Risk analysis of Android applications: A user-centric solution

Abstract

Android applications (apps) pose many risks to their users, e.g., by including code that may threaten user privacy or system integrity. Most of the current security countermeasures for detecting dangerous apps show some weaknesses, mainly related to users' understanding and acceptance. Hence, users would benefit from an effective but simple technique that indicates whether an app is safe or risky to install. In this paper, we present MAETROID (Multi-criteria App Evaluator of TRust for AndrOID), a framework to evaluate the trustworthiness of Android apps, i.e., the amount of risk they pose to users, e.g., in terms of confidentiality and integrity. MAETROID performs a multi-criteria analysis of an app at deploy-time and returns a single, easy-to-understand evaluation of the app's risk level (i.e., Trusted, Medium Risk, or High Risk), aimed at driving the user's decision on whether or not to install a new app. The criteria include the set of requested permissions and a set of metadata retrieved from the marketplace, denoting the app's quality and popularity. We have tested MAETROID on a set of 11,000 apps coming both from Google Play and from a database of known malicious apps. The results show good accuracy both in identifying the malicious apps and in terms of false positive rate.
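As an added illustration (not the authors' code), the following toy evaluator follows the structure described above: it reads the requested permissions from a constructed AndroidManifest.xml, combines them with marketplace metadata (rating, number of ratings, downloads), and emits the paper's three-level verdict. The permission weights, the SMS/Internet combination rule and the thresholds are assumptions; the abstract does not specify how MAETROID actually weights its criteria.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumed per-permission risk weights (higher = more sensitive for the user).
PERMISSION_WEIGHTS = {
    "android.permission.READ_SMS": 3, "android.permission.SEND_SMS": 3,
    "android.permission.READ_CONTACTS": 2, "android.permission.READ_CALL_LOG": 2,
    "android.permission.ACCESS_FINE_LOCATION": 2, "android.permission.RECORD_AUDIO": 2,
    "android.permission.CAMERA": 1, "android.permission.INTERNET": 1,
}
# Assumed extra weight when SMS sending is paired with network access or boot persistence.
SMS_COMBO_BONUS = 2


def manifest_for(perms):
    """Build a constructed, minimal AndroidManifest.xml declaring the given permissions."""
    body = "".join('<uses-permission android:name="%s"/>' % p for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.app">%s</manifest>' % body)


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    return {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}


def permission_score(perms):
    """Criterion 1: requested permissions, weighted, plus an assumed combination rule."""
    score = sum(PERMISSION_WEIGHTS.get(p, 0) for p in perms)
    if "android.permission.SEND_SMS" in perms and (
        "android.permission.INTERNET" in perms
        or "android.permission.RECEIVE_BOOT_COMPLETED" in perms
    ):
        score += SMS_COMBO_BONUS
    return score


def metadata_score(rating, num_ratings, downloads):
    """Criterion 2: marketplace quality/popularity; low values add risk (assumed cut-offs)."""
    return 2 * (rating < 3.0) + (num_ratings < 50) + (downloads < 1000)


def evaluate(manifest_xml, rating, num_ratings, downloads):
    """Combine both criteria into the single three-level verdict shown to the user."""
    total = permission_score(requested_permissions(manifest_xml))
    total += metadata_score(rating, num_ratings, downloads)
    return "High Risk" if total >= 6 else "Medium Risk" if total >= 3 else "Trusted"
```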
