A Comprehensive Study of Permission Usage on Android

  • Yemian LuEmail author
  • Qi Li
  • Purui Su
  • Juan Pan
  • Jia Yan
  • Pengyi Zhan
  • Wei Guo
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11058)


Nowadays, redundant permissions and probing permissions are common in Android applications and third-party libraries, which may cause massive security threats to their users. Existing tools used for permission analysis may introduce incorrect detection results, due to their regardless of the relationships between permissions and the values of function parameters and fields. In order to extract the exact used permissions in Android applications and third-party libraries, we propose a Dalvik register-based data flow analysis technique (DARFA) to get the parameter values of function parameters and fields. By leveraging DARFA, we design and implement PermHunter, a static analysis tool, to detect redundant permissions and probing permissions in Android apps and third-party libraries. We have evaluated PermHunter by analyzing 45 third-party libraries and 653 applications. These results indicate that nearly half of these third-party libraries have redundant permissions and probing permissions, and the proportions in Android applications are even higher.


Permission analysis Redundant permissions Probing permissions Android 


  1. 1.
    Felt, A.P., Chin, E., Hanna, S., et al.: Android permissions demystified. In: Proceedings of the 2011 ACM Conference on Computer and Communications Security (CCS), pp. 627–638. ACM, New York (2011)Google Scholar
  2. 2.
    Au, K.W.Y., Zhou, Y.F., Huang, Z., et al.: PScout: analyzing the android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS), pp. 217–228. ACM, New York (2012)Google Scholar
  3. 3.
    Backes, M., Bugiel, S., Derr, E., et al.: On demystifying the android application framework: re-visiting android permission sepecification analysis. In: Proceedings of the 25th USENIX Security Symposium (USENIX Security), pp. 1101–1118. USENIX Association, Berkeley (2016)Google Scholar
  4. 4.
    Arzt, S., Rasthofer, S., Fritz, C., et al.: Flowdroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In: Proceedings of the 35th ACM SIGPLAN Conference on Programming Language De-sign and Implementation (PLDI), pp. 259–269. ACM, New York (2014)Google Scholar
  5. 5.
    AndroBugs\(\_\)Framework. Accessed 4 Apr 2017
  6. 6.
    axplorer demystifying the Android Application Framework. Accessed 11 Oct 2017
  7. 7.
    PScout. Accessed 15 Apr 2017
  8. 8.
    AppBrain-Android library statistics. Accessed 4 Feb 2017
  9. 9.
  10. 10.
    Weixin Developer. Accessed 4 Feb 2017
  11. 11.
    Umeng. Accessed 4 Feb 2017
  12. 12.
  13. 13.
    Vidas, T., Christin, N., Cranor, L.: Curbing android permission creep. In: Proceedings of the Web 2.0 Security and Privacy 2011 Workshop (W2sp) (2011)Google Scholar
  14. 14.
    Bartel, A., Klein, J., Traon, Y. L., et al.: Automatically securing permission-based software by reducing the attack surface: an application to Android. In: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering (ASE), pp. 274–277. ACM, New York (2012)Google Scholar
  15. 15.
    Grace, M.C., Zhou, W., Jiang, X., et al.: Unsafe exposure analysis of mobile in- app advertisements. In: Proceedings of the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec), pp. 101–112. ACM, New York(2012)Google Scholar
  16. 16.
    Fuchs, A.P., Chaudhuri, A., Foster, J. S.: SCanDroid: automated security certification of android applications. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy (S&P). IEEE, Piscataway (2010)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Yemian Lu
    • 1
    Email author
  • Qi Li
    • 2
  • Purui Su
    • 3
  • Juan Pan
    • 1
  • Jia Yan
    • 3
  • Pengyi Zhan
    • 1
  • Wei Guo
    • 1
  1. 1.China Academy of Information and Communications TechnologyBeijingChina
  2. 2.Graduate School at ShenzhenTsinghua UniversityShenzhenChina
  3. 3.Institute of SoftwareChinese Academy of SciencesBeijingChina

Personalised recommendations