Quantitative security risk assessment of android permissions and applications

Authors:
Yang Wang;Jun Zheng;Chen Sun;Srinivas Mukkamala
Affiliations:
Department of Computer Science and Engineering, New Mexico Institute of Mining and Technology, Socorro, NM;Department of Computer Science and Engineering, New Mexico Institute of Mining and Technology, Socorro, NM;Department of Computer Science and Engineering, New Mexico Institute of Mining and Technology, Socorro, NM;The Institute for Complex Additive Systems Analysis, New Mexico Institute of Mining and Technology, Socorro, NM and CAaNES, LLC, Albuquerque, NM
Venue:
DBSec'13 Proceedings of the 27th international conference on Data and Applications Security and Privacy XXVII
Year:
2013

Citing 13
Cited 1

An introduction to ROC analysis

Pattern Recognition Letters - Special issue: ROC analysis in pattern recognition
On lightweight mobile phone application certification

Proceedings of the 16th ACM conference on Computer and communications security
The use of the area under the ROC curve in the evaluation of machine learning algorithms

Pattern Recognition
A methodology for empirical analysis of permission-based security models and its application to android

Proceedings of the 17th ACM conference on Computer and communications security
The effectiveness of application permissions

WebApps'11 Proceedings of the 2nd USENIX conference on Web application development
Android permissions demystified

Proceedings of the 18th ACM conference on Computer and communications security
Is this app safe?: a large scale study on application permissions and risk signals

Proceedings of the 21st international conference on World Wide Web
Android permissions: a perspective combining risks and benefits

Proceedings of the 17th ACM symposium on Access Control Models and Technologies
Dissecting Android Malware: Characterization and Evolution

SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
Android permissions: user attention, comprehension, and behavior

Proceedings of the Eighth Symposium on Usable Privacy and Security
I've got 99 problems, but vibration ain't one: a survey of smartphone users' concerns

Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices
Permission evolution in the Android ecosystem

Proceedings of the 28th Annual Computer Security Applications Conference
Mining Permission Request Patterns from Android and Facebook Applications

ICDM '12 Proceedings of the 2012 IEEE 12th International Conference on Data Mining

RiskMon: continuous and automated risk assessment of mobile applications

Proceedings of the 4th ACM conference on Data and application security and privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

The booming of the Android platform in recent years has attracted the attention of malware developers. However, the permissions-based model used in Android system to prevent the spread of malware, has shown to be ineffective. In this paper, we propose DroidRisk, a framework for quantitative security risk assessment of both Android permissions and applications (apps) based on permission request patterns from benign apps and malware, which aims to improve the efficiency of Android permission system. Two data sets with 27,274 benign apps from Google Play and 1,260 Android malware samples were used to evaluate the effectiveness of DroidRisk. The results demonstrate that DroidRisk can generate more reliable risk signal for warning the potential malicious activities compared with existing methods. We show that DroidRisk can also be used to alleviate the overprivilege problem and improve the user attention to the risks of Android permissions and apps.