The effectiveness of application permissions

Authors:
Adrienne Porter Felt;Kate Greenwood;David Wagner
Affiliations:
University of California, Berkeley;University of California, Berkeley;University of California, Berkeley
Venue:
WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
Year:
2011

Citing 7
Cited 36

You've been warned: an empirical study of the effectiveness of web browser phishing warnings

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
On lightweight mobile phone application certification

Proceedings of the 16th ACM conference on Computer and communications security
Do windows users follow the principle of least privilege?: investigating user account control practices

Proceedings of the Sixth Symposium on Usable Privacy and Security
Crying wolf: an empirical study of SSL warning effectiveness

SSYM'09 Proceedings of the 18th conference on USENIX security symposium
A methodology for empirical analysis of permission-based security models and its application to android

Proceedings of the 17th ACM conference on Computer and communications security
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones

OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Verified Security for Browser Extensions

SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy

A survey of mobile malware in the wild

Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Short paper: a look at smartphone permission models

Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Android permissions demystified

Proceedings of the 18th ACM conference on Computer and communications security
Don't kill my ads!: balancing privacy in an ad-supported mobile application market

Proceedings of the Twelfth Workshop on Mobile Computing Systems & Applications
Defending users against smartphone apps: techniques and future directions

ICISS'11 Proceedings of the 7th international conference on Information Systems Security
Is this app safe?: a large scale study on application permissions and risk signals

Proceedings of the 21st international conference on World Wide Web
Runtime verification meets android security

NFM'12 Proceedings of the 4th international conference on NASA Formal Methods
Android permissions: a perspective combining risks and benefits

Proceedings of the 17th ACM symposium on Access Control Models and Technologies
Android permissions: user attention, comprehension, and behavior

Proceedings of the Eighth Symposium on Usable Privacy and Security
User-aware privacy control via extended static-information-flow analysis

Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
Automatically securing permission-based software by reducing the attack surface: an application to Android

Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
An evaluation of the Google Chrome extension security architecture

Security'12 Proceedings of the 21st USENIX conference on Security symposium
Privilege separation in HTML5 applications

Security'12 Proceedings of the 21st USENIX conference on Security symposium
Context-centric security

HotSec'12 Proceedings of the 7th USENIX conference on Hot Topics in Security
Short paper: rethinking permissions for mobile web apps: barriers and the road ahead

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
Short paper: enhancing users' comprehension of android permissions

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
Short paper: location privacy: user behavior in the field

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
PScout: analyzing the Android permission specification

Proceedings of the 2012 ACM conference on Computer and communications security
Using probabilistic generative models for ranking risks of Android apps

Proceedings of the 2012 ACM conference on Computer and communications security
Security add-ons for mobile platforms

NordSec'12 Proceedings of the 17th Nordic conference on Secure IT Systems
AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users

Proceedings of the third ACM conference on Data and application security and privacy
An online experiment of privacy authorization dialogues for social applications

Proceedings of the 2013 conference on Computer supported cooperative work
Towards an understanding of the impact of advertising on data leaks

International Journal of Security and Networks
A multi-dimensional measure for intrusion: the intrusiveness quality attribute

Proceedings of the 9th international ACM Sigsoft conference on Quality of software architectures
Fine-grained disclosure control for app ecosystems

Proceedings of the 2013 ACM SIGMOD International Conference on Management of Data
Touchjacking attacks on web in android, iOS, and windows phone

FPS'12 Proceedings of the 5th international conference on Foundations and Practice of Security
Toward principled browser security

HotOS'13 Proceedings of the 14th USENIX conference on Hot Topics in Operating Systems
When it's better to ask forgiveness than get permission: attribution mechanisms for smartphone resources

Proceedings of the Ninth Symposium on Usable Privacy and Security
Modifying smartphone user locking behavior

Proceedings of the Ninth Symposium on Usable Privacy and Security
Preventing accidental data disclosure in modern operating systems

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Vetting undesirable behaviors in android apps with permission use analysis

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Quantitative security risk assessment of android permissions and applications

DBSec'13 Proceedings of the 27th international conference on Data and Applications Security and Privacy XXVII
SMS-based one-time passwords: attacks and defense

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Breaking cell phone authentication: vulnerabilities in AKA, IMS and Android

WOOT'13 Proceedings of the 7th USENIX conference on Offensive Technologies
WHYPER: towards automating risk assessment of mobile applications

SEC'13 Proceedings of the 22nd USENIX conference on Security
Effective inter-component communication mapping in Android with Epicc: an essential step towards holistic security analysis

SEC'13 Proceedings of the 22nd USENIX conference on Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

Traditional user-based permission systems assign the user's full privileges to all applications. Modern platforms are transitioning to a new model, in which each application has a different set of permissions based on its requirements. Application permissions offer several advantages over traditional user-based permissions, but these benefits rely on the assumption that applications generally require less than full privileges. We explore whether that assumption is realistic, which provides insight into the value of application permissions. We perform case studies on two platforms with application permissions, the Google Chrome extension system and the Android OS. We collect the permission requirements of a large set of Google Chrome extensions and Android applications. From this data, we evaluate whether application permissions are effective at protecting users. Our results indicate that application permissions can have a positive impact on system security when applications' permission requirements are declared up-front by the developer, but can be improved.