This study empirically analyzed 1,000 Android apps, finding that privacy policies are often vague and frequently fail to align with the actual sensitive data logged by the applications.

This study empirically demonstrates that privacy exposure in mobile gaming apps is primarily driven by complex, configuration-level SDK ecosystems rather than just the permissions the app explicitly r…

The paper proposes a privacy-by-design pipeline for Android malware detection that achieves strong performance by avoiding the collection of sensitive user data entirely.

PrivacyAssist is a multi-agent LLM framework that detects inconsistencies between user-granted app permissions and the app's actual data collection practices, finding that most apps are not fully tran…

This study empirically analyzed 41 mobile gaming apps, finding that while device ID disclosures were relatively consistent, location and personal information disclosures showed significant mismatches…

This study investigates user perceptions of privacy risks associated with GenAI smartphones, finding that users express heightened concerns across the entire data lifecycle and suggest comprehensive,…

The paper introduces MyPhoneBench, a new framework that demonstrates that current phone-use agents often fail to respect user privacy, even when successfully completing simple tasks, primarily due to…

The paper empirically compares the security and privacy implementation characteristics of major Android messaging apps (Meta Messenger, Signal, and Telegram) using static and dynamic analysis, finding…

This paper empirically characterizes the clandestine third-party iOS app stores in Iran, revealing a complex ecosystem driven by sanctions and censorship that facilitates piracy, unauthorized monetiza…

The paper proposes and evaluates DePRa, a system that democratizes privacy assessment by making everyday users active evaluators of mobile app data access, showing its potential to complement expert a…

The paper analyzes Android's permission system and finds that two legacy mechanisms—permission groups and normal-level custom permissions—allow apps to silently gain excessive permissions and expose s…

WOOTdroid is a novel, non-invasive system for comprehensive on-device tracing on stock Android that simultaneously addresses syscall data loss and the semantic gap in Binder IPC events.

AndroScanner is an automated pipeline that detects backend vulnerabilities in Android applications by combining static and dynamic analysis, successfully identifying a zero-day Excessive Data Exposure…

This study provides an ecosystem-scale measurement of commit signing on GitHub, finding that current signing adoption rates are misleading and that developers struggle to maintain consistent, long-ter…

The paper analyzed 25 popular mental health apps and found significant privacy gaps, revealing that most apps fail to disclose embedded trackers and dangerous permissions, undermining informed user co…

The paper investigates how users perceive and utilize security and privacy transparency in consumer-facing generative AI, finding that users rely on proxies like popularity and require actionable, tru…

The study analyzes coding patterns in malware versus benign software, finding that malware code is optimized for quick evasion and secrecy rather than maintainability, though its metrics are not uniqu…

The paper investigates how AI coding assistants shift developers' security focus from proactive prevention to reactive review, finding that this structural change is reinforced by current tool interac…

This study proposes a negotiation framework, using composite indices (RBTI and CATI), to explain how youth navigate competing privacy pressures when using smart voice assistants, finding that high usa…

The paper proposes Trajectory Induced Preference Optimization (TIPO) to improve mobile GUI agent personalization by explicitly modeling and optimizing for privacy-related behavioral differences in exe…