research-article

Android permissions demystified

Authors:

Adrienne Porter Felt,

David WagnerAuthors Info & Claims

CCS '11: Proceedings of the 18th ACM conference on Computer and communications security

Pages 627 - 638

https://doi.org/10.1145/2046707.2046779

Published: 17 October 2011 Publication History

Abstract

Android provides third-party applications with an extensive API that includes access to phone hardware, settings, and user data. Access to privacy- and security-relevant parts of the API is controlled with an install-time application permission system. We study Android applications to determine whether Android developers follow least privilege with their permission requests. We built Stowaway, a tool that detects overprivilege in compiled Android applications. Stowaway determines the set of API calls that an application uses and then maps those API calls to permissions. We used automated testing tools on the Android API in order to build the permission map that is necessary for detecting overprivilege. We apply Stowaway to a set of 940 applications and find that about one-third are overprivileged. We investigate the causes of overprivilege and find evidence that developers are trying to follow least privilege but sometimes fail due to insufficient API documentation.

References

[1]

Amazon Appstore for Android. http://www.amazon.com/mobile-apps/b?ie=UTF8&node=2350149011.

[2]

Android Developers Reference. http://developer.android.com/reference/.

[3]

Android Market. http://www.android.com/market/.

[4]

Artzi, S., Ernst, M., Kiezun, A., Pacheco, C., and Perkins, J. Finding the needles in the haystack: Generating legal test inputs for object-oriented programs. In Workshop on Model-Based Testing and Object-Oriented Systems (2006).

[5]

Barrera, D., Kayacik, H., van Oorschot, P., and Somayaji, A. A methodology for empirical analysis of permission-based security models and its application to android. In Proc. of the ACM conference on Computer and Communications Security (2010).

Digital Library

[6]

Bodden, E., Sewe, A., Sinschek, J., and Mezini, M. Taming reflection: Static analysis in the presence of reflection and custom class loaders. Tech. Rep. TUD-CS-2010-0066, CASED, Mar. 2010.

[7]

Boyapati, C., Khurshid, S., and Marinov, D. Korat: Automated testing based on Java predicates. In Proc. of the 2002 ACM SIGSOFT International Symposium on Software Testing and Analysis (2002).

Digital Library

[8]

Chin, E., Felt, A. P., Greenwood, K., and Wagner, D. Analyzing Inter-Application Communication in Android. In Proc. of the Annual International Conference on Mobile Systems, Applications, and Services (2011).

Digital Library

[9]

Csallner, C., and Smaragdakis, Y. JCrasher: an automatic robustness tester for Java. Software: Practice and Experience 34, 11 (2004).

Digital Library

[10]

Distimo. The battle for the most content and the emerging tablet market. http://www.distimo.com/blog/2011_04_the-battle-for-the-most-content-and-the-emerging-tablet-market.

[11]

Enck, W., Octeau, D., McDaniel, P., and Chaudhuri, S. A Study of Android Application Security. In USENIX Security (2011).

Digital Library

[12]

Enck, W., Ongtang, M., and McDaniel, P. On lightweight mobile phone application certification. In Proc. of the ACM conference on Computer and Communications Security (2009).

Digital Library

[13]

Enck, W., Ongtang, M., and McDaniel, P. Understanding Android security. IEEE Security and Privacy 7, 1 (2009).

Digital Library

[14]

Enhanced JUnit. http://www.silvermark.com/Product/java/enhancedjunit/index.html.

[15]

Felt, A. P., Greenwood, K., and Wagner, D. The Effectiveness of Application Permissions. In Proc. of the USENIX Conference on Web Application Development (2011).

Digital Library

[16]

Gibler, C., Crussell, J., Erickson, J., and Chen, H. AndroidLeaks: Detecting Privacy Leaks in Android Applications. Tech. rep., UC Davis, 2011.

[17]

Hackborn, D. Re: List of private / hidden / system APIs? http://groups.google.com/group/android-developers/msg/a9248b18cba59f5a.

[18]

Livshits, B., Whaley, J., and Lam, M. S. Reflection Analysis for Java. In Asian Symposium on Programming Languages and Systems (2005).

Digital Library

[19]

McCluskey, G. Using Java Reflection. http://java.sun.com/developer/technicalArticles/ALT/Reflection/, 1998.

[20]

Pacheco, C., and Ernst, M. Randoop. http://code.google.com/p/randoop/.

[21]

Pacheco, C., and Ernst, M. Eclat: Automatic generation and classification of test inputs. European Conference on Object-Oriented Programming (2005).

Digital Library

[22]

Pacheco, C., Lahiri, S., Ernst, M., and Ball, T. Feedback-directed random test generation. In Proc. of the International Conference on Software Engineering (2007).

Digital Library

[23]

Paller, G. Dedexer. http://dedexer.sourceforge.net.

[24]

Sawin, J., and Rountev, A. Improving static resolution of dynamic class loading in java using dynamically gathered environment information. Automated Software Eng. 16 (June 2009), 357--381.

Digital Library

[25]

Stack Overflow. Broadcast Intent when network state has changend. http://stackoverflow.com/questions/2676044/broadcast-intent-when-network-state-has-changend.

[26]

Vennon, T., and Stroop, D. Threat Analysis of the Android Market. Tech. rep., SMobile Systems, 2010.

[27]

Vidas, T., Christin, N., and Cranor, L. Curbing Android Permission Creep. In W2SP (2011).

Cited By

McAmis RDurak BChase MLaine KRoesner FKohno T(2025)Handling Identity and Fraud in the MetaverseIEEE Security & Privacy10.1109/MSEC.2024.339969923:1(27-37)Online publication date: Jan-2025
https://doi.org/10.1109/MSEC.2024.3399699
Horne D(2025)Permissions: Access Control FundamentalsEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-030-71522-9_786(1796-1800)Online publication date: 8-Jan-2025
https://doi.org/10.1007/978-3-030-71522-9_786
Akgul OPeddinti STaft NMazurek MHarkous HSrivastava ASeguin BBalzarotti DXu W(2024)A decade of privacy-relevant android app reviewsProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699185(5089-5106)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699185
Show More Cited By

Index Terms

Android permissions demystified
1. Security and privacy
  1. Security services
    1. Access control
  2. Systems security
    1. Operating systems security

Recommendations

MAPPER: Mapping Application Description to Permissions
Risks and Security of Internet and Systems
Abstract
Android operating system has seen phenomenal growth, and Android Applications (Apps) have proliferated into mainstream usage across the globe. Are users informed by the developers about everything an App does when they consent to install an App ...
SecuRank: Starving Permission-Hungry Apps Using Contextual Permission Analysis
SPSM '16: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile Devices

Competition among app developers has caused app stores to be permeated with many groups of general-purpose apps that are functionally-similar. Examples are the many flashlight or alarm clock apps to choose from. Within groups of functionally-similar ...
PERMITME: integrating android permissioning support in the IDE
ETX '14: Proceedings of the 2014 Workshop on Eclipse Technology eXchange

One of the most common security & privacy issues concerning mobile applications is the unnecessary access to sensitive information and resources. In a mobile application platform like Android, where a permission mechanism is used to maintain access ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '11: Proceedings of the 18th ACM conference on Computer and communications security

October 2011

742 pages

ISBN:9781450309486

DOI:10.1145/2046707

General Chair:
Yan Chen
Northwestern University, USA
,
Program Chairs:
George Danezis
Microsoft Research Cambridge, UK
,
Vitaly Shmatikov
University of Texas at Austin, USA

Copyright © 2011 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 October 2011

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'11

Sponsor:

SIGSAC

CCS'11: the ACM Conference on Computer and Communications Security

October 17 - 21, 2011

Illinois, Chicago, USA

Acceptance Rates

CCS '11 Paper Acceptance Rate 60 of 429 submissions, 14%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

892
Total Citations
View Citations
7,937
Total Downloads

Downloads (Last 12 months)224
Downloads (Last 6 weeks)14

Reflects downloads up to 08 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

McAmis RDurak BChase MLaine KRoesner FKohno T(2025)Handling Identity and Fraud in the MetaverseIEEE Security & Privacy10.1109/MSEC.2024.339969923:1(27-37)Online publication date: Jan-2025
https://doi.org/10.1109/MSEC.2024.3399699
Horne D(2025)Permissions: Access Control FundamentalsEncyclopedia of Cryptography, Security and Privacy10.1007/978-3-030-71522-9_786(1796-1800)Online publication date: 8-Jan-2025
https://doi.org/10.1007/978-3-030-71522-9_786
Akgul OPeddinti STaft NMazurek MHarkous HSrivastava ASeguin BBalzarotti DXu W(2024)A decade of privacy-relevant android app reviewsProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699185(5089-5106)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699185
Lin YWong JLi XMa HGao DBalzarotti DXu W(2024)Peep with a mirrorProceedings of the 33rd USENIX Conference on Security Symposium10.5555/3698900.3699019(2119-2135)Online publication date: 14-Aug-2024
https://dl.acm.org/doi/10.5555/3698900.3699019
Chang KNiu HKim BBarber S(2024)IoT Privacy Risks RevealedEntropy10.3390/e2607056126:7(561)Online publication date: 29-Jun-2024
https://doi.org/10.3390/e26070561
Sosnovyy VLashchevska N(2024)DETECTION OF MALICIOUS ACTIVITY USING A NEURAL NETWORK FOR CONTINUOUS OPERATIONCybersecurity: Education, Science, Technique10.28925/2663-4023.2024.23.2132243:23(213-224)Online publication date: 2024
https://doi.org/10.28925/2663-4023.2024.23.213224
Albtosh LOmar M(2024)Improving mobile security: A study on android malware detection using LOFInternational Journal of Mathematics and Computer in Engineering10.2478/ijmce-2025-0018Online publication date: 18-Sep-2024
https://doi.org/10.2478/ijmce-2025-0018
Pathak AKumar TBarman U(2024)Static analysis framework for permission-based dataset generation and android malware detection using machine learningEURASIP Journal on Information Security10.1186/s13635-024-00182-32024:1Online publication date: 23-Oct-2024
https://doi.org/10.1186/s13635-024-00182-3
Zaidi SKhan SVyas PAafer YFilkov VRay BZhou M(2024)A Longitudinal Analysis Of Replicas in the Wild Wild AndroidProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695546(1821-1833)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695546
Wang YFan MZhou HWang HJin WLi JChen WLi SZhang YHan DLiu TFilkov VRay BZhou M(2024)MiniChecker: Detecting Data Privacy Risk of Abusive Permission Request Behavior in Mini-ProgramsProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695534(1667-1679)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695534
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten