Xing earns Facebook award following security discovery that impacted 9.5 million users

Luyi Xing, an assistant professor of computer science at the Luddy School of Informatics, Computing, and Engineering, has been awarded $30,000 from Facebook as part of its Bug Bounty program, which helps the technology giant detect and fix vulnerabilities while spotting new security trends.

In October, Xing and his colleagues discovered a new type of real-world privacy-harvesting activities, namely illicit software-development kits that had been actively harvesting the data of other third-party libraries that co-locate in mobile applications. These activities went undetected by anti-virus engines, vetting efforts for Google Play and the Apple Store, and previous academic approaches for privacy leakage detection.

“This research shows there is still a huge security gap between what app owners can control versus what illicit libraries in them can stealthily harvest,” Xing said. “The problem calls for joint efforts from operating system vendors, such as Google and Apple, app owners, and third-party service vendors like Facebook and Twitter.”

Xing’s research was inspired by the Facebook-Cambridge Analytica scandal in which Cambridge Analytica was found to have harvested the data of millions of Facebook users without their consent. That data was used to create psychographic profiles of users and promote political advertising on users’ Facebook page.

It’s believed that Xing’s finding impacted as many as 9.5 million users, and both Facebook and Twitter blocked apps that used the malicious software-development kits in their login frameworks. The finding also led to a change in the way Facebook monitors third-party apps in Apple’s App Store and the Google Play store.

“The full channels that cybercriminals can leverage to harvest private data haven’t been fully understood in academia and industry,” Xing said. “It’s a good indicator that my research has a huge impact on the industry and society.”

Xing’s award will help him support Ph.D. students who are passionate about security and privacy research, and his work was recently featured by Wired magazine.

“Professor Xing’s finding helped make Facebook and Twitter more secure platforms for users, and that’s exactly the kind of real-world impact we strive to make here at our school,” said Yuzhen Ye, a professor of informatics and computer science and the interim chair of the Department of Computer Science at Luddy. “Xing’s work demonstrates Indiana University’s research strength in security.”