Publication | Closed Access
Android permissions demystified
1.3K
Citations
14
References
2011
Year
Unknown Venue
Mobile SecurityEngineeringInformation SecuritySoftware EngineeringAndroid ApiSoftware AnalysisOpen ApiHardware SecurityAndroid PermissionsExtensive ApiPhone HardwareOperating System SecurityData PrivacyMobile MalwareMobile ComputingComputer ScienceData SecuritySoftware SecurityProgram AnalysisSoftware Testing
Android offers third‑party apps extensive APIs for hardware, settings, and user data, with access regulated by an install‑time permission system. The study examines whether Android developers adhere to least privilege when requesting permissions. The authors developed Stowaway, a tool that maps an app’s API calls to permissions using automated testing of the Android API to detect overprivilege. In 940 apps, roughly one‑third were overprivileged, and developers’ attempts at least privilege often failed because of unclear API documentation.
Android provides third-party applications with an extensive API that includes access to phone hardware, settings, and user data. Access to privacy- and security-relevant parts of the API is controlled with an install-time application permission system. We study Android applications to determine whether Android developers follow least privilege with their permission requests. We built Stowaway, a tool that detects overprivilege in compiled Android applications. Stowaway determines the set of API calls that an application uses and then maps those API calls to permissions. We used automated testing tools on the Android API in order to build the permission map that is necessary for detecting overprivilege. We apply Stowaway to a set of 940 applications and find that about one-third are overprivileged. We investigate the causes of overprivilege and find evidence that developers are trying to follow least privilege but sometimes fail due to insufficient API documentation.
| Year | Citations | |
|---|---|---|
Page 1
Page 1