DOI: 10.1145/2750858.2805833
research-article

Using text mining to infer the purpose of permission use in mobile apps

Published: 07 September 2015

Abstract

Understanding the purpose of why sensitive data is used could help improve privacy as well as enable new kinds of access control. In this paper, we introduce a new technique for inferring the purpose of sensitive data usage in the context of Android smartphone apps. We extract multiple kinds of features from decompiled code, focusing on app-specific features and text-based features. These features are then used to train a machine learning classifier. We have evaluated our approach in the context of two sensitive permissions, namely ACCESS_FINE_LOCATION and READ_CONTACT_LIST, and achieved an accuracy of about 85% and 94% respectively in inferring purposes. We have also found that text-based features alone are highly effective in inferring purposes.

    Published In

    UbiComp '15: Proceedings of the 2015 ACM International Joint Conference on Pervasive and Ubiquitous Computing
    September 2015
    1302 pages
    ISBN: 9781450335744
    DOI: 10.1145/2750858

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. Android
    2. mobile applications
    3. permission
    4. privacy
    5. purpose

    Qualifiers

    • Research-article

    Funding Sources

    • High-Tech Research and Development Program (863) of China
    • National Natural Science Foundation of China
    • National Science Foundation

    Conference

    UbiComp '15
    Sponsor:
    • Yahoo! Japan
    • SIGMOBILE
    • FX Palo Alto Laboratory, Inc.
    • ACM
    • Rakuten Institute of Technology
    • Microsoft
    • Bell Labs
    • SIGCHI
    • Panasonic
    • Telefónica
    • ISTC-PC

    Acceptance Rates

    UbiComp '15 Paper Acceptance Rate 101 of 394 submissions, 26%;
    Overall Acceptance Rate 764 of 2,912 submissions, 26%
