
On Understanding Permission Usage Contextuality in Android Apps

  • Md Zakir Hossen
  • Mohammad Mannan
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10980)

Abstract

In the runtime permission model, the context in which a permission is first requested or used may later change without the user’s knowledge. Our goal is to understand how permissions are requested and used in different contexts in the runtime permission model, and to compare these contexts to identify potential inconsistencies. We present ContextDroid, a static analysis tool that identifies the contexts of permission requests and uses, and analyze 6,790 apps (chosen from an initial set of 10,062 apps from the Google Play Store). Our preliminary results show that apps often use permissions in dissimilar contexts: 15% of the apps use permissions in contexts where users are not prompted and may be unaware; 46% of the apps use permissions in multiple contexts, while only 20% of the apps request permissions in multiple contexts. We hope our study will attract more research into non-contextual usage (and possible abuse) of permissions in the runtime model, and may spur further work on the design of finer-grained permission control.
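The comparison the abstract describes can be made concrete with a small model: collect, per permission, the contexts from which an app requests it and the contexts from which it actually exercises it, then flag uses in contexts where no request (and hence no prompt) occurs. The Python below is an added illustration written for this page; it is not ContextDroid's code or algorithm. The context labels ("component:callback"), the input format and the four sample "apps" are constructed, and a real static analysis would have to recover the contexts from the app's call graph and map framework API calls to the permissions they require, which this sketch takes as given input.

```python
"""Toy comparison of permission *request* contexts against permission *use*
contexts. Illustrative example for this page, not ContextDroid's code.
Context labels, input format and sample apps are all constructed."""

from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed context labels: "<component>:<entry callback>".
USER_VISIBLE = {"activity:onCreate", "activity:onClick"}
BACKGROUND = {"service:onStartCommand", "receiver:onReceive", "job:onStartJob"}

LOCATION = "android.permission.ACCESS_FINE_LOCATION"
CONTACTS = "android.permission.READ_CONTACTS"
CAMERA = "android.permission.CAMERA"


@dataclass(frozen=True)
class Site:
    """One permission-relevant call reached from a given context."""
    permission: str
    context: str
    kind: str  # "request" (requestPermissions) or "use" (permission-protected API)


@dataclass
class App:
    name: str
    sites: List[Site]


@dataclass
class Report:
    unprompted: Dict[str, Set[str]]  # permission -> use contexts never requested in
    multi_use: Set[str]              # permissions used from more than one context
    multi_request: Set[str]          # permissions requested from more than one context


def contexts_by_kind(app: App, kind: str) -> Dict[str, Set[str]]:
    """Per permission, the set of contexts from which it is requested or used."""
    out: Dict[str, Set[str]] = {}
    for s in app.sites:
        if s.kind == kind:
            out.setdefault(s.permission, set()).add(s.context)
    return out


def compare(app: App) -> Report:
    """Compare request contexts with use contexts for every permission of one app.

    A use context with no matching request context is one where the user was
    never prompted: the grant happened earlier, somewhere else in the app."""
    requested = contexts_by_kind(app, "request")
    used = contexts_by_kind(app, "use")
    unprompted: Dict[str, Set[str]] = {}
    for perm, use_ctx in used.items():
        extra = use_ctx - requested.get(perm, set())
        if extra:
            unprompted[perm] = extra
    return Report(
        unprompted=unprompted,
        multi_use={p for p, c in used.items() if len(c) > 1},
        multi_request={p for p, c in requested.items() if len(c) > 1},
    )


def background_only_uses(report: Report) -> Set[str]:
    """Permissions whose unprompted uses all come from background components."""
    return {p for p, ctxs in report.unprompted.items() if ctxs <= BACKGROUND}


def summarize(apps: List[App]) -> Dict[str, float]:
    """Fraction of apps in each category (the kind of figure the abstract reports)."""
    reports = [compare(a) for a in apps]
    n = len(apps)
    return {
        "unprompted_use": sum(1 for r in reports if r.unprompted) / n,
        "multi_context_use": sum(1 for r in reports if r.multi_use) / n,
        "multi_context_request": sum(1 for r in reports if r.multi_request) / n,
    }


# Constructed sample apps (not real apps, not data from the paper).
SAMPLE_APPS = [
    App("maps_like", [  # request and use in the same tap handler: consistent
        Site(LOCATION, "activity:onClick", "request"),
        Site(LOCATION, "activity:onClick", "use"),
    ]),
    App("tracker_like", [  # prompted once on screen, reused silently from a receiver
        Site(LOCATION, "activity:onCreate", "request"),
        Site(LOCATION, "activity:onCreate", "use"),
        Site(LOCATION, "receiver:onReceive", "use"),
    ]),
    App("social_like", [  # asks in two UI contexts, uses in one of them
        Site(CONTACTS, "activity:onCreate", "request"),
        Site(CONTACTS, "activity:onClick", "request"),
        Site(CONTACTS, "activity:onClick", "use"),
    ]),
    App("camera_like", [  # prompted on tap, also exercised from a background service
        Site(CAMERA, "activity:onClick", "request"),
        Site(CAMERA, "activity:onClick", "use"),
        Site(CAMERA, "service:onStartCommand", "use"),
    ]),
]

if __name__ == "__main__":
    for app in SAMPLE_APPS:
        r = compare(app)
        print(app.name, r.unprompted, sorted(r.multi_use), sorted(r.multi_request))
    print(summarize(SAMPLE_APPS))
```

Note that the model treats a use context as "prompted" only if the same permission is requested from that exact context; a looser policy (any request reachable earlier in the same component, or any user-visible request at all) would shrink the unprompted set, which is the kind of threshold choice a real tool has to state explicitly.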

Keywords

Android · Smartphone · Permission model · App analysis

Notes

Acknowledgements

We are grateful to anonymous reviewers for their comments and suggestions. The second author is supported in part by an NSERC Discovery Grant.


Copyright information

© IFIP International Federation for Information Processing 2018

Authors and Affiliations

  1. Concordia Institute of Information Systems Engineering, Concordia University, Montreal, Canada
