ABSTRACT
One of the most common security & privacy issues concerning mobile applications is the unnecessary access to sensitive information and resources. In a mobile application platform like Android, where a permission mechanism is used to maintain access control, the app developer dictates what permissions are necessary at install time. For various reasons however, including user confusion and lack of proper documentation, developers may overcompensate for the necessary permission. By this we mean developers often incorporate more permissions than are necessary for an app to function, thus undermining the access control mechanism and increasing the potential risk from a vulnerability exploit where sensitive user information is compromised. Even when developers intentionally include extra permissions, we believe it still the duty of a developer to at least be aware of what is at stake when it comes to collecting user information. In this paper we present PermitMe, a tool developed as a plugin for the Eclipse IDE, to interactively guide developers on the set of required permissions when creating Android applications. We conducted a between-groups user study in order to evaluate the effectiveness, efficiency, and usability of the PermitMe tool in enhancing the developer's experience when deciding to include Android permissions in their mobile applications.
- A. Acquisti and J. Grossklags. Privacy and rationality in individual decision making. Security & Privacy, IEEE, 3(1):26--33, 2005. Google ScholarDigital Library
- K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. Pscout: analyzing the android permission specification. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 217--228. ACM, 2012. Google ScholarDigital Library
- N. Ayewah, W. Pugh, J. D. Morgenthaler, J. Penix, and Y. Zhou. Evaluating static analysis defect warnings on production software. In Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering, pages 1--8. ACM, 2007. Google ScholarDigital Library
- O. Consortium. ASM: a bytecode engineering library. http://asm.ow2.org/index.html, 12 Oct 2013.Google Scholar
- L. F. Cranor. Security and usability: Designing secure systems that people can use. O’reilly, 2007. Google ScholarDigital Library
- A. Developers. Android developers: Permissions. http://developer.android.com/guide/topics/security/permissions.html.Google Scholar
- A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android permissions demystified. In Proceedings of the 18th ACM conference on Computer and communications security, pages 627--638. ACM, 2011. Google ScholarDigital Library
- D. Hovemeyer and W. Pugh. Finding bugs is easy. ACM Sigplan Notices, 39(12):92--106, 2004. Google ScholarDigital Library
- D. Hovemeyer and W. Pugh. Finding more null pointer bugs, but not too many. In Proceedings of the 7th ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering, pages 9--14. ACM, 2007. Google ScholarDigital Library
- N. Sadeh, L. F. Cranor, and P. G. Kelley. Privacy as part of the app decision-making process, 2013.Google Scholar
- J. H. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proceedings of the IEEE, 63(9):1278--1308, 1975.Google ScholarCross Ref
- R. Stevens, J. Ganz, V. Filkov, P. Devanbu, and H. Chen. Asking for (and about) permissions used by android apps. In Proceedings of the Tenth International Workshop on Mining Software Repositories, pages 31--40. IEEE Press, 2013. Google ScholarDigital Library
- T. Vidas, N. Christin, and L. Cranor. Curbing android permission creep. In Proceedings of the Web, volume 2, 2011.Google Scholar
- L. Vogel. Eclipse JDT - Abstract Syntax Tree (AST) and the Java Model. http://www.vogella.com/tutorials/EclipseJDT/article.html, 08 Aug 2012.Google Scholar
- X. Wei, L. Gomez, I. Neamtiu, and M. Faloutsos. Permission evolution in the android ecosystem. In Proceedings of the 28th Annual Computer Security Applications Conference, pages 31--40. ACM, 2012. Google ScholarDigital Library
- J. Xie, B. Chu, H. R. Lipford, and J. T. Melton. Aside: Ide support for web application security. In Proceedings of the 27th Annual Computer Security Applications Conference, pages 267--276. ACM, 2011. Google ScholarDigital Library
- J. Zhu, H. R. Lipford, and B. Chu. Interactive support for secure programming education. In Proceeding of the 44th ACM technical symposium on Computer science education, pages 687--692. ACM, 2013. Google ScholarDigital Library
Index Terms
- PERMITME: integrating android permissioning support in the IDE
Recommendations
Android permissions demystified
CCS '11: Proceedings of the 18th ACM conference on Computer and communications securityAndroid provides third-party applications with an extensive API that includes access to phone hardware, settings, and user data. Access to privacy- and security-relevant parts of the API is controlled with an install-time application permission system. ...
PScout: analyzing the Android permission specification
CCS '12: Proceedings of the 2012 ACM conference on Computer and communications securityModern smartphone operating systems (OSs) have been developed with a greater emphasis on security and protecting privacy. One of the mechanisms these systems use to protect users is a permission system, which requires developers to declare what ...
SecuRank: Starving Permission-Hungry Apps Using Contextual Permission Analysis
SPSM '16: Proceedings of the 6th Workshop on Security and Privacy in Smartphones and Mobile DevicesCompetition among app developers has caused app stores to be permeated with many groups of general-purpose apps that are functionally-similar. Examples are the many flashlight or alarm clock apps to choose from. Within groups of functionally-similar ...
Comments