Abstract

The rapid proliferation of mobile applications and their ecosystems has revolutionized the way users interact with technology, but it has also introduced a range of emerging security and privacy threats. This thesis investigates critical vulnerabilities in the mobile supply chain through three distinct but interconnected domains: app-in-app ecosystems, location-based services, and third-party software development kits (SDKs). First, we explore the app-in-app paradigm, where sub-apps hosted within larger applications often bypass robust security controls, leading to privilege escalation and sensitive data leakage. Second, we address the aggressive and unwarranted harvesting of location data by mobile apps, which undermines privacy principles due to insufficient access control mechanisms in mobile operating systems. Finally, we examine how to mitigate privacy risks posed by cross-library data harvesting (XLDH) in third-party SDKs, particularly those in social media, which harvest user data across applications without consent.

To mitigate these threats, this thesis proposes systematic frameworks and practical solutions, including a security assessment tool (Apinat), machine learning-based detection mechanisms (LocationScope) and a privacy-preserving SDK design (PESP). Our findings highlight the prevalence and impact of these issues, offering actionable insights for developers, platform stakeholders, and policy makers to secure the mobile supply chain. The contributions of this work aim to enhance the privacy and security of mobile ecosystems, paving the way for more resilient and compliant application development practices.

Details

1010268
Title
Assessing and Mitigating Emerging Threats in the Mobile Software Supply Chain
Author
Number of pages
182
Publication year
2025
Degree date
2025
School code
0093
Source
DAI-B 86/9(E), Dissertation Abstracts International
ISBN
9798310150911
Committee member
Xing, Luyi; Zhang, Hang; Ye, Yuzhen
University/institution
Indiana University
Department
Computer Science
University location
United States -- Indiana
Degree
Ph.D.
Source type
Dissertation or Thesis
Language
English
Document type
Dissertation/Thesis
Dissertation/thesis number
31844787
ProQuest document ID
3181066822
Document URL
https://www.proquest.com/dissertations-theses/assessing-mitigating-emerging-threats-mobile/docview/3181066822/se-2?accountid=208611
Copyright
Database copyright ProQuest LLC; ProQuest does not claim copyright in the individual underlying works.
Database
ProQuest One Academic