Understanding Interconnected Abuse in Consumer Smart Device Ecosystems
Author(s)
Girish, Aniketh
Date
2025-09-26
Abstract
Modern consumer smart ecosystems—comprising mobile and IoT devices, platforms, apps, third-party
SDKs, and cloud services—enable pervasive automation and personalization by continuously exchanging
data across software using internet and local network interfaces. While this interconnection enhances
usability and functionality, it also introduces systemic privacy risks that are difficult to audit and regulate.
These risks often stem from complex interactions across co-located programs, devices, and third-party
infrastructure, which existing analysis tools and protection mechanisms such as sandboxing and permission
mechanisms fail to capture because they are process-centric; i.e., they are focused on individual apps or
devices and treat them as monolithic entities. As a result, they often miss privacy violations that exist
beyond traditional program boundaries involving indirect flows, inter-app communication, and
covert-channel inferences.
This dissertation challenges the current process-centric view of privacy analysis and controls. It argues
that this perspective is insufficient for capturing emerging privacy risks in modern smart ecosystems,
where interactions across complex components enable unvetted channels and data leakage. By adopting
a holistic, ecosystem-level perspective, this work demonstrates that privacy violations often arise from
such interconnectedness. To support this argument, the dissertation applies novel multi-vantage
empirical methods—including static and dynamic app analysis, network traffic inspection, input fuzzing, and
controlled execution environments.
By exposing these underexplored threats, this dissertation calls for a paradigm shift in how privacy
is audited and controlled in smart ecosystems. It demonstrates that privacy should not be treated as a
static property of individual apps or devices, but as a property inherent to dynamic interactions across
apps, devices, SDKs, and cloud services.
Through three empirical analyses, this dissertation demonstrates how these privacy risks manifest
in real-world smart ecosystems, including smart home devices and mobile apps. First, insecure local
network communication in smart homes exposes sensitive data, enabling cross-device tracking and household
fingerprinting. Second, mobile apps embed wireless-scanning SDKs that covertly infer location and bridge
identifiers to persistently track users and bypass platform restrictions to access geolocation data. Third,
health and fitness apps retrieve sensitive user data from aggregator platforms via OAuth-authorized APIs
that bypass Android’s permission system; once data is returned to the app, embedded third-party SDKs
may gain indirect access, exposing health information without platform visibility or user awareness.
These risks are not incidental, but structural—and are deeply rooted in platform design decisions,
opaque third-party integrations, insufficient access controls, and enforcement mechanisms. Consequently,
this dissertation provides groundbreaking empirical foundations for advancing platform accountability,
informing regulatory oversight, and strengthening user-centric privacy protections in today’s interconnected
digital environments. In response to the findings presented in this dissertation and our active responsible
disclosure practices, major industry actors including Apple, Google, TP-Link, Philips, and over 20 other
IoT vendors acknowledged these risks and have implemented privacy protections in their products.
Notably, Philips overhauled its identifier scheme to prevent long-term device tracking, and Google introduced
a dedicated local network permission in Android 16 to restrict unauthorized device discovery—changes
that now benefit billions of Android users worldwide.


