To address this problem, IMDEA Networks, in partnership with UC3M, has developed a hybrid analysis technique that combines static and dynamic analysis channels capable of monitoring and analyzing application behavior in real time, identifying potential privacy risks, such as leaks of personally identifiable information (PII).
“Furthermore, the project has explored the privacy expectations of citizens across Europe and different age groups, developed novel Natural Language Processing (NLP) tools to assess the transparency and compliance of consent forms and policies, and provided mechanisms for users to exercise their digital rights. At the same time, scalable content analysis mechanisms have been created to detect and rate harmful and inappropriate content, such as adult content distributed to minors through advertising networks,” explains Dr. Narseo Vallina, Professor at IMDEA Networks.
All the results, as well as the patents and vulnerability patches for major smart product vendors, attest to the pioneering research carried out in this project.
“We have also published many datasets and tools as open source solutions so that they can be adopted by the research community and industry, thus enabling the transfer of knowledge to society,” Aniketh Girish, a doctoral student at IMDEA Networks, comments.
IMDEA Networks researchers have played an integral role in the TRUST aWARE project, leading the development of the mobile dynamic analytics pipeline, including network monitoring, runtime monitoring, SDK detection (a mechanism to identify third-party components in the software supply chain), and PII leak tracking.
“The project’s results have influenced the adoption of stricter privacy measures by Android and IoT providers and have contributed to improved regulations. Therefore, they will benefit society by accurately and comprehensively studying the risks to software security and privacy, transparency, and regulatory compliance. By assessing transparency and compliance, the project enables the auditing of software as a service for authorities, developers, and certification bodies, helping to mitigate risks at an early stage,” Girish says.
Innovation and the future of research
TRUST aWARE includes the development of advanced technologies and a novel tool, which are being patented (for example, the SDK detection technique invented by IMDEA Networks). These tools have established new standards for mobile application security and privacy, leading to numerous high-impact publications, triggering patches, and revealing new security vulnerabilities.
The project has also opened new lines of research. These include the analysis of location data and its use in mass surveillance strategies, the characterization of sensitive personal data collected by mobile applications and smart devices related to health, and the investigation of vulnerabilities and privacy risks within the Android browsing ecosystem known as WebViews.