Automatic, highly accurate app permission recommendation

To ensure security and privacy, Android employs a permission mechanism that requires developers to explicitly declare the permissions needed by their applications (apps). Users must grant those permissions before they install an app or at runtime. This mechanism protects users’ private data, but it also imposes additional requirements on developers: to declare permissions, developers need to know which permissions are necessary to implement the various features of their apps, and that knowledge is difficult to acquire because the Android documentation is incomplete. To address this problem, we present a novel permission recommendation system for Android apps named PerRec. PerRec leverages mining-based techniques and data fusion methods to recommend permissions for a given app according to the APIs it uses and their descriptions. The recommendation scores of candidate permissions are computed by composing two techniques, implemented as two components of PerRec: a collaborative filtering component that measures similarities between apps based on semantic similarities between APIs, and a content-based recommendation component that automatically constructs profiles for candidate permissions from existing apps. The two components are combined in PerRec for better performance. We have evaluated PerRec on 730 apps collected from Google Play and F-Droid, a repository of free and open source Android apps. Experimental results show that our approach significantly outperforms the state-of-the-art approaches $APRec^{CF_{correlation}}$, $APRec^{TEXT}$ and Axplorer.
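The two-component scheme the abstract describes, as an added illustration that is not PerRec's own code: a collaborative filtering component that lets each known app vote for its permissions weighted by its similarity to the target app, a content-based component that builds one profile per permission from the APIs of the apps declaring it, and a score-level fusion of the two. Everything concrete here is an assumption of the example: the corpus of apps is constructed, token overlap of API names stands in for the paper's semantic API similarity, the fusion is CombSUM over min-max normalised scores, and the API/permission pairs are illustrative rather than Android's real permission specification. It also adds the check a security reviewer wants from such a tool: declared permissions the recommender gives no support to are flagged as candidates for removal.

```python
"""
Added illustration of a two-component permission recommender.
NOT PerRec's code: constructed corpus, token-overlap similarity in place
of semantic API similarity, CombSUM fusion. API/permission pairs below
are illustrative, not Android's real permission specification.
"""
import re
from collections import Counter, defaultdict
from math import sqrt

# Constructed corpus: app -> (APIs it calls, permissions it declares)
CORPUS = {
    "maps_app": (
        {"LocationManager.requestLocationUpdates",
         "LocationManager.getLastKnownLocation",
         "HttpURLConnection.connect"},
        {"ACCESS_FINE_LOCATION", "INTERNET"}),
    "weather": (
        {"LocationManager.getLastKnownLocation",
         "HttpURLConnection.connect",
         "ConnectivityManager.getActiveNetworkInfo"},
        {"ACCESS_COARSE_LOCATION", "INTERNET", "ACCESS_NETWORK_STATE"}),
    "camera_fun": (
        {"Camera.open", "MediaRecorder.start", "HttpURLConnection.connect"},
        {"CAMERA", "RECORD_AUDIO", "INTERNET"}),
    "dialer": (
        {"TelephonyManager.getDeviceId", "Intent.ACTION_CALL"},
        {"READ_PHONE_STATE", "CALL_PHONE"}),
    "notes": (
        {"SharedPreferences.edit", "ConnectivityManager.getActiveNetworkInfo"},
        {"ACCESS_NETWORK_STATE"}),
}

# Constructed target app: uses location + network APIs, but its manifest
# also declares CALL_PHONE, which nothing in its code needs.
TARGET_APIS = {"LocationManager.requestLocationUpdates", "HttpURLConnection.connect"}
TARGET_DECLARED = {"INTERNET", "ACCESS_FINE_LOCATION", "CALL_PHONE"}


def tokens(api):
    """Split 'LocationManager.getLastKnownLocation' into lowercase camel-case words."""
    return [t.lower() for t in re.findall(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+", api)]


def vector(apis):
    """Bag-of-words vector over the tokens of a set of API names."""
    return Counter(t for api in apis for t in tokens(api))


def cosine(a, b):
    dot = sum(v * b.get(k, 0) for k, v in a.items())
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def cf_scores(target_apis, corpus):
    """Collaborative filtering: every corpus app votes for the permissions it
    declares, weighted by its similarity to the target app."""
    tv = vector(target_apis)
    scores = defaultdict(float)
    for apis, perms in corpus.values():
        sim = cosine(tv, vector(apis))
        for p in perms:
            scores[p] += sim
    return dict(scores)


def cb_scores(target_apis, corpus):
    """Content-based: build one profile per permission from the APIs of all
    apps declaring it, then match the target app against each profile."""
    tv = vector(target_apis)
    profiles = defaultdict(Counter)
    for apis, perms in corpus.values():
        for p in perms:
            profiles[p].update(vector(apis))
    return {p: cosine(tv, prof) for p, prof in profiles.items()}


def minmax(scores):
    lo, hi = min(scores.values()), max(scores.values())
    return {k: (v - lo) / (hi - lo) if hi > lo else 0.0 for k, v in scores.items()}


def fuse(*components):
    """CombSUM data fusion: sum of min-max normalised scores per component."""
    total = defaultdict(float)
    for comp in components:
        for k, v in minmax(comp).items():
            total[k] += v
    return dict(total)


def fused_scores(target_apis, corpus=CORPUS):
    return fuse(cf_scores(target_apis, corpus), cb_scores(target_apis, corpus))


def recommend(target_apis, corpus=CORPUS, k=3):
    """Top-k permissions, ties broken alphabetically for determinism."""
    f = fused_scores(target_apis, corpus)
    return sorted(f, key=lambda p: (-f[p], p))[:k]


def unsupported_permissions(target_apis, declared, corpus=CORPUS, threshold=0.5):
    """Least-privilege check: declared permissions with little or no support
    from the recommender (including ones no corpus app declares) are
    candidates for removal; each unneeded permission widens the attack surface."""
    f = fused_scores(target_apis, corpus)
    return sorted(p for p in declared if f.get(p, 0.0) < threshold)


if __name__ == "__main__":
    for p, s in sorted(fused_scores(TARGET_APIS).items(), key=lambda kv: -kv[1]):
        print(f"{p:24s} {s:.3f}")
    print("recommend:", recommend(TARGET_APIS))
    print("review/remove:", unsupported_permissions(TARGET_APIS, TARGET_DECLARED))
```

Run stand-alone, the script ranks INTERNET and the two location permissions at the top for the target app and flags CALL_PHONE, which no similar app declares and no used API supports. The threshold and the choice of CombSUM are tuning knobs of this example, not values from the paper; a real deployment would calibrate them on held-out apps and would derive the API-to-permission ground truth from a permission map such as PScout or Axplorer rather than from a hand-built corpus.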

[1] Yves Le Traon et al. Automatically securing permission-based software by reducing the attack surface: an application to Android. Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering, 2012.

[2] Edward A. Fox et al. Combining Evidence from Multiple Searches. TREC, 1992.

[3] Hinrich Schütze et al. Introduction to Information Retrieval. 2008.

[4] Jeannette M. Wing et al. An Attack Surface Metric. IEEE Transactions on Software Engineering, 2011.

[5] Steve Hanna et al. Android permissions demystified. CCS '11, 2011.

[6] Javed A. Aslam et al. Models for metasearch. SIGIR '01, 2001.

[7] Anthony Desnos. Android: From Reversing to Decompilation. 2011.

[8] Zhen Huang et al. PScout: analyzing the Android permission specification. CCS, 2012.

[9] Zhenchang Xing et al. Predicting semantically linkable knowledge in developer online forums via convolutional neural network. 31st IEEE/ACM International Conference on Automated Software Engineering (ASE), 2016.

[10] David A. Wagner et al. Android permissions: user attention, comprehension, and behavior. SOUPS, 2012.

[11] K. Goulden et al. Effect Sizes for Research: A Broad Practical Approach. 2006.

[12] L. Cranor et al. Curbing Android Permission Creep. 2011.

[13] Zhong Chen et al. AutoCog: Measuring the Description-to-permission Fidelity in Android Applications. CCS, 2014.

[14] Hahn-Ming Lee et al. DroidMat: Android Malware Detection through Manifest and API Calls Tracing. Seventh Asia Joint Conference on Information Security, 2012.

[15] Shengli Wu et al. Ranking-Based Fusion. 2012.

[16] David Lo et al. Automated Android application permission recommendation. Science China Information Sciences, 2016.

[17] Jeffrey Pennington et al. GloVe: Global Vectors for Word Representation. EMNLP, 2014.

[18] Gaël Varoquaux et al. Scikit-learn: Machine Learning in Python. Journal of Machine Learning Research, 2011.

[19] Edward A. Fox et al. Combination of Multiple Searches. TREC, 1993.

[20] David Lo et al. What Permissions Should This Android App Request? International Conference on Software Analysis, Testing and Evolution (SATE), 2016.

[21] Massimiliano Di Penta et al. Mining Android Apps to Recommend Permissions. IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), 2016.

[22] Xiao Ma et al. From Word Embeddings to Document Similarities for Improved Information Retrieval in Software Engineering. IEEE/ACM 38th International Conference on Software Engineering (ICSE), 2016.

[23] Georgios Gousios et al. GHTorrent: Github's data from a firehose. 9th IEEE Working Conference on Mining Software Repositories (MSR), 2012.

[24] David Lo et al. Cross-language bug localization. ICPC, 2014.

[25] Guy Shani et al. A Survey of Accuracy Evaluation Metrics of Recommendation Tasks. Journal of Machine Learning Research, 2009.

[26] Meiyappan Nagappan et al. Curating GitHub for engineered software projects. PeerJ Preprints, 2016.

[27] Carlo Strapparava et al. Corpus-based and Knowledge-based Measures of Text Semantic Similarity. AAAI, 2006.

[28] Jonathan I. Maletic et al. An XML-Based Lightweight C++ Fact Extractor. IWPC, 2003.

[29] Erik Derr et al. On Demystifying the Android Application Framework: Re-Visiting Android Permission Specification Analysis. USENIX Security Symposium, 2016.

[30] David Lo et al. Fusion fault localizers. ASE, 2014.