Is this app safe?: a large scale study on application permissions and risk signals

Third-party applications (apps) drive the attractiveness of web and mobile application platforms. Many of these platforms adopt a decentralized control strategy, relying on explicit user consent to grant the permissions that apps request. Users have to rely primarily on community ratings as signals for identifying potentially harmful or inappropriate apps, even though community ratings typically reflect opinions about perceived functionality or performance rather than about risks. With the arrival of HTML5 web apps, such user-consent permission systems will become more widespread. We study the effectiveness of user-consent permission systems through a large-scale data collection of Facebook apps, Chrome extensions and Android apps. Our analysis confirms that the current forms of community ratings used in app markets today are not reliable indicators of the privacy risks of an app. We find some evidence indicating attempts to mislead or entice users into granting permissions: free applications and applications with mature content request more permissions than is typical; 'look-alike' applications, which have names similar to those of popular applications, also request more permissions than is typical. We also find that, across all three platforms, popular applications request more permissions than average.
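The two risk signals named above, look-alike names and above-typical permission counts, can be computed from a market listing. The following is an added example, not code from the paper or its authors: it assumes restricted Damerau-Levenshtein (optimal string alignment) edit distance as the name-similarity measure and uses a constructed sample catalogue with Android-style permission names.

```python
# Added example (not from the paper): flag look-alike app names and above-typical
# permission counts as risk signals. Edit distance is an assumed similarity measure;
# the popular-app list and catalogue below are constructed sample data.
from statistics import median


def osa_distance(a: str, b: str) -> int:
    """Restricted Damerau-Levenshtein distance (insert, delete, substitute, adjacent swap)."""
    a, b = a.lower(), b.lower()
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def lookalike_of(name, popular, max_dist=2):
    """Return the popular app name this listing imitates, or None (exact matches are genuine)."""
    best = None
    for p in popular:
        if p.lower() == name.lower():
            return None
        dist = osa_distance(name, p)
        if dist <= max_dist and (best is None or dist < best[1]):
            best = (p, dist)
    return best[0] if best else None


def risk_signals(apps, popular, max_dist=2):
    """Map each app name to its list of signals; 'typical' is the catalogue median permission count."""
    typical = median(len(a["permissions"]) for a in apps)
    out = {}
    for a in apps:
        signals = []
        if len(a["permissions"]) > typical:
            signals.append("above_typical_permissions")
        target = lookalike_of(a["name"], popular, max_dist)
        if target:
            signals.append(f"lookalike_of:{target}")
        out[a["name"]] = signals
    return out


POPULAR = ["Angry Birds", "Facebook", "Instagram"]  # constructed
APPS = [  # constructed sample catalogue
    {"name": "Angry Birds", "permissions": ["INTERNET"]},
    {"name": "Angry Bird5", "permissions": ["INTERNET", "READ_CONTACTS", "SEND_SMS", "READ_SMS"]},
    {"name": "Instagarm", "permissions": ["INTERNET", "CAMERA", "ACCESS_FINE_LOCATION"]},
    {"name": "Calculator", "permissions": ["INTERNET", "VIBRATE"]},
    {"name": "Weather Now", "permissions": ["INTERNET", "ACCESS_COARSE_LOCATION"]},
]
```

Running `risk_signals(APPS, POPULAR)` flags both misspelled clones with both signals while the genuine popular app and the unrelated apps get none.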
