Is this app safe?: a large scale study on application permissions and risk signals

Authors:
Pern Hui Chia;Yusuke Yamamoto;N. Asokan
Affiliations:
Norwegian University of Science and Technology, Trondheim, Norway;Kyoto University, Kyoto, Japan;Nokia Research Center, Helsinki, Finland
Venue:
Proceedings of the 21st international conference on World Wide Web
Year:
2012

Citing 13
Cited 13

A technique for computer detection and correction of spelling errors

Communications of the ACM
Strong regularities in online peer production

Proceedings of the 9th ACM conference on Electronic commerce
Privacy suites: shared privacy for social networks

Proceedings of the 5th Symposium on Usable Privacy and Security
On lightweight mobile phone application certification

Proceedings of the 16th ACM conference on Computer and communications security
A methodology for empirical analysis of permission-based security models and its application to android

Proceedings of the 17th ACM conference on Computer and communications security
Old, new, borrowed, blue --: a perspective on the evolution of mobile platform security architectures

Proceedings of the first ACM conference on Data and application security and privacy
The effectiveness of application permissions

WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
Android permissions demystified

Proceedings of the 18th ACM conference on Computer and communications security
Privacy: is there an app for that?

Proceedings of the Seventh Symposium on Usable Privacy and Security
Measuring the perpetrators and funders of typosquatting

FC'10 Proceedings of the 14th international conference on Financial Cryptography and Data Security
Imagined communities: awareness, information sharing, and privacy on the facebook

PET'06 Proceedings of the 6th international conference on Privacy Enhancing Technologies
Re-evaluating the wisdom of crowds in assessing web security

FC'11 Proceedings of the 15th international conference on Financial Cryptography and Data Security
Use of ratings from personalized communities for trustworthy application installation

NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications

Understanding and improving app installation security mechanisms through empirical analysis of android

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
Permission evolution in the Android ecosystem

Proceedings of the 28th Annual Computer Security Applications Conference
Towards unified authorization for android

ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
A multi-dimensional measure for intrusion: the intrusiveness quality attribute

Proceedings of the 9th international ACM Sigsoft conference on Quality of software architectures
My profile is my password, verify me!: the privacy/convenience tradeoff of facebook connect

Proceedings of the SIGCHI Conference on Human Factors in Computing Systems
Is this app safe for children?: a comparison study of maturity ratings on Android and iOS applications

Proceedings of the 22nd international conference on World Wide Web
On mining mobile apps usage behavior for predicting apps usage in smartphones

Proceedings of the 22nd ACM international conference on Conference on information & knowledge management
Appinspect: large-scale evaluation of social networking apps

Proceedings of the first ACM conference on Online social networks
Sleeping android: the danger of dormant permissions

Proceedings of the Third ACM workshop on Security and privacy in smartphones & mobile devices
Quantitative security risk assessment of android permissions and applications

DBSec'13 Proceedings of the 27th international conference on Data and Applications Security and Privacy XXVII
RiskMon: continuous and automated risk assessment of mobile applications

Proceedings of the 4th ACM conference on Data and application security and privacy
The company you keep: mobile malware infection rates and inexpensive risk indicators

Proceedings of the 23rd international conference on World wide web
DECAF: detecting and characterizing ad fraud in mobile apps

NSDI'14 Proceedings of the 11th USENIX Conference on Networked Systems Design and Implementation

Quantified Score

Hi-index	0.00

Visualization

Abstract

Third-party applications (apps) drive the attractiveness of web and mobile application platforms. Many of these platforms adopt a decentralized control strategy, relying on explicit user consent for granting permissions that the apps request. Users have to rely primarily on community ratings as the signals to identify the potentially harmful and inappropriate apps even though community ratings typically reflect opinions about perceived functionality or performance rather than about risks. With the arrival of HTML5 web apps, such user-consent permission systems will become more widespread. We study the effectiveness of user-consent permission systems through a large scale data collection of Facebook apps, Chrome extensions and Android apps. Our analysis confirms that the current forms of community ratings used in app markets today are not reliable indicators of privacy risks of an app. We find some evidence indicating attempts to mislead or entice users into granting permissions: free applications and applications with mature content request more permissions than is typical; 'look-alike' applications which have names similar to popular applications also request more permissions than is typical. We also find that across all three platforms popular applications request more permissions than average.