I am a predoctoral researcher (Ph.D. candidate) at the IMDEA Networks Institute in Madrid, Spain, where I work under the supervision of Dr. Narseo Vallina-Rodríguez. My research interests span software security, mobile security, and network protocol analysis, with a focus on real-world vulnerabilities and vendor-led deviations in critical system components.
I hold an M.Sc. in Software and Systems from Universidad Politécnica de Madrid (UPM), where I received the Best Academic Record award and the 2024 SISTEDES Best Master's Thesis Award. I also earned my B.Sc. in Information Systems from the University of Colombo School of Computing, where I was awarded the IFS Academic Excellence Award for the highest academic performance in a four-year degree program.
Previously, I was a research intern at SCoRe Lab in Sri Lanka and collaborated with the International Computer Science Institute (ICSI) at UC Berkeley. I have contributed to open-source tools like BugZero, Sequza, DNSTool-CLI, and CommunityDict. I am particularly interested in vulnerability remediation and understanding how developer practices influence the introduction and fixing of bugs in software.
Outside of research, I enjoy traveling, reading, and dancing.
[Mar 2025] 📄 Our paper "Beneath the Surface: An Analysis of OEM Customizations on the Android TLS Protocol Stack" was accepted to IEEE Euro S&P 2025! (Camera-ready version)
[Oct 2024] 🎓 Selected for the FPU Predoctoral Fellowship by the Spanish Ministry of Universities.
Only 30 candidates were selected nationwide in the field of "Tecnologías de la Información y las Comunicaciones". (We declined this grant due to overlap with the CAM grant.)
[Sep 2024] 🎓 Awarded the CAM Predoctoral Fellowship by the Comunidad de Madrid to support my Ph.D. studies.
[Aug 2024] 📄 Our paper "Mules and permission laundering in android: Dissecting custom permissions in the wild" was published in IEEE Transactions on Dependable and Secure Computing (Q1).
[Jul 2024] 🧪 Selected for and participated in the SURI Fellowship program at EPFL, Switzerland (remote participation).
[May 2024] 🥇 Awarded the Best Master's Thesis Award (Premio al Mejor TFM) by SISTEDES for my M.Sc. research on Android vendor customizations.
[Aug 2023] 🥇 Received the Best Academic Record for my M.Sc. in Software and Systems from Universidad Politécnica de Madrid (UPM).
[Jul 2023] 🎓 Defended my M.Sc. thesis with Matrícula de Honor and received an honorable mention from the evaluation jury.
[Aug 2022] 💻 Joined IMDEA Networks Institute in Madrid as a Ph.D. candidate, part of the Internet Analytics Group.
[Jul 2022] 🎓 Graduated with a B.Sc. (Hons) in Information Systems from University of Colombo.
Received the IFS Academic Excellence Award for the best academic performance in a 4-year degree.
[Nov 2021] 📄 Published a demo paper on Sequza, a tool for large-scale analysis of vulnerability remediation in JavaScript projects.
[Sep 2021] 🧪 Completed the Mobile Application Hacking and Penetration Testing course.
[Certificate]
[Nov 2020] 📄 Published my first research paper "Fix that Fix Commit" at IEEE SCAM 2020, analyzing vulnerability remediation in open-source JavaScript projects.
[Dec 2019] 🌍 Represented Sri Lanka at the Huawei Seeds for the Future program in China.
[In the news]
Research
My research focuses on software and mobile security, with a particular interest in how developer behavior, ecosystem fragmentation, and vendor customizations impact secure communication and vulnerability remediation. I work on both empirical software engineering and network protocol analysis, with an emphasis on Android security.
I am currently investigating OEM-driven customizations to Android's networking and TLS protocol stack, analyzing their security and privacy implications through large-scale measurements.
Beneath the Surface: An Analysis of OEM Customizations on the Android TLS Protocol Stack
Vinuri Bandara, Stijn Pletinckx, Ilya Grishchenko, Christopher Kruegel, Giovanni Vigna, Juan Tapiador, Narseo Vallina-Rodríguez
To appear in IEEE European Symposium on Security and Privacy (Euro S&P), 2025
This paper presents the first large-scale analysis of how Android device vendors modify the TLS protocol stack. We study the implications of these customizations on secure communication and identify risks introduced at the OEM level.
This paper presents the first large-scale empirical analysis of custom permissions in Android, revealing their widespread and undocumented use, and highlighting security and privacy risks stemming from privilege escalation and lack of user transparency.
Published a demonstration of the Sequza tool and the continuation of the research in CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security. This tool provides an innovative pipeline for analyzing the vulnerabilities and a quantification of the overall security through the repository timeline.
A large-scale analysis of vulnerability remediation in open-source JavaScript projects, focusing on the commits and developers responsible for introducing vulnerabilities into the codebase and for fixing them.
BugZero is a fully managed, crowd-powered bug bounty platform. The Bug Zero platform provides security testing services to organizations with no upfront costs. With Bug Zero, organizations can provide rewards to security researchers at their discretion for any vulnerability discovery.
Other
[Sep, 21] Successfully completed GSoC 2021.
[May, 20] GSoC 2020 - Started working under SCoRe Lab, Sri Lanka on project DNS Command Line Tool.
[Aug, 20] Successfully completed GSoC 2020.
[May, 20] GSoC 2020 - Started working under SCoRe Lab, Sri Lanka on project Community Dictionary.
[Jan, 20] Successfully completed Google Code-in 2019.
[Dec, 19] Google Code-in 2019 - Started serving as a mentor under SCoRe Lab, Sri Lanka.
Gallery
IEEE SCAM 2020 – Presented findings from my final year research on vulnerability remediation.
Sequza – Visualizing the security posture of open-source JavaScript repositories.
Google Summer of Code 2021 – Successfully completed under SCoRe Lab, Sri Lanka.
Google Summer of Code 2020 – Contributed to security tooling projects at SCoRe Lab.
Huawei Seeds for the Future 2019 – Represented Sri Lanka in China.
Exploring language and culture during my visit to China.
Completed the Huawei Seeds for the Future program successfully.
Google Code-In 2019 – Mentored students under SCoRe Lab, Sri Lanka.