Abstract
In general, smartphone apps are rolled out under a business model based on data over-collection. Under this model, users can download and use the apps free of charge, but they are asked to grant a large number of permissions that give the apps access to data and resources on their smartphones. Apps collect user data and sell it to interested third parties for profit, or abuse smartphone resources for financial gain. This phenomenon introduces privacy and trust issues. Existing vetting mechanisms in app stores depend mainly on user feedback and expert reviews, and they target only malicious apps; permission-abusive apps are not yet covered. In this paper, we propose a light-weight framework for pre-submission vetting of Android apps by app stores. We generate functional signatures of an app from its description and analyze them to build a profile that contains usage scores for the different permissions, or that indicates whether the app is suspicious. This framework can serve as the first line of defense in app stores for vetting newly submitted apps.
Acknowledgements
This work was supported in part by the National Natural Science Foundation of China under Grant 61632009, in part by the Guangdong Provincial Natural Science Foundation under Grant 2017A030308006, and in part by the High-Level Talents Program of Higher Education in Guangdong Province under Grant 2016ZJ01.
© 2019 Springer Nature Singapore Pte Ltd.
Cite this paper
Li, B., Wang, G., Elahi, H., Duan, G. (2019). A Light-Weight Framework for Pre-submission Vetting of Android Applications in App Stores. In: Wang, G., Bhuiyan, M.Z.A., De Capitani di Vimercati, S., Ren, Y. (eds) Dependability in Sensor, Cloud, and Big Data Systems and Applications. DependSys 2019. Communications in Computer and Information Science, vol 1123. Springer, Singapore. https://doi.org/10.1007/978-981-15-1304-6_28
DOI: https://doi.org/10.1007/978-981-15-1304-6_28
Publisher Name: Springer, Singapore
Print ISBN: 978-981-15-1303-9
Online ISBN: 978-981-15-1304-6