Together, the work performed led to a number of research results that strengthen user control and improve users' security, privacy and self-determination. An overview of the key results follows:
1. We introduced the first kernel-only method for reconstructing application behaviors on Android-based smart devices. The method, called SliceDroid, is based on collecting kernel traces using modern features offered by the Linux kernel underlying the Android OS, and then employing event slicing to piece together relevant information. The method can be used to offer transparency to end-users on their personal devices. Preliminary results on employing even more advanced kernel features (eBPF) suggest further potential for the method.
2. Using SliceDroid, we performed a hybrid (static/dynamic) analysis of the behavior of popular instant messaging applications for the Android OS, focusing on their security and privacy characteristics. With this study, we showed the practical utility of our method. These results can inform regulators and consumer protection bodies assessing the privacy practices of widely used communication platforms.
3. We designed and implemented a benchmarking framework to assess the adoption potential of privacy-preserving unlinkable credentials for the EU Digital Identity Wallet, especially for mobile devices. We found that even resource-constrained devices, such as smart watches, can be used for identity verification, given an efficient implementation of the underlying zero-knowledge proof scheme. Our framework can be used to guide policy discussions and inform the technical specifications for the EU Digital Identity Wallet.
4. Together with collaborators from the University of Athens, we were the first to study the susceptibility of the emerging practice of AI-powered code review to supply-chain attacks that exploit the inherent confirmation bias in state-of-the-art LLM-powered AI systems. We found that these systems are susceptible to adversarial inputs in pull request metadata and proposed measures to mitigate this threat. Most importantly, these systems are not yet mature enough, and human review of all code changes should be a mandatory requirement, especially for security-relevant software. Further research is needed to develop robust defenses against adversarial inputs in AI-assisted development tools, and we recommend that standardization bodies consider guidelines for the use of AI in security-critical software review processes.