Short paper: enhancing users' comprehension of Android permissions

Android adopts a permission-based model to protect users' data and system resources. An application must explicitly request the user's approval of the permissions it requires at installation time. The utility of the permission model therefore depends critically on end users' ability to comprehend those permissions. However, a recent study has shown that Android users have poor comprehension of permissions. In this paper, we propose to help Android users better understand application permissions through crowdsourcing. In our approach, the users of a given application use our tool to help each other understand its permissions by sharing their permission reviews. We demonstrate the feasibility of our approach by implementing a proof-of-concept of our design, which can provide meaningful clues to users about what purposes a permission serves in an application. Our case study shows that the tool can provide helpful information on permission usage. It also exposes the limitations of the current implementation and the challenges that need to be addressed in our next step.
