What Permissions Should This Android App Request?

As Android is one of the most popular open source mobile platforms, ensuring the security and privacy of Android applications is very important. Android provides a permission mechanism that requires developers to declare the sensitive resources their applications need, and users must agree to these requests when they install (for Android API level 22 or lower) or run (for Android API level 23 or higher) the applications. Although Android provides good official documentation on how to use permissions properly, misuses have been reported even for the most popular permissions. Recently, Karim et al. proposed an association rule mining based approach to better infer the permissions that an API needs. In this work, to improve on the effectiveness of that prior work, we propose an approach based on collaborative filtering, one of the popular techniques used to build recommendation systems. Our approach is built on the intuition that apps with similar features, inferred from the APIs they use, usually share similar permissions. We evaluate the proposed approaches on 936 Android apps from F-Droid, a repository of free and open source Android applications. The experimental results show that our proposed approaches achieve significant improvement over Karim et al.'s approach in terms of the precision, recall, F1-score and MAP of the top-k results.
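As an added illustration of the intuition above (this is not the paper's code, and the apps, API names and permission sets are constructed for the example rather than taken from the F-Droid dataset), the following Python sketch implements a neighbourhood-based collaborative filter over API-usage vectors: each training app is a binary vector of the framework APIs it calls, a new app is compared to every training app with cosine similarity, and its nearest neighbours vote for the permissions they declare, weighted by similarity. It also computes the top-k precision, recall, F1 and MAP the abstract uses for evaluation. The choice of cosine similarity, the three-neighbour cut-off and similarity-weighted voting are assumptions made here; the page does not state which similarity measure or weighting the paper uses.

```python
from __future__ import annotations

import math
from collections import defaultdict

# Constructed toy corpus for illustration only (not the paper's F-Droid data): for each
# training app, the framework APIs it calls and the permissions declared in its manifest.
TRAINING_APPS = {
    "maps_app": {"apis": {"LocationManager.requestLocationUpdates", "LocationManager.getLastKnownLocation",
                          "ConnectivityManager.getActiveNetworkInfo", "HttpURLConnection.connect"},
                 "perms": {"ACCESS_FINE_LOCATION", "ACCESS_NETWORK_STATE", "INTERNET"}},
    "weather_app": {"apis": {"LocationManager.getLastKnownLocation", "ConnectivityManager.getActiveNetworkInfo",
                             "HttpURLConnection.connect"},
                    "perms": {"ACCESS_COARSE_LOCATION", "ACCESS_NETWORK_STATE", "INTERNET"}},
    "camera_app": {"apis": {"Camera.open", "MediaRecorder.start", "Environment.getExternalStorageDirectory"},
                   "perms": {"CAMERA", "RECORD_AUDIO", "WRITE_EXTERNAL_STORAGE"}},
    "sms_app": {"apis": {"SmsManager.sendTextMessage", "ContentResolver.query", "HttpURLConnection.connect"},
                "perms": {"SEND_SMS", "READ_CONTACTS", "INTERNET"}},
    "voice_notes": {"apis": {"MediaRecorder.start", "Environment.getExternalStorageDirectory"},
                    "perms": {"RECORD_AUDIO", "WRITE_EXTERNAL_STORAGE"}},
}

# Constructed evaluation queries: (APIs used by a new app, permissions it really needs).
# The second query mixes two behaviour profiles, so some neighbours vote for permissions
# the app does not need; that is the case where precision at k drops.
QUERIES = [
    ({"LocationManager.requestLocationUpdates", "ConnectivityManager.getActiveNetworkInfo",
      "HttpURLConnection.connect"},
     {"ACCESS_FINE_LOCATION", "ACCESS_NETWORK_STATE", "INTERNET"}),
    ({"Camera.open", "HttpURLConnection.connect"}, {"CAMERA", "INTERNET"}),
]


def cosine(a: set[str], b: set[str]) -> float:
    """Cosine similarity of two apps' binary API-usage vectors."""
    if not a or not b:
        return 0.0
    return len(a & b) / math.sqrt(len(a) * len(b))


def recommend_permissions(query_apis, training=TRAINING_APPS, n_neighbors=3):
    """Rank permissions for an app by similarity-weighted votes of its n nearest neighbours.

    Votes are normalised by the neighbours' total similarity, so a permission declared
    by every neighbour scores 1.0. Returns [(permission, score), ...], best first.
    """
    sims = sorted(((cosine(query_apis, app["apis"]), name) for name, app in training.items()),
                  reverse=True)
    neighbors = [(s, name) for s, name in sims[:n_neighbors] if s > 0]
    total = sum(s for s, _ in neighbors)
    scores = defaultdict(float)
    for s, name in neighbors:
        for perm in training[name]["perms"]:
            scores[perm] += s / total
    # Round before sorting so equal votes tie deterministically, then break ties by name.
    return sorted(scores.items(), key=lambda kv: (-round(kv[1], 9), kv[0]))


def precision_recall_f1_at_k(ranked, truth, k):
    top = [perm for perm, _ in ranked[:k]]
    hits = sum(1 for perm in top if perm in truth)
    p, r = hits / k, hits / len(truth)
    return p, r, (2 * p * r / (p + r) if hits else 0.0)


def average_precision_at_k(ranked, truth, k):
    """AP over the top-k list, normalised by the number of hits that were possible."""
    hits, ap = 0, 0.0
    for i, (perm, _) in enumerate(ranked[:k], start=1):
        if perm in truth:
            hits += 1
            ap += hits / i
    return ap / min(k, len(truth))


def evaluate(queries=QUERIES, k=3, training=TRAINING_APPS):
    """Mean P@k, R@k, F1@k and MAP@k over (query_apis, truth) pairs."""
    totals = defaultdict(float)
    for apis, truth in queries:
        ranked = recommend_permissions(apis, training)
        p, r, f1 = precision_recall_f1_at_k(ranked, truth, k)
        for metric, value in (("P@k", p), ("R@k", r), ("F1@k", f1),
                              ("MAP@k", average_precision_at_k(ranked, truth, k))):
            totals[metric] += value
    return {metric: value / len(queries) for metric, value in totals.items()}


if __name__ == "__main__":
    for apis, truth in QUERIES:
        print(recommend_permissions(apis)[:3], "needs:", sorted(truth))
    print(evaluate())
```

The second query is the instructive one: the camera-plus-network app has three equally similar neighbours, and their votes push ACCESS_COARSE_LOCATION and ACCESS_NETWORK_STATE above CAMERA, so only one of the top three recommendations is correct. Over-recommendation is not a harmless ranking error here; a permission accepted from such a list but never exercised by the code is exactly the kind of over-privilege the abstract's cited misuse reports describe, so recommendations should be checked against an API-to-permission mapping (for example a PScout-style specification) before they land in the manifest.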

[1] Avinash C. Kak et al. Retrieval from software libraries for bug localization: a comparative study of generic and composite text models. MSR '11, 2011.

[2] Jonathan I. Maletic et al. An XML-Based Lightweight C++ Fact Extractor. IWPC, 2003.

[3] David Lo et al. How Android App Developers Manage Power Consumption? An Empirical Study by Mining Power Management Commits. 2016 IEEE/ACM 13th Working Conference on Mining Software Repositories (MSR), 2016.

[4] Massimiliano Di Penta et al. Mining Android Apps to Recommend Permissions. 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), 2016.

[5] Yajin Zhou et al. Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets. NDSS, 2012.

[6] David Lo et al. Cross-language bug localization. ICPC, 2014.

[7] Sahin Albayrak et al. Smartphone malware evolution revisited: Android next target? 2009 4th International Conference on Malicious and Unwanted Software (MALWARE), 2009.

[8] N. Cliff. Ordinal methods for behavioral data analysis. 1996.

[9] Gerard Salton et al. Research and Development in Information Retrieval. Lecture Notes in Computer Science, 1982.

[10] Steve Hanna et al. Android permissions demystified. CCS '11, 2011.

[11] F. Wilcoxon. Individual Comparisons by Ranking Methods. 1945.

[12] David A. Wagner et al. Android permissions: user attention, comprehension, and behavior. SOUPS, 2012.

[13] Premkumar T. Devanbu et al. Asking for (and about) permissions used by Android apps. 2013 10th Working Conference on Mining Software Repositories (MSR), 2013.

[14] Lior Rokach et al. Introduction to Recommender Systems Handbook. Recommender Systems Handbook, 2011.

[15] Ellen M. Voorhees et al. Evaluating evaluation measure stability. SIGIR '00, 2000.

[16] David Lo et al. Predicting Crashing Releases of Mobile Applications. ESEM, 2016.

[17] Zhen Huang et al. PScout: analyzing the Android permission specification. CCS, 2012.

[18] Lior Rokach et al. Recommender Systems Handbook. 2010.

[19] Rakesh Agrawal et al. Fast Algorithms for Mining Association Rules. VLDB, 1994.

[20] Emine Yilmaz et al. The maximum entropy method for analyzing retrieval measures. SIGIR '05, 2005.

[21] Peng Wang et al. AsDroid: detecting stealthy behaviors in Android applications by user interface and program behavior contradiction. ICSE, 2014.

[22] Ferenc Bodon et al. A fast APRIORI implementation. FIMI, 2003.

[23] Jian Zhou et al. Where should the bugs be fixed? More accurate information retrieval-based bug localization based on bug reports. 2012 34th International Conference on Software Engineering (ICSE), 2012.