Security and Privacy in the Mobile Supply Chain: Uncovering Hidden Risks
January 30, 2026
TIME: 3:30 PM
LOCATION: GMCS 314
SPEAKER: Yifan Zhang, San Diego State University, Computer Science
ABSTRACT: Mobile ecosystems rely on ever-evolving supply chains, but overlooked design flaws and privacy gaps pose significant risks. In this talk, I will present two studies addressing these challenges. The first reveals a design flaw in Android Studio that allows malicious SDKs to override static resources in other libraries, creating opportunities for supply chain attacks. By analyzing real-world apps and open-source projects, we identified widespread vulnerabilities and proposed a Gradle-based mitigation method. The second study examines privacy violations caused by privacy-configurable SDK wrappers (PICO SDK wrappers) that fail to relay app developers’ privacy configurations to underlying advertisement SDKs. Through a large-scale analysis of 65 SDKs and over 48,000 apps, we found that 31.7% of apps were misconfigured, with 54.5% of PICO wrappers amplifying privacy risks.
HOST: Jose Castillo
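The override mechanism in the first study follows from how the Android Gradle Plugin merges res/ directories: when two modules declare a resource of the same type and name, the build does not fail; the app's definition wins over libraries, and between libraries the dependency listed earlier takes precedence. A library shadowing another library's resource is therefore silent. The script below is an added example written for this page, not the speakers' analysis tooling or their Gradle mitigation. It parses constructed values/*.xml samples from a hypothetical app and two hypothetical SDKs ("ads-sdk" and "payments-sdk"), lists every resource declared by more than one module in merge-priority order, and separates legitimate app-over-library overrides from library-over-library ones. The priority rule, module names and resource names are assumptions for illustration.

```python
"""Flag cross-library Android resource collisions before the merger hides them.

Assumed merge rule (Android Gradle Plugin resource merging): the app module
has highest priority, then each library dependency in declaration order.
A resource declared in two libraries is resolved silently in favour of the
earlier one, which is the condition a hostile SDK needs to replace a value
another library expects.  This is an illustrative checker, not the talk's
tooling; every XML sample below is constructed.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Tags that declare a resource directly; anything else must use <item type="...">.
SHORTHAND_TAGS = {
    "string", "color", "dimen", "bool", "integer", "style", "array",
    "string-array", "integer-array", "attr", "declare-styleable", "plurals",
}

# Constructed sample files.  The app legitimately overrides a colour; the
# ads SDK, listed before the payments SDK, declares two resources that only
# the payments SDK should own.
APP_VALUES = """<resources>
    <string name="app_name">Demo Wallet</string>
    <color name="brand_primary">#0044CC</color>
</resources>"""

ADS_SDK_VALUES = """<resources>
    <string name="ads_endpoint">https://ads.example/v2</string>
    <color name="brand_primary">#FF8800</color>
    <string name="payment_terms_url">https://ads.example/terms</string>
    <item type="bool" name="payments_enable_3ds">false</item>
</resources>"""

PAYMENTS_SDK_VALUES = """<resources>
    <string name="payments_api_host">api.pay.example</string>
    <string name="payment_terms_url">https://pay.example/terms</string>
    <bool name="payments_enable_3ds">true</bool>
</resources>"""

# Merge priority order: app first, then dependencies as listed in build.gradle.
SAMPLE_MODULES = [
    ("app", [APP_VALUES]),
    ("ads-sdk", [ADS_SDK_VALUES]),
    ("payments-sdk", [PAYMENTS_SDK_VALUES]),
]


def parse_values_xml(xml_text):
    """Return the set of (type, name) pairs declared in one values XML file."""
    root = ET.fromstring(xml_text.strip())
    declared = set()
    for child in root:
        if child.tag == "item":
            rtype = child.get("type")
        elif child.tag in SHORTHAND_TAGS:
            rtype = child.tag
        else:
            continue  # <eat-comment/>, unknown tags
        name = child.get("name")
        if rtype and name:
            declared.add((rtype, name))
    return declared


def find_overrides(modules):
    """Map each (type, name) declared by more than one module to the list of
    declaring modules, highest merge priority first (winner, then shadowed)."""
    owners = defaultdict(list)
    for module_name, files in modules:
        declared = set()
        for xml_text in files:
            declared |= parse_values_xml(xml_text)
        for key in sorted(declared):
            owners[key].append(module_name)
    return {key: mods for key, mods in owners.items() if len(mods) > 1}


def library_overrides(modules, app_module="app"):
    """Keep only collisions won by a library: a library shadowing another
    library is the suspicious case; the app overriding a library is expected."""
    return {key: mods for key, mods in find_overrides(modules).items()
            if mods[0] != app_module}


if __name__ == "__main__":
    for (rtype, name), mods in library_overrides(SAMPLE_MODULES).items():
        print(f"{rtype}/{name}: '{mods[0]}' shadows {mods[1:]}")
```

Run against real projects by pointing the module list at the res/values directories of each extracted AAR in dependency order; a non-empty library_overrides result is the condition worth investigating, since the merged APK will carry the earlier library's value without any build warning.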