On Understanding Permission Usage Contextuality in Android Apps

In the runtime permission model, the context in which a permission is requested or used for the first time may change later without the user’s knowledge. Our goal is to understand how permissions are requested and used in different contexts under the runtime permission model, and to compare these contexts to identify potential inconsistencies. We present ContextDroid, a static analysis tool that identifies the contexts of permission requests and uses, and analyze 6,790 apps (chosen from an initial set of 10,062 apps from the Google Play Store). Our preliminary results show that apps often use permissions in dissimilar contexts: 15% of the apps use permissions in contexts where users are not prompted and may be unaware; 46% of the apps use permissions in multiple contexts, while only 20% of the apps request permissions in multiple contexts. We hope our study will attract more research into non-contextual usage (and possible abuse) of permissions in the runtime model, and may spur further work on the design of finer-grained permission control.
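The comparison the abstract describes (where a permission is requested versus where it is actually exercised) can be illustrated with a small reachability analysis over a call graph. The following is an added example, not ContextDroid's code or any artifact of the paper: the call graph, the entry-point contexts (`ui-callback`, `lifecycle`, `background`), the API-to-permission map and the `ActivityCompat.requestPermissions:<PERMISSION>` node naming are all constructed for this illustration. It reports permissions that are used from a context in which no request ever happens, which is the "user never prompted here" case the study counts, and also lists permissions that are requested or used in more than one context.

```python
"""Toy context comparison for Android permission requests and uses.

Constructed example (not ContextDroid). An app is modelled as a call graph whose
entry points are labelled with the context that reaches them. For every
permission we collect the contexts in which it is requested and the contexts in
which a permission-protected API is called, then compare the two sets.
"""
from collections import defaultdict, deque

# Assumed mapping from a tiny subset of permission-protected framework APIs to
# the permission they require (real tools derive this from PScout-style maps).
API_PERMISSION = {
    "LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "Camera.open": "CAMERA",
    "ContactsContract.query": "READ_CONTACTS",
}

# Constructed call graph: caller -> callees. Request sites are encoded as
# "ActivityCompat.requestPermissions:<PERMISSION>" for brevity.
CALL_GRAPH = {
    "MainActivity.onClick": ["MainActivity.askLocation", "LocationHelper.fetch"],
    "MainActivity.askLocation": ["ActivityCompat.requestPermissions:ACCESS_FINE_LOCATION"],
    "LocationHelper.fetch": ["LocationManager.getLastKnownLocation"],
    "SyncService.onStartCommand": ["LocationHelper.fetch", "ContactsContract.query"],
    "MainActivity.onResume": ["ActivityCompat.requestPermissions:READ_CONTACTS"],
}

# Entry points and the (assumed) context that reaches each of them.
ENTRY_CONTEXT = {
    "MainActivity.onClick": "ui-callback",      # user tapped something
    "MainActivity.onResume": "lifecycle",       # framework lifecycle callback
    "SyncService.onStartCommand": "background", # no UI, user not watching
}

REQUEST_PREFIX = "ActivityCompat.requestPermissions:"


def reachable(start, call_graph):
    """Return every node reachable from an entry point, including itself."""
    seen, work = set(), deque([start])
    while work:
        node = work.popleft()
        if node in seen:
            continue
        seen.add(node)
        work.extend(call_graph.get(node, []))
    return seen


def permission_contexts(call_graph=CALL_GRAPH, entry_context=ENTRY_CONTEXT,
                        api_permission=API_PERMISSION):
    """Map each permission to the contexts in which it is requested and used."""
    requested, used = defaultdict(set), defaultdict(set)
    for entry, ctx in entry_context.items():
        for node in reachable(entry, call_graph):
            if node.startswith(REQUEST_PREFIX):
                requested[node[len(REQUEST_PREFIX):]].add(ctx)
            elif node in api_permission:
                used[api_permission[node]].add(ctx)
    return dict(requested), dict(used)


def unprompted_uses(**kwargs):
    """Permissions used in a context where no request is reachable: the user
    is never prompted there, which is the inconsistency the study measures."""
    requested, used = permission_contexts(**kwargs)
    result = {}
    for perm, ctxs in used.items():
        missing = ctxs - requested.get(perm, set())
        if missing:
            result[perm] = sorted(missing)
    return result


def multi_context_permissions(**kwargs):
    """(permissions used in >1 context, permissions requested in >1 context)."""
    requested, used = permission_contexts(**kwargs)
    return (sorted(p for p, c in used.items() if len(c) > 1),
            sorted(p for p, c in requested.items() if len(c) > 1))


if __name__ == "__main__":
    for perm, ctxs in unprompted_uses().items():
        print(f"{perm}: used without a request in {', '.join(ctxs)}")
    print("used in multiple contexts:", multi_context_permissions()[0])
```

In the constructed graph, `ACCESS_FINE_LOCATION` is requested only from the click handler but also exercised from the background service, and `READ_CONTACTS` is requested in a lifecycle callback yet used only in the background; both surface as unprompted uses. A real analysis needs a sound call graph and a complete API-to-permission map, which is exactly where the static-analysis tooling the paper builds on comes in.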
