On lightweight mobile phone application certification
Proceedings of the 16th ACM conference on Computer and communications security
Semantically Rich Application-Centric Security in Android
ACSAC '09 Proceedings of the 2009 Annual Computer Security Applications Conference
Proceedings of the 17th ACM conference on Computer and communications security
A study of android application security
SEC'11 Proceedings of the 20th USENIX conference on Security
Permission re-delegation: attacks and defenses
SEC'11 Proceedings of the 20th USENIX conference on Security
Android permissions demystified
Proceedings of the 18th ACM conference on Computer and communications security
Is this app safe?: a large scale study on application permissions and risk signals
Proceedings of the 21st international conference on World Wide Web
Dissecting Android Malware: Characterization and Evolution
SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
Android permissions: user attention, comprehension, and behavior
Proceedings of the Eighth Symposium on Usable Privacy and Security
AdDroid: privilege separation for applications and advertisers in Android
Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security
A multi-dimensional measure for intrusion: the intrusiveness quality attribute
Proceedings of the 9th international ACM Sigsoft conference on Quality of software architectures
Quantitative security risk assessment of android permissions and applications
DBSec'13 Proceedings of the 27th international conference on Data and Applications Security and Privacy XXVII
Hi-index | 0.00 |
Android uses a system of permissions to control how apps access sensitive devices and data stores. Unfortunately, we have little understanding of the evolution of Android permissions since their inception (2008). Is the permission model allowing the Android platform and apps to become more secure? In this paper, we present arguably the first long-term study that is centered around both permission evolution and usage, of the entire Android ecosystem (platform, third-party apps, and pre-installed apps). First, we study the Android platform to see how the set of permissions has evolved; we find that this set tends to grow, and the growth is not aimed towards providing finer-grained permissions but rather towards offering access to new hardware features; a particular concern is that the set of Dangerous permissions is increasing. Second, we study Android third-party and pre-installed apps to examine whether they follow the principle of least privilege. We find that this is not the case, as an increasing percentage of the popular apps we study are overprivileged. In addition, the apps tend to use more permissions over time. Third, we highlight some concerns with pre-installed apps, e.g., apps that vendors distribute with the phone; these apps have access to, and use, a larger set of higher-privileged permissions which pose security and privacy risks. At the risk of oversimplification, we state that the Android ecosystem is not becoming more secure from the user's point of view. Our study derives four recommendations for improving the Android security and suggests the need to revisit the practices and policies of the ecosystem.