Advertisement

A Light-Weight Framework for Pre-submission Vetting of Android Applications in App Stores

  • Boya Li
  • Guojun WangEmail author
  • Haroon Elahi
  • Guihua Duan
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 1123)

Abstract

In general, smartphone apps are rolled-out under a data over-collection based business model. Under this model, users can download and use the apps free of cost, but a large number of permissions are asked from users to access data and resources on their smartphones. Apps collect user data and sell them to interested third-parties for making profits, or abuse smartphone resources for financial gains. This phenomenon introduces privacy and trust issues. Existing vetting mechanisms in the app stores mainly depend on user feedback and expert reviews and only target malicious apps. Permission abusive apps are not included in this list yet. In this paper, we propose a light-weight framework for pre-submission vetting of Android apps by app stores. We generate functional signatures of an app from its description and analyze them to build a profile that contains different permission usage scores, or suggests whether an app is suspicious. This framework can be used in the first line of defense in app stores to vet newly submitted apps.

Keywords

Android permissions App vetting Privacy Trust 

Notes

Acknowledgements

This work was supported in part by the National Natural Science Foundation of China under Grant 61632009, in part by the Guangdong Provincial Natural Science Foundation under Grant 2017A030308006, and in part by the High-Level Talents Program of Higher Education in Guangdong Province under Grant 2016ZJ01.

References

  1. 1.
    Schneier, B.: It’s not just Facebook. Thousands of companies are spying on you. https://bit.ly/2ro89mx. Accessed 10 Apr 2018
  2. 2.
    Ramos, D.: Uber crunches user data to determine where the most ‘one-night stands’ come from. https://tinyurl.com/y5qd6agd. Accessed 10 Apr 2018
  3. 3.
    Graham-Harrison, E., Cadwalladr, C., Osborne, H.: Cambridge analytica boasts of dirty tricks to swing elections (2018). https://tinyurl.com/y23bgenk
  4. 4.
    Dao, T.A., Singh, I., Madhyastha, H.V., Krishnamurthy, S.V., Cao, G., Mohapatra, P.: TIDE: a user-centric tool for identifying energy hungry applications on smartphones. IEEE/ACM Trans. Netw. 25, 1459–1474 (2017)CrossRefGoogle Scholar
  5. 5.
    Rahman, S., et al.: Internet data budget allocation policies for diverse smartphone applications. EURASIP J. Wirel. Commun. Netw. 2016, 226 (2016)CrossRefGoogle Scholar
  6. 6.
    Zhang, S., Wang, G., Bhuiyan, M.Z.A., Liu, Q.: A dual privacy preserving scheme in continuous location-based services. IEEE Internet Things J. 5, 4191–4200 (2018)CrossRefGoogle Scholar
  7. 7.
    Zhang, S., Li, X., Tan, Z., Peng, T., Wang, G.: A caching and spatial K-anonymity driven privacy enhancement scheme in continuous location-based services. Future Gener. Comput. Syst. 94, 40–50 (2019)CrossRefGoogle Scholar
  8. 8.
    Elahi, H., Wang, G., Li, X.: Smartphone bloatware: an overlooked privacy problem. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, K.-K.R. (eds.) SpaCCS 2017. LNCS, vol. 10656, pp. 169–185. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-72389-1_15CrossRefGoogle Scholar
  9. 9.
    Phung, P.H., Mohanty, A., Rachapalli, R., Sridhar, M.: Hybridguard: a principal-based permission and fine-grained policy enforcement framework for web-based mobile applications. In: IEEE Security and Privacy Workshops (SPW), pp. 147–156. IEEE (2017)Google Scholar
  10. 10.
    Fragkaki, E., Bauer, L., Jia, L., Swasey, D.: Modeling and enhancing Android’s permission system. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 1–18. Springer, Heidelberg (2012).  https://doi.org/10.1007/978-3-642-33167-1_1CrossRefGoogle Scholar
  11. 11.
    Mylonas, A., Kastania, A., Gritzalis, D.: Delegate the smartphone user? Security awareness in smartphone platforms. Comput. Secur. 34, 47–66 (2013)CrossRefGoogle Scholar
  12. 12.
    Welch, C.: Google took down over 700,000 bad Android apps in 2017, The Verge (2018). https://tinyurl.com/yco84en2. Accessed 10 Sep 2019
  13. 13.
    Stefanko, L.: First-of-its-kind spyware sneaks into Google Play, Welivesecurity (2019). https://tinyurl.com/y6gq2z2v. Accessed 10 Sep 2019
  14. 14.
    Elahi, H., Wang, G., Xie, D.: Assessing privacy behaviors of smartphone users in the context of data over-collection problem: an exploratory study. In: IEEE SmartWorld, Ubiquitous Intelligence & Computing, Advanced & Trusted Computed, Scalable Computing & Communications, Cloud & Big Data Computing, Internet of People and Smart City Innovation (SmartWorld/SCALCOM/UIC/ATC/CBDCom/IOP/SCI), pp. 1–8. IEEE (2017)Google Scholar
  15. 15.
    Martens, D., Maalej, W.: Towards understanding and detecting fake reviews in app stores. Empir. Softw. Eng. 1–40 (2019).  https://doi.org/10.1007/s10664-019-09706-9. ISSN: 1573-7616
  16. 16.
    Google: Permissions Overview. https://bit.ly/2HcAcye
  17. 17.
    Fu, H., Lindqvist, J.: General area or approximate location? In: Proceedings of the 13th Workshop on Privacy in the Electronic Society - WPES 2014, pp. 117–120. ACM Press, New York (2014)Google Scholar
  18. 18.
    Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, Washington DC, pp. 1–14. ACM, New York (2012)Google Scholar
  19. 19.
    Fife, E., Orjuela, J.: The privacy calculus: mobile apps and user perceptions of privacy and security. Int. J. Eng. Bus. Manag. 4, 1–10 (2012)CrossRefGoogle Scholar
  20. 20.
    Google: App Permissions (Usage Notes). https://bit.ly/2LQoE61
  21. 21.
    Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, Chicago, Illinois, USA, pp. 627–638. ACM, New York (2011)Google Scholar
  22. 22.
    Stevens, R., Ganz, J., Filkov, V., Devanbu, P., Chen, H.: Asking for (and about) permissions used by Android apps. In: 10th IEEE Working Conference on Mining Software Repositories (MSR), San Francisco, CA, pp. 31–40. IEEE (2013)Google Scholar
  23. 23.
    Wang, J., Cheng, H., Xue, M., Hei, X.: Revisiting localization attacks in mobile app people-nearby services. In: Wang, G., Atiquzzaman, M., Yan, Z., Choo, K.-K.R. (eds.) SpaCCS 2017. LNCS, vol. 10656, pp. 17–30. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-72389-1_2CrossRefGoogle Scholar
  24. 24.
    Bartel, A., Klein, J., Le Traon, Y., Monperrus, M.: Automatically securing permission-based software by reducing the attack surface: an application to Android. In: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering - ASE 2012, p. 274. ACM Press, New York (2012)Google Scholar
  25. 25.
    Seneviratne, S., Seneviratne, A., Mohapatra, P., Mahanti, A.: Predicting user traits from a snapshot of apps installed on a smartphone. Mob. Comput. Commun. Rev. 18, 1–8 (2014)CrossRefGoogle Scholar
  26. 26.
    Dimitriadis, A., Efraimidis, P.S., Katos, V.: Malevolent app pairs: an Android permission overpassing scheme. In: Proceedings of the ACM International Conference on Computing Frontiers - CF 2016, pp. 431–436. ACM Press, New York (2016)Google Scholar
  27. 27.
    Tang, J., Li, R., Han, H., Zhang, H., Gu, X.: Detecting permission over-claim of Android applications with static and semantic analysis approach. In: IEEE Trustcom/BigDataSE/ICESS, pp. 706–713. IEEE (2017)Google Scholar
  28. 28.
    Segura, J.: Drive-by cryptomining campaign targets millions of Android users. https://tinyurl.com/y6pnjdob
  29. 29.
    Kang, Y., Miao, X., Liu, H., Ma, Q., Liu, K., Liu, Y.: Learning resource management specifications in smartphones. In: Proceedings of the International Conference on Parallel and Distributed Systems - ICPADS, January 2016, pp. 100–107 (2016)Google Scholar
  30. 30.
    Banerjee, A., Chong, L.K., Ballabriga, C., Roychoudhury, A.: EnergyPatch: repairing resource leaks to improve energy-efficiency of Android apps. IEEE Trans. Softw. Eng. 44, 470–490 (2017). Kindly check the edits made in Ref [30]CrossRefGoogle Scholar
  31. 31.
    Prochkova, I., Singh, V., Nurminen, J.K.: Energy cost of advertisements in mobile games on the Android platform. In: Proceedings of the 6th International Conference on Next Generation Mobile Applications, Services and Technologies, NGMAST 2012, pp. 147–152 (2012)Google Scholar
  32. 32.
    Sun, L., Li, Z., Yan, Q., Srisa-an, W., Pan, Y.: SigPID: significant permission identification for Android malware detection. In: 11th International Conference on Malicious and Unwanted Software (MALWARE), pp. 59–66. IEEE (2016)Google Scholar
  33. 33.
    Bugiel, S., et al.: Xmandroid : a new Android evolution to mitigate privilege escalation attacks. Center for Advanced Security Research Darmstadt, Darmstadt (2011)Google Scholar
  34. 34.
    Google: Privacy, Security, and Deception, Google Play (2018). https://tinyurl.com/y63o8qbb. Accessed 18 Apr 2018
  35. 35.
    Hamed, A., Ben Ayed, H.K.: Privacy risk assessment and users’ awareness for mobile apps permissions. In: IEEE/ACS 13th International Conference of Computer Systems and Applications (AICCSA), pp. 1–8. IEEE (2016)Google Scholar
  36. 36.
    Han, W., Wang, W., Zhang, X., Peng, W., Fang, Z.: APP vetting based on the consistency of description and APK. In: Yung, M., Zhu, L., Yang, Y. (eds.) INTRUST 2014. LNCS, vol. 9473, pp. 259–277. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-27998-5_17CrossRefGoogle Scholar
  37. 37.
    Taylor, V.F., Martinovic, I.: SecuRank: starving permission-hungry apps using contextual permission analysis. In: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices - SPSM 2016, pp. 43–52. ACM Press, New York (2016)Google Scholar
  38. 38.
    Wu, J., Yang, M., Luo, T.: PACS: permission abuse checking system for Android applications based on review mining. In: IEEE Conference on Dependable and Secure Computing, pp. 251–258. IEEE (2017)Google Scholar
  39. 39.
    Slavin, R., et al.: Toward a framework for detecting privacy policy violations in Android application code. In: Proceedings of the 38th International Conference on Software Engineering - ICSE 2016, pp. 25–36. ACM Press, New York (2016)Google Scholar
  40. 40.
    Calciati, P., Gorla, A.: How do apps evolve in their permission requests? A preliminary study. In: IEEE/ACM 14th International Conference on Mining Software Repositories (MSR), pp. 37–41. IEEE (2017)Google Scholar
  41. 41.
    Cheng, Y., Yan, Z.: PerRec: a permission configuration recommender system for mobile apps. In: Ibrahim, S., Choo, K.-K.R., Yan, Z., Pedrycz, W. (eds.) ICA3PP 2017. LNCS, vol. 10393, pp. 476–485. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-65482-9_34CrossRefGoogle Scholar

Copyright information

© Springer Nature Singapore Pte Ltd. 2019

Authors and Affiliations

  1. 1.School of Computer ScienceGuangzhou UniversityGuangzhouChina
  2. 2.School of Computer Science and EngineeringCentral South UniversityChangshaChina

Personalised recommendations