You've been warned: an empirical study of the effectiveness of web browser phishing warnings
Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
On lightweight mobile phone application certification
Proceedings of the 16th ACM conference on Computer and communications security
Proceedings of the Sixth Symposium on Usable Privacy and Security
Crying wolf: an empirical study of SSL warning effectiveness
SSYM'09 Proceedings of the 18th conference on USENIX security symposium
Proceedings of the 17th ACM conference on Computer and communications security
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones
OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
Verified Security for Browser Extensions
SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
A survey of mobile malware in the wild
Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Short paper: a look at smartphone permission models
Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Android permissions demystified
Proceedings of the 18th ACM conference on Computer and communications security
Don't kill my ads!: balancing privacy in an ad-supported mobile application market
Proceedings of the Twelfth Workshop on Mobile Computing Systems & Applications
Defending users against smartphone apps: techniques and future directions
ICISS'11 Proceedings of the 7th international conference on Information Systems Security
Is this app safe?: a large scale study on application permissions and risk signals
Proceedings of the 21st international conference on World Wide Web
Runtime verification meets android security
NFM'12 Proceedings of the 4th international conference on NASA Formal Methods
Android permissions: a perspective combining risks and benefits
Proceedings of the 17th ACM symposium on Access Control Models and Technologies
Android permissions: user attention, comprehension, and behavior
Proceedings of the Eighth Symposium on Usable Privacy and Security
User-aware privacy control via extended static-information-flow analysis
Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
An evaluation of the Google Chrome extension security architecture
Security'12 Proceedings of the 21st USENIX conference on Security symposium
Privilege separation in HTML5 applications
Security'12 Proceedings of the 21st USENIX conference on Security symposium
HotSec'12 Proceedings of the 7th USENIX conference on Hot Topics in Security
Short paper: rethinking permissions for mobile web apps: barriers and the road ahead
Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
Short paper: enhancing users' comprehension of android permissions
Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
Short paper: location privacy: user behavior in the field
Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
PScout: analyzing the Android permission specification
Proceedings of the 2012 ACM conference on Computer and communications security
Using probabilistic generative models for ranking risks of Android apps
Proceedings of the 2012 ACM conference on Computer and communications security
Security add-ons for mobile platforms
NordSec'12 Proceedings of the 17th Nordic conference on Secure IT Systems
Proceedings of the third ACM conference on Data and application security and privacy
An online experiment of privacy authorization dialogues for social applications
Proceedings of the 2013 conference on Computer supported cooperative work
Towards an understanding of the impact of advertising on data leaks
International Journal of Security and Networks
A multi-dimensional measure for intrusion: the intrusiveness quality attribute
Proceedings of the 9th international ACM Sigsoft conference on Quality of software architectures
Fine-grained disclosure control for app ecosystems
Proceedings of the 2013 ACM SIGMOD International Conference on Management of Data
Touchjacking attacks on web in android, iOS, and windows phone
FPS'12 Proceedings of the 5th international conference on Foundations and Practice of Security
Toward principled browser security
HotOS'13 Proceedings of the 14th USENIX conference on Hot Topics in Operating Systems
Proceedings of the Ninth Symposium on Usable Privacy and Security
Modifying smartphone user locking behavior
Proceedings of the Ninth Symposium on Usable Privacy and Security
Preventing accidental data disclosure in modern operating systems
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Vetting undesirable behaviors in android apps with permission use analysis
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Quantitative security risk assessment of android permissions and applications
DBSec'13 Proceedings of the 27th international conference on Data and Applications Security and Privacy XXVII
SMS-based one-time passwords: attacks and defense
DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Breaking cell phone authentication: vulnerabilities in AKA, IMS and Android
WOOT'13 Proceedings of the 7th USENIX conference on Offensive Technologies
WHYPER: towards automating risk assessment of mobile applications
SEC'13 Proceedings of the 22nd USENIX conference on Security
SEC'13 Proceedings of the 22nd USENIX conference on Security
Hi-index | 0.00 |
Traditional user-based permission systems assign the user's full privileges to all applications. Modern platforms are transitioning to a new model, in which each application has a different set of permissions based on its requirements. Application permissions offer several advantages over traditional user-based permissions, but these benefits rely on the assumption that applications generally require less than full privileges. We explore whether that assumption is realistic, which provides insight into the value of application permissions. We perform case studies on two platforms with application permissions, the Google Chrome extension system and the Android OS. We collect the permission requirements of a large set of Google Chrome extensions and Android applications. From this data, we evaluate whether application permissions are effective at protecting users. Our results indicate that application permissions can have a positive impact on system security when applications' permission requirements are declared up-front by the developer, but can be improved.