Talk: Yifan Zhang "Security and Privacy in the Mobile Supply Chain: Uncovering Hidden Risks"
Abstract: Mobile ecosystems increasingly depend on complex, evolving supply chains—but overlooked design flaws and privacy gaps pose significant risks. In this talk, I will present two studies that address these emerging challenges. The first study investigates privacy-configurable SDK wrappers (PICO SDK wrappers), revealing that they often fail to propagate developers' privacy settings to underlying advertisement SDKs. This misconfiguration introduces unintended privacy violations, despite developers' efforts to comply with privacy norms. The second study identifies a design flaw in Android Studio that allows malicious SDKs to override static resources in other libraries, enabling a new class of supply chain attacks. We demonstrate its real-world impact and propose a build system–level mitigation to fortify the development workflow. Together, these studies uncover critical blind spots in the mobile app supply chain and introduce practical strategies to enhance both privacy and security across the ecosystem.
Short Speaker Bio: Yifan Zhang is a Ph.D. candidate in Computer Science at Indiana University Bloomington. His research focuses on security and privacy issues in the software supply chain, mobile systems, and IoT systems. He is committed to uncovering new attack vectors and identifying emerging privacy risks in these domains. His work has been published in top-tier security conferences, including USENIX Security and CCS. In 2022, his research was selected as a Top 10 Finalist for the Best Applied Security Paper Award at CSAW.