Abstract
The Android ecosystem is dynamic and diverse. Controls have been set in place to allow mobile device users to regulate exchanged data and restrict apps from accessing sensitive personal information and system resources. Modern versions of the operating system implement the run-time permission model which prompts users to allow access to protected resources the moment an app attempts to utilize them. It is assumed that, in general, the run-time permission model, compared to its predecessor, enhances users’ security awareness. In this paper we show that installed apps on Android devices are able to employ the systems’ public assets and extract users’ permission settings. Then we utilize permission data from 71 Android devices to create privacy profiles based on users’ interaction with permission dialogues initiated by the system during run-time. Therefore, we demonstrate that any installed app that runs on the foreground can perform an endemic live digital forensic analysis on the device and derive similar privacy profiles of the user. Moreover, focusing on the human factors of security, we show that although in theory users can control the resources they make accessible to apps, they eventually fail to successfully recall these settings, even for the apps that they regularly use. Finally, we briefly discuss our findings derived from a pen-and-paper exercise showcasing that users are more likely to allow apps to access their location data on contemporary mobile devices (running version Android 10).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The dataset can be found at the UWE Research Repository: Output ID: 5296390.
References
Andriotis, P., Sasse, M.A., Stringhini, G.: Permissions snapshots: assessing users’ adaptation to the android runtime permission model. In: 2016 IEEE International Workshop on Information Forensics and Security (WIFS), pp. 1–6, December 2016. https://doi.org/10.1109/WIFS.2016.7823922
Andriotis, P., Li, S., Spyridopoulos, T., Stringhini, G.: A comparative study of android users’ privacy preferences under the runtime permission model. In: Tryfonas, T. (ed.) HAS 2017. LNCS, vol. 10292, pp. 604–622. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-58460-7_42
Andriotis, P., Stringhini, G., Sasse, M.A.: Studying users’ adaptation to android’s run-time fine-grained access control system. J. Inf. Secur. Appl. 40, 31–43 (2018). https://doi.org/10.1016/j.jisa.2018.02.004
Android Developers: Distribution dashboard (2019). https://developer.android.com/about/dashboards. Accessed 13 Oct 2019
AOSP: Tristate Location Permissions (2020). https://source.android.com/devices/tech/config/tristate-perms. Accessed 31 Jan 2020
Bonné, B., Peddinti, S.T., Bilogrevic, I., Taft, N.: Exploring decision making with android’s runtime permission dialogs using in-context surveys. In: Thirteenth Symposium on Usable Privacy and Security (\(\{\)SOUPS\(\}\) 2017), pp. 195–210 (2017)
Diamantaris, M., Papadopoulos, E.P., Markatos, E.P., Ioannidis, S., Polakis, J.: REAPER: real-time app analysis for augmenting the android permission system. In: Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy, pp. 37–48. ACM (2019). https://doi.org/10.1145/3292006.3300027
Felt, A.P., Egelman, S., Wagner, D.: I’ve got 99 problems, but vibration ain’t one: a survey of smartphone users’ concerns. In: Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices, pp. 33–44. ACM (2012). https://doi.org/10.1145/2381934.2381943
Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012, pp. 3:1–3:14. ACM, New York (2012). https://doi.org/10.1145/2335356.2335360
Hossen, M.Z., Mannan, M.: On understanding permission usage contextuality in android apps. In: Kerschbaum, F., Paraboschi, S. (eds.) DBSec 2018. LNCS, vol. 10980, pp. 232–242. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-95729-6_15
Iqbal, M.S., Zulkernine, M.: Droid mood swing (DMS): automatic security modes based on contexts. In: Nguyen, P., Zhou, J. (eds.) ISC 2017. LNCS, vol. 10599, pp. 329–347. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-69659-1_18
Likert, R.: A technique for the measurement of attitudes. Arch. Psychol. (1932)
Lin, J., Liu, B., Sadeh, N., Hong, J.I.: Modeling users mobile app privacy preferences: restoring usability in a sea of permission settings. In: 10th Symposium On Usable Privacy and Security (\(\{\)SOUPS\(\}\) 2014), pp. 199–212 (2014)
Liu, B., et al.: Follow my recommendations: a personalized privacy assistant for mobile app permissions. In: Symposium on Usable Privacy and Security (2016)
Pedregosa, F., et al.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)
Raval, N., Razeen, A., Machanavajjhala, A., Cox, L.P., Warfield, A.: Permissions plugins as android apps. In: Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services, pp. 180–192. ACM (2019). https://doi.org/10.1145/3307334.3326095
Reardon, J., Feal, Á., Wijesekera, P., Elazari Bar On, A., Vallina-Rodriguez, N., Egelman, S.: 50 ways to leak your data: an exploration of apps’ circumvention of the android permissions systems. In: 28th USENIX Security Symposium (2019)
Reinfelder, L., Schankin, A., Russ, S., Benenson, Z.: An inquiry into perception and usage of smartphone permission models. In: Furnell, S., Mouratidis, H., Pernul, G. (eds.) TrustBus 2018. LNCS, vol. 11033, pp. 9–22. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98385-1_2
Scoccia, G.L., Ruberto, S., Malavolta, I., Autili, M., Inverardi, P.: An investigation into android run-time permissions from the end users’ perspective. In: Proceedings of the 5th International Conference on Mobile Software Engineering and Systems, pp. 45–55. ACM (2018). https://doi.org/10.1145/3197231.3197236
Thompson, C., Johnson, M., Egelman, S., Wagner, D., King, J.: When it’s better to ask forgiveness than get permission: attribution mechanisms for smartphone resources. In: Proceedings of the Ninth Symposium on Usable Privacy and Security, p. 1. ACM (2013). https://doi.org/10.1145/2501604.2501605
Votipka, D., Rabin, S.M., Micinski, K., Gilray, T., Mazurek, M.L., Foster, J.S.: User comfort with android background resource accesses in different contexts. In: Fourteenth Symposium on Usable Privacy and Security (\(\{\)SOUPS\(\}\) 2018), pp. 235–250 (2018)
Wijesekera, P., et al.: The feasibility of dynamically granted permissions: aligning mobile privacy with user preferences. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 1077–1093, May 2017. https://doi.org/10.1109/SP.2017.51
Wijesekera, P., et al.: Contextualizing privacy decisions for better prediction (and protection). In: Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, p. 268. ACM (2018). https://doi.org/10.1145/3173574.3173842
Acknowledgment
This work has been supported by the UWE Bristol Vice-Chancellor’s Early Career Researcher Awards 2017–2018 and the Great Britain Sasakawa Foundation (No. 5303/2017).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Andriotis, P., Takasu, A. (2020). To Allow, or Deny? That is the Question. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2020. Lecture Notes in Computer Science(), vol 12210. Springer, Cham. https://doi.org/10.1007/978-3-030-50309-3_20
Download citation
DOI: https://doi.org/10.1007/978-3-030-50309-3_20
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-50308-6
Online ISBN: 978-3-030-50309-3
eBook Packages: Computer ScienceComputer Science (R0)