Modern consumer smart ecosystems—comprising mobile and IoT devices, platforms, apps, third-party SDKs, and cloud services—enable pervasive automation and personalization by continuously exchanging data across software using internet and local network interfaces. While this interconnection enhances usability and functionality, it also introduces systemic privacy risks that are difficult to audit and regulate.
These risks often stem from complex interactions across co-located programs, devices, and third-party infrastructure, which existing analysis tools and protection mechanisms such as sandboxing and permission mechanisms fail to capture because they are process-centric; i.e., they are focused on individual apps or devices and treat them as monolithic entities. As a result, they often miss privacy violations that exist beyond traditional program boundaries involving indirect flows, inter-app communication, and covert-channel inferences.
This dissertation challenges the current process-centric view of privacy analysis and controls. It argues that this perspective is insufficient for capturing emerging privacy risks in modern smart ecosystems, where interactions across complex components enable unvetted channels and data leakage. By adopting a holistic, ecosystem-level perspective, this work demonstrates that privacy violations often arise from such interconnectedness. To support this argument, the dissertation applies novel multi-vantage empirical methods—including static and dynamic app analysis, network traffic inspection, input fuzzing, and controlled execution environments.
By exposing these underexplored threats, this dissertation calls for a paradigm shift in how privacy is audited and controlled in smart ecosystems. It demonstrates that privacy should not be treated as a static property of individual apps or devices, but as a property inherent to dynamic interactions across apps, devices, SDKs, and cloud services.
Through three empirical analyses, this dissertation demonstrates how these privacy risks manifest in real-world smart ecosystems, including smart home devices and mobile apps. First, insecure local network communication in smart homes exposes sensitive data, enabling cross-device tracking and household fingerprinting. Second, mobile apps embed wireless-scanning SDKs that covertly infer location and bridge identifiers to persistently track users and bypass platform restrictions to access geolocation data. Third, health and fitness apps retrieve sensitive user data from aggregator platforms via OAuth-authorized APIs that bypass Android’s permission system; once data is returned to the app, embedded third-party SDKs may gain indirect access, exposing health information without platform visibility or user awareness.
These risks are not incidental, but structural—and are deeply rooted in platform design decisions, opaque third-party integrations, insufficient access controls, and enforcement mechanisms. Consequently, this dissertation provides groundbreaking empirical foundations for advancing platform accountability, informing regulatory oversight, and strengthening user-centric privacy protections in today’s interconnected digital environments. In response to the findings presented in this dissertation and our active responsible disclosure practices, major industry actors including Apple, Google, TP-Link, Philips, and over 20 other IoT vendors acknowledged these risks and have implemented privacy protections in their products. Notably, Philips overhauled its identifier scheme to prevent long-term device tracking, and Google introduced a dedicated local network permission in Android 16 to restrict unauthorized device discovery—changes that now benefit billions of Android users worldwide.
I am a final-year Ph.D. student at IMDEA Networks Institute in Madrid, Spain, advised by Dr. Narseo Vallina-Rodriguez since 2020. My research falls at the intersection of (1) hybrid black-box testing, (2) empirical analysis of covert privacy risks in smart home and mobile ecosystems, and (3) regulatory compliance. I have published in top peer-reviewed venues (e.g., PETS, IMC, USENIX Security), and Q1 journals (IEEE Transactions on Software Engineering). I got the Best Poster Award at the TMA’22 Ph.D. school for my novel approach to IoT testing.
During my Ph.D., I was a visiting researcher at Northeastern University’s Cybersecurity and Privacy Institute and previously held research positions at RIT (USA) and IIJ Innovation Institute (Japan). I was also a two-time Google Summer of Code student and spent a summer at Ben-Gurion University exploring machine learning for cybersecurity.
My research has influenced industry practices, regulatory bodies, and policy makers at scale. My work revealed covert tracking techniques in modern smart devices, prompting action from major companies—including Apple, Google, Philips, TP-Link, and over 20 other IoT vendors—to strengthen privacy protections across their ecosystems. For instance, Google removed dozens of privacy-invasive apps and SDKs from the Play Store, awarded me two bug bounties—one for exposing covert local network scans, and another for revealing canvas fingerprinting via embedded WebViews—and introduced a dedicated local network permission in Android 16 as a direct result of my work. My work has also influenced enforcement actions by regulators like the EDPS, AEPD, and CNIL, and has been featured in international media, including The Washington Post, Ars Technica, Wired, CBC News, and El País.
PhD Thesis Advisor: Dr. Narseo Vallina Rodríguez, IMDEA Networks Institute, Spain
University: Universidad Carlos III de Madrid
Doctoral Program: Telematic Engineering
PhD Committee members: