Android permissions: a perspective combining risks and benefits

Authors:
Bhaskar Pratim Sarma;Ninghui Li;Chris Gates;Rahul Potharaju;Cristina Nita-Rotaru;Ian Molloy
Affiliations:
Purdue University, West Lafayette, IN, USA;Purdue University, West Lafayette, IN, USA;Purdue University, West Lafayette, IN, USA;Purdue University, West Lafayette, IN, USA;Purdue University, West Lafayette, IN, USA;IBM Research TJ Watson, New York, NY, USA
Venue:
Proceedings of the 17th ACM symposium on Access Control Models and Technologies
Year:
2012

Citing 15
Cited 8

Least Squares Support Vector Machine Classifiers

Neural Processing Letters
The Art of Computer Virus Research and Defense

The Art of Computer Virus Research and Defense
On lightweight mobile phone application certification

Proceedings of the 16th ACM conference on Computer and communications security
Semantically Rich Application-Centric Security in Android

ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Apex: extending Android permission model and enforcement with user-defined runtime constraints

ASIACCS '10 Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
Do windows users follow the principle of least privilege?: investigating user account control practices

Proceedings of the Sixth Symposium on Usable Privacy and Security
A methodology for empirical analysis of permission-based security models and its application to android

Proceedings of the 17th ACM conference on Computer and communications security
Paranoid Android: versatile protection for smartphones

Proceedings of the 26th Annual Computer Security Applications Conference
TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones

OSDI'10 Proceedings of the 9th USENIX conference on Operating systems design and implementation
LIBSVM: A library for support vector machines

ACM Transactions on Intelligent Systems and Technology (TIST)
The effectiveness of application permissions

WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
A study of android application security

SEC'11 Proceedings of the 20th USENIX conference on Security
A survey of mobile malware in the wild

Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Short paper: a look at smartphone permission models

Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices
Android permissions demystified

Proceedings of the 18th ACM conference on Computer and communications security

Using probabilistic generative models for ranking risks of Android apps

Proceedings of the 2012 ACM conference on Computer and communications security
MAST: triage for market-scale mobile malware analysis

Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks
Role mining algorithm evaluation and improvement in large volume android applications

Proceedings of the first international workshop on Security in embedded systems and smartphones
The impact of vendor customizations on android security

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Structural detection of android malware using embedded call graphs

Proceedings of the 2013 ACM workshop on Artificial intelligence and security
Quantitative security risk assessment of android permissions and applications

DBSec'13 Proceedings of the 27th international conference on Data and Applications Security and Privacy XXVII
RiskMon: continuous and automated risk assessment of mobile applications

Proceedings of the 4th ACM conference on Data and application security and privacy
PREC: practical root exploit containment for android devices

Proceedings of the 4th ACM conference on Data and application security and privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

The phenomenal growth of the Android platform in the past few years has made it a lucrative target of malicious application (app) developers. There are numerous instances of malware apps that send premium rate SMS messages, track users' private data, or apps that, even if not characterized as malware, conduct questionable actions affecting the user's privacy or costing them money. In this paper, we investigate the feasibility of using both the permissions an app requests, the category of the app, and what permissions are requested by other apps in the same category to better inform users whether the risks of installing an app is commensurate with its expected benefit. Existing approaches consider only the risks of the permissions requested by an app and ignore both the benefits and what permissions are requested by other apps, thus having a limited effect. We propose several risk signals that and evaluate them using two datasets, one consists of 158,062 Android apps from the Android Market, and another consists of 121 malicious apps. We demonstrate the effectiveness of our proposal through extensive data analysis.