel with the help of another entity (as if a person opens the back door to gain access to the inside of the house),” explains Álvaro Feal, a PhD student at IMDEA Networks and co-author of the paper.
The social and industrial impact of the study has been immense. Following the responsible disclosure of the vulnerabilities, Google included in Android 10 several changes to the permissions system to block the side-channel and covert-channel attacks discovered in the study. However, users whose Android devices do not receive operating system updates may still be vulnerable to these attacks.
Three years after its publication, the impact of the article is still remarkable. In fact, several US congressmen recently cited the article in a letter to the US regulator, the Federal Trade Commission, urging it to take action to control intrusive practices in the digital industry.
“As scientists, it is very gratifying for us to see our efforts having such a direct and tangible social impact. It is a great honor to see regulatory agents around the world using our research to legislate and defend our fundamental and digital rights in the face of such a powerful and complex digital industry,” says Narseo Vallina-Rodriguez, co-author of the study. This new award from the AEPD is a recognition that ratifies the value of the work carried out by IMDEA Networks researchers in the field of security and privacy.