DOI: 10.1145/2971648.2971693
Research article

PERUIM: understanding mobile application privacy with permission-UI mapping

Published: 12 September 2016

Abstract

Current mobile operating systems such as Android employ a permission-based access control mechanism, but it is difficult for users to understand how and why permissions are used within a particular application. This paper introduces permission-UI mapping as an easy-to-understand representation that illustrates how permissions are used by the different UI components of a given application. Connecting UI components to permissions helps users understand the purpose of permission requests and also makes it possible to present permission requests at a fine-grained level. We propose PERUIM to extract the permission-UI mapping from an application using both dynamic and static analysis, and to present the analysis results graphically. Experiments on popular mobile applications demonstrate the accuracy and applicability of the proposed approach.

      Published In

      UbiComp '16: Proceedings of the 2016 ACM International Joint Conference on Pervasive and Ubiquitous Computing
      September 2016
      1288 pages
      ISBN: 9781450344616
      DOI: 10.1145/2971648

      Publisher

      Association for Computing Machinery, New York, NY, United States


      Author Tags

      1. android
      2. functionality
      3. mobile applications
      4. permission
      5. user interface (UI)


      Conference

      UbiComp '16

      Acceptance Rates

      UbiComp '16 Paper Acceptance Rate 101 of 389 submissions, 26%;
      Overall Acceptance Rate 764 of 2,912 submissions, 26%


      Cited By

      • Privacy Slider: Fine-Grain Privacy Control for Smartphones. Proceedings of the ACM on Human-Computer Interaction 8, MHCI (2024), 1-31. DOI: 10.1145/3676519. Online publication date: 24 Sep 2024.
      • DeUEDroid: Detecting Underground Economy Apps Based on UTG Similarity. Proceedings of the 32nd ACM SIGSOFT International Symposium on Software Testing and Analysis (2023), 223-235. DOI: 10.1145/3597926.3598051. Online publication date: 12 Jul 2023.
      • APIMind: API-driven Assessment of Runtime Description-to-permission Fidelity in Android Apps. 2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE), 427-438. DOI: 10.1109/ISSRE59848.2023.00057. Online publication date: 9 Oct 2023.
      • How Android Apps Break the Data Minimization Principle: An Empirical Study. Proceedings of the 38th IEEE/ACM International Conference on Automated Software Engineering (2023), 1238-1250. DOI: 10.1109/ASE56229.2023.00141. Online publication date: 11 Nov 2023.
      • Security and Privacy Analysis of Smartphone-Based Driver Monitoring Systems from the Developer's Point of View. Sensors 22, 13 (2022), 5063. DOI: 10.3390/s22135063. Online publication date: 5 Jul 2022.
      • A Novel Macro-Micro Fusion Network for User Representation Learning on Mobile Apps. Proceedings of the Web Conference 2021, 3199-3209. DOI: 10.1145/3442381.3450109. Online publication date: 19 Apr 2021.
      • Measuring User Perception for Detecting Unexpected Access to Sensitive Resource in Mobile Apps. Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, 578-592. DOI: 10.1145/3433210.3437511. Online publication date: 24 May 2021.
      • UIDroid: User-Driven Based Hierarchical Access Control for Sensitive Information. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), 1733-1740. DOI: 10.1109/TrustCom50675.2020.00238. Online publication date: Dec 2020.
      • ExpectDroid: User Expectation Based Authorization Management in Android. 2020 27th International Conference on Telecommunications (ICT), 1-6. DOI: 10.1109/ICT49546.2020.9239597. Online publication date: 5 Oct 2020.
      • DeepIntent. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2421-2436. DOI: 10.1145/3319535.3363193. Online publication date: 6 Nov 2019.
