Hi, I’m Aniketh Girish

I'm open to full-time opportunities in the next 6~12 months, feel free to contact me if you think I'd be a fit!

I’m a Postdoctoral Researcher at the IMDEA Networks Institute in Madrid, Spain. I completed my Ph.D. Cum Laude at IMDEA Networks Institute in 2025, advised by Dr. Narseo Vallina-Rodriguez. My research falls at the intersection of (1) hybrid black-box testing, (2) empirical analysis of covert privacy risks in smart home and mobile ecosystems, and (3) regulatory compliance. I have published in top peer-reviewed venues (e.g., PETS, IMC, USENIX Security). I got the Best Poster Award at the TMA’22 Ph.D. school for my novel approach to IoT testing.

During my Ph.D., I was a visiting researcher at Northeastern University’s Cybersecurity and Privacy Institute (USA), advised by Prof. David Choffnes. Prior to that, I held research positions at the Rochester Institute of Technology (USA) and IIJ Innovation Institute (Japan). I was selected twice for Google Summer of Code, contributing to KDE and GNU Linux, and spent a summer at Ben-Gurion University (Israel) exploring applications of machine learning in cybersecurity.

[email protected]

My measurement-driven research has led to concrete technical impact across platforms and ecosystems. It directly influenced platform practices — Google introduced a local-network permission in Android 16 and a localhost permission in Android 17 as a direct result of my work — and prompted privacy redesigns by major IoT vendors (e.g., Philips, Apple, TP-Link, Google) the removal of dozens of privacy-invasive apps and SDKs from the Google Play Store, and two $2,000 bug bounties from Google for exposing covert local-network scans and canvas fingerprinting via embedded WebViews. Chrome, Firefox, and DuckDuckGo deployed browser-level mitigations, while uBlock Origin and AdGuard adopted tracking protections based on our findings. The work advanced and expedited deployment of the W3C Local Network Access (LNA) standard.

At the policy and enforcement level, the Spanish Prime Minister cited our research to announce a parliamentary investigation into Meta, before which our team testified. U.S. Congress members cited the research in a formal inquiry to Meta leadership. Class action lawsuits were filed in the U.S., Canada, and Germany. Our disclosures to European regulators (EDPS, AEPD, CNIL, EDPB, UK CMA) prompted enforcement discussions. The work has been covered by 100+ international media outlets including the Washington Post, Wired, Ars Technica, El País, and Sky News, and engaged by civil society organizations (EFF, Privacy International).

More details are enclosed in my CV.

Featured Publications

Bridges to Self: Silent Web-to-App Tracking on Mobile via Localhost Tim Vlummens^*, Aniketh Girish^*, Nipuna Weerasekara, Gunes Acar, Frederik Zuiderveen Borgesius, Narseo Vallina-Rodriguez ^* Co-first authors. Proceedings of the 35th USENIX Security Symposium, 2026.
Informed browser localhost protections (adopted by Chrome, Firefox; DuckDuckGo, uBlock Origin, AdGuard); accelerated W3C LNA standardization; prompted Android 17 localhost permission; triggered regulatory engagement (CNIL, UK CMA, EC, EDPB) and U.S. congressional inquiry; cited in class actions (U.S., Canada, Germany); our team testified before Spanish Congress investigation into Meta and referenced in public statements by Spain's Prime Minister. Your Signal, Their Data: An Empirical Privacy Analysis of Wireless-scanning SDKs in Android Aniketh Girish, Joel Reardon, Juan Tapiador, Srdjan Matic, Narseo Vallina-Rodriguez. Proceedings on Privacy Enhancing Technologies (PoPETs), 2025. The Effect of Platform Policies on App Privacy Compliance: A Study of Child-Directed Apps Noura Alomar, Joel Reardon, Aniketh Girish, Narseo Vallina-Rodriguez, Serge Egelman. Proceedings on Privacy Enhancing Technologies (PoPETs), 2025. In the Room Where It Happens: Characterizing Local Communication and Threats in Smart Homes Aniketh Girish^*, Tianrui Hu^*, Vijay Prakash, Daniel J. Dubois, Srdjan Matic, Danny Yuxing Huang, Serge Egelman, Joel Reardon, Juan Tapiador, David Choffnes, Narseo Vallina-Rodriguez ^* Co-first authors. Proceedings of the 23nd ACM Internet Measurement Conference (IMC), 2023.
Prompted Android 16's new local network permission. Presented at CNIL Privacy Research Day 2024.

Show All Publications

Featured Projects

LocalMess

PrivacyAndroidTracking

Novel tracking method by Meta and Yandex affecting billions of Android users. Native apps silently listen on fixed local ports, de-anonym...

Site Code Paper

IoT-LAN

IoTSmart HomePrivacy

Tools for testing privacy and security threats of IoT local network protocols (UPnP, mDNS) in home networks. Includes active scanners, ho...

Code Paper

Wireless Beacon Analysis

AndroidWirelessSDKs

Analysis code and datasets for studying wireless-scanning SDKs in Android. Includes call graph extraction, beacon SDK detection, and empi...

Code Paper

Show All Projects

News

Invited talk at the University of Zaragoza EMACS Workshop on interoperable health and fitness ecosystem privacy. 2026-01
Bridges to Self accepted at USENIX Security 2026 — exposing silent web-to-app tracking via localhost on Android. 2025-10
Our team testified before the Spanish Congress on Meta’s localhost tracking abuse, following a parliamentary investigation announced by the Spanish Prime Minister. 2025-07
U.S. Congress members cited our localhost research in a formal inquiry to Meta leadership. 2025-07
Google introduced a localhost permission in Android 17, prompted by our research. 2025-06
Meta and Yandex terminated localhost abuse on the day of our public disclosure. Covered by 100+ outlets including Washington Post, Ars Technica, and El País. 2025-06
Chrome 137 and Firefox deployed access restrictions based on our localhost findings. 2025-06
Invited to present at IETF PEARG 123 (Madrid) on covert localhost tracking. 2025-03

Show older news

Started as Postdoctoral Researcher at IMDEA Networks Institute. 2025-10
Completed my Ph.D. Cum Laude at IMDEA Networks / UC3M. 2025-10
Two papers accepted at PoPETs 2025: wireless-scanning SDK privacy analysis and child-directed app compliance. 2025-01
Google introduced a local network permission in Android 16, prompted by our IoT smart home research. 2024-10
Invited plenary talk at RIPE 89 in Prague on smart home privacy threats. 2024-10
Visiting researcher at Northeastern University Cybersecurity and Privacy Institute, hosted by Prof. David Choffnes. 2024-04
Our paper on local communication in smart homes published at IMC 2023. 2023-10
Attended the EPFL Summer Research Institute on Security and Privacy in Lausanne. 2023-07
Best Poster and Presentation Award at TMA 2022 Ph.D. school. 2022-06