A Framework for Permission Recommendation and Risk Evaluation Based on Skewness-Based Filtering

The Android mobile ecosystem has penetrated every aspect of people's lives. Since more and more sensitive and valuable information is stored in the mobile ecosystem, how to configure the permission system to guarantee security has become an important issue for the whole community. To address the permission over-privilege problem, a skewness-based permission recommendation framework is presented to identify over-privileged permissions and evaluate the risk of Android Apps. Specifically, the topic model Latent Dirichlet Allocation is employed to build the mapping between functionality and permissions. Considering the fact that even popular applications violate the least privilege principle, a collaborative filtering variant in which high-risk applications and permissions are identified is presented to recommend required permissions. Finally, a permission over-privilege based approach is presented to evaluate the risk of an application. Experiments on Apps from Google Play show that our approach is effective at identifying unexpected permissions for both popular and malicious Apps.
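As an added illustration, not code from the paper, the following Python sketch shows the peer-group idea behind over-privilege detection on a constructed set of Apps: it assumes LDA has already assigned each App a functional topic, and it replaces the paper's skewness-based filtering with a plain prevalence threshold, which is an assumption of this example rather than the paper's method.

```python
from collections import Counter, defaultdict

# Constructed sample: app -> (functional topic, requested permissions).
# The topic labels stand in for LDA output; the apps and their permission
# sets are made up for this example and do not come from Google Play.
APPS = {
    "flashlight_a": ("flashlight", {"CAMERA"}),
    "flashlight_b": ("flashlight", {"CAMERA", "VIBRATE"}),
    "flashlight_c": ("flashlight", {"CAMERA"}),
    "flashlight_d": ("flashlight", {"CAMERA", "READ_CONTACTS", "SEND_SMS"}),
    "flashlight_e": ("flashlight", {"CAMERA", "VIBRATE"}),
    "weather_a": ("weather", {"INTERNET", "ACCESS_FINE_LOCATION"}),
    "weather_b": ("weather", {"INTERNET", "ACCESS_COARSE_LOCATION"}),
    "weather_c": ("weather", {"INTERNET", "ACCESS_FINE_LOCATION", "READ_CALL_LOG"}),
    "weather_d": ("weather", {"INTERNET", "ACCESS_COARSE_LOCATION"}),
}


def permission_prevalence(apps):
    """Fraction of apps in each topic that request each permission."""
    by_topic = defaultdict(list)
    for topic, perms in apps.values():
        by_topic[topic].append(perms)
    prevalence = {}
    for topic, perm_sets in by_topic.items():
        counts = Counter(p for perms in perm_sets for p in perms)
        prevalence[topic] = {p: c / len(perm_sets) for p, c in counts.items()}
    return prevalence


def recommend_permissions(apps, topic, threshold=0.3):
    """Permissions common enough among a topic's peers to be recommended as required."""
    prev = permission_prevalence(apps)[topic]
    return sorted(p for p, share in prev.items() if share >= threshold)


def unexpected_permissions(apps, threshold=0.3):
    """Permissions an app requests that fewer than `threshold` of its peers request."""
    prev = permission_prevalence(apps)
    return {name: sorted(p for p in perms if prev[topic][p] < threshold)
            for name, (topic, perms) in apps.items()}


def risk_score(apps, threshold=0.3):
    """Risk = share of an app's requested permissions that its peer group does not explain."""
    unexpected = unexpected_permissions(apps, threshold)
    return {name: len(unexpected[name]) / len(perms)
            for name, (_, perms) in apps.items()}
```

Because the peer group itself may contain over-privileged Apps, the prevalence baseline can be inflated; that is the reason the paper first identifies high-risk Apps and permissions before recommending, a step this sketch omits.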
