Android’s Privacy Posture

About the speakers

Dinesh Venkatesan
Microsoft, Hyderabad, India

Dinesh Venkatesan is presently working as a lead security researcher at Microsoft. He has been in the cybersecurity industry for over 14 years, working with Symantec and HCL Technologies, and has published numerous blog posts on malware analysis. He is a specialist in the mobile threat landscape and desktop security threats and has discovered multiple vulnerabilities in the Android framework layer, responsibly reporting them to Google and helping to make the OS secure. He has hands-on expertise in writing generic detection and cure routines for prevalent malware families. He is actively on the lookout for threat intel about sophisticated attacks and is keen on researching various threat actors and developing useful insights into malware evolution.

Aditi Bhatnagar
Microsoft, Hyderabad, India

Aditi Bhatnagar is a security enthusiast who is presently working as a software engineer in the endpoint security team at Microsoft. She is an advocate of digital privacy, security and digital wellbeing and has a keen interest in researching several aspects of the evolving relationship between humans and technology, which she often writes about in her blogs. She has conducted several talks and workshops and also started an initiative named Digitised to spread awareness regarding the same.

Abstract

A smartphone is something that stays with you almost “always” throughout the day. It’s equivalent to roaming around with an explicit sensor which can listen to you, get your location, get your movements, get your conversations, see your facial expressions, and even get your heartbeat. The device can literally capture your state as-is and is easily capable of compromising your privacy. This talk brings forward an in-depth investigation into the Android app ecosystem from a purely privacy perspective. We will dive deep into:

  1. Permissions: How permissions work in Android, what data can be collected without user permission by privacy-invasive apps, and the nature and validity of permissions;
  2. Client-side collusion of information: Interaction and information exchange between apps using the same third-party libraries;
  3. Server-side collusion of information collected across clients;
  4. Spyware and attacks to compromise one’s privacy and steal data;
  5. Device fingerprinting; and
  6. Our findings on privacy leaks caused by the myriad IoT gadgets.