Publications
Peer-reviewed papers
- Mules and Permission Laundering in Android: Dissecting Custom Permissions in the Wild [PDF]
- Log: It's Big, It's Heavy, It's Filled with Personal Data! Measuring the Logging of Sensitive Information in the Android Ecosystem [PDF]
- Mixed Signals: Analyzing Software Attribution Challenges in the Android Ecosystem [PDF]
- Not Your Average App: A Large-scale Privacy Analysis of Android Browsers [PDF]
- Trouble Over-The-Air: An Analysis of FOTA Apps in the Android Ecosystem [PDF]
- Blocklist babel: On the Transparency and Dynamics of Open Source Blocklisting [PDF]
- Mis-shapes, Mistakes, Misfits: An Analysis of Domain Classification Services [PDF]
- An Analysis of Pre-installed Android Software [PDF]
- Don't Accept Candy from Strangers: An Analysis of Third-Party Mobile SDKs [PDF]
- Tales from the Porn: A Comprehensive Privacy Analysis of the Web Porn Ecosystem [PDF]
- A Long Way to the Top: Significance, Structure, and Stability of Internet Top Lists [PDF]
- An Analysis of Pre-installed Android Software [PDF]
- This Is My Private Business! Privacy Risks on Adult Websites [PDF]
- BGP Table Fragmentation: what & who? [PDF]
Thesis
- "Do Android Dream of Electric Sheep?" On Privacy in the Android Supply Chain [PDF] [slides]
- Conception rules for IGP and iBGP topologies to ensure BGP correctness [PDF] [slides]
Abstract
The Android Open Source Project (AOSP) was first released by Google in 2008 and has since become the most used operating system. Thanks to the openness of its source code, any smartphone vendor or original equipment manufacturer (OEM) can modify and adapt Android to their specific needs, or add proprietary features before installing it on their devices, in order to differentiate themselves from competitors. This has created a complex and diverse supply chain, completely opaque to end-users, formed by manufacturers, resellers, chipset manufacturers, network operators, and prominent actors of the online industry that partnered with OEMs. Each of these stakeholders can pre-install extra apps, or implement proprietary features at the framework level.
However, such customizations can create privacy and security threats to end-users. Pre-installed apps are privileged by the operating system, and can therefore access system APIs or personal data more easily than apps installed by the user. Unfortunately, despite these potential threats, there is currently no end-to-end control over what apps come pre-installed on a device and why, and no traceability of the different software and hardware components used in a given Android device. In fact, the landscape of pre-installed software in Android and its security and privacy implications have largely remained unexplored by researchers.
In this thesis, I investigate the customization of Android devices and its impact on the privacy and security of end-users. Specifically, I perform the first large-scale and systematic analysis of pre-installed Android apps and the supply chain. To do so, I first develop an app, Firmware Scanner, to crowdsource close to 34,000 Android firmware versions from 1,000 different OEMs from all over the world. This dataset allows me to map the stakeholders involved in the supply chain and their relationships, from device manufacturers and mobile network operators to third-party organizations like advertising and tracking services, and social network platforms. I identify multiple cases of privacy-invasive and potentially harmful behaviors. My results show a disturbing lack of transparency and control over the Android supply chain, which can harm the privacy and security of end-users.
Next, I study the evolution of the Android permission system, an essential security feature of the Android framework. Coupled with other protection mechanisms such as process sandboxing, the permission system empowers users to control what sensitive resources (e.g., user contacts, the camera, location sensors) are accessible to which apps. The research community has extensively studied the permission system, but most previous studies focus on its limitations or specific attacks. In this thesis, I present an up-to-date view and longitudinal analysis of the evolution of the permission system. I study how some lesser-known features of the permission system, specifically permission flags, can impact the permission granting process, making it either more restrictive or less. I then highlight how developers of pre-installed apps use these flags in the wild and focus on the privacy and security implications. Specifically, I show the presence of third-party apps, installed as privileged system apps, potentially using these features to share resources with other third-party apps.
Another salient feature of the permission system is its extensibility: apps can define their own custom permissions to expose features and data to other apps. However, little is known about how widespread the usage of custom permissions is, and what impact these permissions may have on users’ privacy and security. In the last part of this thesis, I investigate the exposure and request of custom permissions in the Android ecosystem and their potential for opening privacy and security risks. I gather a 2.2-million-app-large dataset of both pre-installed and publicly available apps using both Firmware Scanner and purpose-built app store crawlers. I find the usage of custom permissions to be pervasive, regardless of the origin of the apps, and seemingly growing over time. Despite this prevalence, I find that custom permissions are virtually invisible to end-users, and their purpose is mostly undocumented. While Google recommends that developers use their reverse domain name as the prefix of their custom permissions, I find widespread violations of this recommendation, making sound attribution at scale virtually impossible. Through static analysis methods, I demonstrate that custom permissions can facilitate access to permission-protected system resources to apps that lack those permissions, without user awareness. Due to the lack of tools for studying such risks, I design and implement two tools, PermissionTracer and PermissionTainter, to study custom permissions. I highlight multiple cases of concerning use of custom permissions by Android apps in the wild.
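The reverse-domain prefix recommendation described above can be checked mechanically on a decoded manifest. The following is an added example, not code from the thesis and not PermissionTracer or PermissionTainter; the manifest is a constructed sample, and it assumes that the first two labels of the package name stand in for the developer's reverse domain name.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded AndroidManifest.xml (not taken from any real app).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <permission android:name="com.example.weather.permission.READ_FORECAST"
                android:protectionLevel="signature"/>
    <permission android:name="LOCATION_SHARE"/>
    <permission android:name="org.other.sdk.permission.PUSH"
                android:protectionLevel="dangerous"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""


def audit_custom_permissions(manifest_xml, prefix_labels=2):
    """Return one finding per <permission> declared in a decoded manifest.

    Assumption: the first `prefix_labels` labels of the package name stand in
    for the developer's reverse domain name (e.g. "com.example").
    """
    root = ET.fromstring(manifest_xml.strip())
    package = root.get("package", "")
    expected = ".".join(package.split(".")[:prefix_labels])
    findings = []
    # Only <permission> declares a custom permission; <uses-permission> requests one.
    for perm in root.iter("permission"):
        name = perm.get(ANDROID_NS + "name", "")
        findings.append({
            "name": name,
            # Android treats a missing protectionLevel as "normal".
            "protection_level": perm.get(ANDROID_NS + "protectionLevel", "normal"),
            "follows_prefix": bool(expected) and name.startswith(expected + "."),
        })
    return findings


if __name__ == "__main__":
    for f in audit_custom_permissions(SAMPLE_MANIFEST):
        flag = "ok" if f["follows_prefix"] else "NO REVERSE-DOMAIN PREFIX"
        print(f"{f['name']:50} {f['protection_level']:10} {flag}")
```

A permission that fails the prefix check cannot be tied to its declaring developer from the name alone, which is the attribution problem the abstract describes.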
In this thesis, I systematically studied, at scale, the vast and overlooked ecosystem of pre-installed Android apps. My results show a complete lack of control of the supply chain, which is worrying given the huge potential impact of pre-installed apps on the privacy and security of end-users. I conclude with a number of open research questions and future avenues for further research in the ecosystem of the supply chain of Android devices.
Media coverage
- This is how Android apps reveal our secrets without us being aware of it, El País (May 2023, also published in Spanish)
- Los expertos apuntan a un error humano como probable causa del apagón de WhatsApp, Facebook e Instagram, El País (October 2021, also published in Portuguese)
- My research was the basis of An open letter to Google, Privacy International (January 2020, also published in French and in Spanish)
- My research was mentioned in Mozilla Foundation's Internet Health Report, Mozilla Foundation (August 2019, page 42)
- Quién sabe que miras porno "online", El País (July 2019, also published in Portuguese)
- Eggheads confirm: Rampant Android bloatware a privacy and security hellscape, The Register (May 2019)
- Software preinstalado en Android: la amenaza silenciosa que acecha al usuario, ABC (Spain) (April 2019)
- Google y los fabricantes no aclaran la vigilancia oculta en los moviles Android, El País (April 2019)
- La collecte cachée des applications préinstallées sur Android, Le Figaro (April 2019)
- Android users' security and privacy at risk from shadowy ecosystem of pre-installed software, study warns, TechCrunch (March 2019)
- Android apps gather user data without permission, The Times (UK) (March 2019)
- Android permite a empresas acceso indebido a datos personales, La Vanguardia (March 2019)
- Android ecosystem of pre-installed apps is a privacy and security mess, ZDNet (March 2019)
- Aplicaciones móviles que nos espían, RNE (Radio) - Todo Noticias (March 2019)
- ¿Sabes cómo tu móvil Android te espía? Cadena COPE (Radio) - Herrera en COPE (March 2019)
- Ens espein a traves del mobil? TV3 (TV) - News (March 2019)
- El móvil: Tu mejor y tu peor aliado te espía con aplicaciones que te instalan otros, Telecinco (TV) (March 2019)
- Los móviles Android acceden de forma masiva a los datos personales de los usuarios sin su conocimiento, RTVE (TV) (March 2019)
- Un estudio revela vigilancia masiva por móvil con aplicaciones preinstaladas, Cadena COPE (Radio) (March 2019)
- Los móviles Android acceden de forma masiva a los datos personales de los usuarios sin su conocimiento, RTVE (TV) (March 2019)
- Protección de Datos ve "riesgos para la privacidad" en los dispositivos Android, Publico (March 2019)
- Android permite que gran número de actores monitoricen y obtengan información personal de usuarios, según un estudio, EuropaPress (March 2019)
- Mòbils espies: la privacitat en risc, TV3 (TV) - Els Matins (March 2019)
- I spy: How Android phones keep tabs on our every move, El País (March 2019, also published in Spanish)
- Study Shows Limited Control Over Privacy Breaches by Pre-Installed Android Apps, Reuters (March 2019)