Using text mining to infer the purpose of permission use in mobile apps

Understanding why an app uses sensitive data could improve privacy and enable new kinds of access control. In this paper, we introduce a technique for inferring the purpose of sensitive data use in Android smartphone apps. We extract multiple kinds of features from decompiled code, focusing on app-specific features and text-based features, and use these features to train a machine learning classifier. We evaluated the approach on two sensitive permissions, ACCESS_FINE_LOCATION and READ_CONTACT_LIST, and inferred purposes with an accuracy of about 85% and 94% respectively. We also found that text-based features alone are highly effective in inferring purposes.
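As an added illustration (not code from the paper), the following Python sketches the text-based feature path described above: identifiers in decompiled code are split into word tokens, and a classifier is trained on those tokens to label why an app uses ACCESS_FINE_LOCATION. The "decompiled" snippets, the three purpose labels (advertising, navigation, geosocial) and the choice of a multinomial naive Bayes model are assumptions of this example, not the authors' dataset, feature set or model.

```python
"""
Added example, not the paper's code: text-based features from decompiled
Android code, used to train a purpose classifier for ACCESS_FINE_LOCATION.
Snippets and labels are constructed for the illustration.
"""
import math
import re
from collections import Counter, defaultdict

_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*")   # identifiers / dotted paths
_CAMEL_RE = re.compile(r"([a-z0-9])([A-Z])")         # boundary inside camelCase


def tokenize(code):
    """Split identifiers from decompiled code into lowercase words.

    'com.admob.AdRequest' -> ['com', 'admob', 'ad', 'request']
    'getLastKnownLocation' -> ['get', 'last', 'known', 'location']
    """
    words = []
    for ident in _IDENT_RE.findall(code):
        spaced = _CAMEL_RE.sub(r"\1 \2", ident).replace("_", " ").replace(".", " ")
        words.extend(w.lower() for w in spaced.split() if len(w) > 1)
    return words


class PurposeClassifier:
    """Multinomial naive Bayes over token counts with Laplace smoothing."""

    def __init__(self):
        self.doc_counts = Counter()                # label -> number of snippets
        self.token_counts = defaultdict(Counter)   # label -> token -> count
        self.vocab = set()

    def fit(self, labelled_snippets):
        for code, label in labelled_snippets:
            tokens = tokenize(code)
            self.doc_counts[label] += 1
            self.token_counts[label].update(tokens)
            self.vocab.update(tokens)
        return self

    def _log_prob(self, label, token):
        counts = self.token_counts[label]
        return math.log((counts[token] + 1) / (sum(counts.values()) + len(self.vocab)))

    def log_scores(self, code):
        tokens = tokenize(code)
        total = sum(self.doc_counts.values())
        scores = {}
        for label, n_docs in self.doc_counts.items():
            scores[label] = math.log(n_docs / total) + sum(self._log_prob(label, t) for t in tokens)
        return scores

    def predict(self, code):
        scores = self.log_scores(code)
        return max(scores, key=scores.get)

    def top_tokens(self, label, k=5):
        """Tokens whose likelihood under `label` most exceeds every other purpose."""
        others = [o for o in self.doc_counts if o != label]

        def ratio(tok):
            return self._log_prob(label, tok) - max(self._log_prob(o, tok) for o in others)

        return sorted(sorted(self.vocab), key=ratio, reverse=True)[:k]


def accuracy(clf, labelled_snippets):
    hits = sum(clf.predict(code) == label for code, label in labelled_snippets)
    return hits / len(labelled_snippets)


# Constructed "decompiled" snippets (assumed, not from any real app), labelled
# with the purpose behind the location access.
TRAINING = [
    ("AdRequest req = new AdRequest(); req.setLocation(locationManager.getLastKnownLocation(provider));", "advertising"),
    ("adView.loadAd(adRequest); locationManager.requestLocationUpdates(LocationManager.NETWORK_PROVIDER, 0L, 0.0f, this);", "advertising"),
    ("class BannerAdController { Location loc = getLocation(); InterstitialAd interstitial; }", "advertising"),
    ("MoPubView moPubView; moPubView.setLocation(lastLocation); com.admob.android.ads.AdManager.setTestDevices(ids);", "advertising"),
    ("mapView.getController().animateTo(new GeoPoint(lat, lon)); mapView.setBuiltInZoomControls(true);", "navigation"),
    ("Route route = directionsService.computeRoute(startLocation, destination); routeOverlay.setRoute(route);", "navigation"),
    ("class TurnByTurnNavigator { Location current = locationManager.getLastKnownLocation(GPS_PROVIDER); drawRouteOverlay(mapView); }", "navigation"),
    ("mapController.setCenter(geoPoint); navigationPolyline.addPoint(current); compassOverlay.enableCompass();", "navigation"),
    ("class CheckInActivity { foursquareClient.checkin(venueId, location); }", "geosocial"),
    ("friendLocationService.shareLocation(userId, lastKnownLocation); nearbyFriendsAdapter.notifyDataSetChanged();", "geosocial"),
    ("Venue venue = venuesApi.searchNearby(location.getLatitude(), location.getLongitude()); postStatusUpdate(venue);", "geosocial"),
    ("class NearbyUsersFragment { List<User> nearby = socialApi.getNearbyUsers(location); }", "geosocial"),
]

# Constructed held-out snippets the classifier has not seen.
HELD_OUT = [
    ("AdRequest request = new AdRequest.Builder().setLocation(loc).build(); bannerAdView.loadAd(request);", "advertising"),
    ("Location fix = locationManager.getLastKnownLocation(LocationManager.GPS_PROVIDER); mapView.getController().setCenter(toGeoPoint(fix)); routeOverlay.draw(canvas);", "navigation"),
    ("Venue v = venuesApi.searchNearby(loc.getLatitude(), loc.getLongitude()); socialApi.checkin(v.getId(), loc);", "geosocial"),
]

if __name__ == "__main__":
    clf = PurposeClassifier().fit(TRAINING)
    for code, label in HELD_OUT:
        print(f"{label:12s} predicted={clf.predict(code)}")
    for label in clf.doc_counts:
        print(label, clf.top_tokens(label))
    print("held-out accuracy:", accuracy(clf, HELD_OUT))
```

The tokenizer is where most of the signal comes from: splitting `loadAd` into `load` and `ad`, or `venuesApi.searchNearby` into `venues`, `api`, `search`, `nearby`, is what lets a bag-of-words model see library and method vocabulary as purpose evidence. Obfuscated names (`a.b.c()`) collapse to short tokens that the `len(w) > 1` filter drops, which is one reason text-only features degrade on heavily obfuscated apps.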
