research-article

Droid M+: Developer Support for Imbibing Android's New Permission Model

Authors:

Ioannis Gasparis,

Srikanth V. Krishnamurthy,

Edward ColbertAuthors Info & Claims

ASIACCS '18: Proceedings of the 2018 on Asia Conference on Computer and Communications Security

Pages 765 - 776

https://doi.org/10.1145/3196494.3196533

Published: 29 May 2018 Publication History

Abstract

In Android 6.0, Google revamped its long criticized permission model to prompt the user during runtime, and allow her to dynamically revoke granted permissions. Towards steering developers to this new model and improve user experience, Google also provides guidelines on (a) how permission requests should be formulated (b) how to educate users on why a permission is needed and (c) how to provide feedback when a permission is denied. In this paper we perform, to the best of our knowledge, the first measurement study on the adoption of Android's new model on recently updated apps from the official Google Play Store. We find that, unfortunately, (1) most apps have not been migrated to this new model and (2) for those that do support the model, many do not adhere to Google's guidelines. We attribute this unsatisfying status quo to the lack of automated transformation tools that can help developers refactor their code; via an IRB approved study we find that developers felt that there was a non-trivial effort involved in migrating their apps to the new model. Towards solving this problem, we develop Droid M+, a system that helps developers to easily retrofit their legacy code to support the new permission model and adhere to Google's guidelines. We believe that Droid M+ offers a significant step in preserving user privacy and improving user experience.

References

[1]

Y. Acar, M. Backes, S. Fahl, S. Garfinkel, D. Kim, M. Mazurek, and C. Stransky. 2017. Comparing the usability of cryptographic APIs. IEEE S&P.

[2]

P. Andriotis, M. Sasse, and G. Stringhini. 2016. Permissions snapshots: Assessing users' adaptation to the Android runtime permission model IEEE Workshop on Information Forensics and Security (WIFS).

[3]

Androguard. 2016. Tool to play with apk files. (2016). https://goo.gl/edcClw

[4]

Android. 2017. Android Share. (2017). https://goo.gl/9kiCgg

[5]

Any.do. 2016. To-do list, Task List. (2016). https://goo.gl/rPpZq8

[6]

AOP. {n. d.}. Aspect Oriented Programming. (. {n. d.}). http://goo.gl/1UnkGS

[7]

Apktool. 2016. Reverse engineering apk files. (2016). https://goo.gl/JCh7U7

[8]

K. Au, Y. Zhou, Z. Huang, and D. Lie. 2012. Pscout: analyzing the android permission specification ACM CCS.

Digital Library

[9]

B.Liu, M.S. Andersen, F.Schaub, H.Almuhimedi, S.Zhang, N.Sadeh, Y.Agarwal, and A.Acquisti. 2016. Follow My Recommendations: A Personalized Privacy Assistant for Mobile App Permissions ACM SOUPS.

[10]

Google Developers. 2016. Improving Code Inspection with Annotations. (2016). http://goo.gl/qSE9dh

[11]

W. Enck, P. Gilbert, S. Han, V. Tendulkar, B. Chun, L. Cox, J. Jung, P. McDaniel, and A Sheth. 2014. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems (2014).

Digital Library

[12]

Z. Fang, W. Han, D. Li, Z. Guo, D. Guo, X. Wang, Z. Qian, and H. Chen. 2016. revDroid: Code Analysis of the Side Effects after Dynamic Permission Revocation of Android Apps ACM ASIACCS.

Digital Library

[13]

A. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. 2011. Android permissions demystified. In ACM CCS.

Digital Library

[14]

A. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. 2012. Android permissions: User attention, comprehension, and behavior ACM SOUPS.

Digital Library

[15]

Patrice Godefroid, Michael Y Levin, and David Molnar. 2012. SAGE: whitebox fuzzing for security testing. Queue, Vol. 10, 1 (2012), 20.

Digital Library

[16]

Google. 2016 a. Material Design Patterns. (2016). https://goo.gl/QQcfEv

[17]

Google. 2016 b. Requesting Runtime Permissions. (2016). https://goo.gl/0enMi9

[18]

Google. 2016 c. Runtime Permissions Basic Sample. (2016). https://goo.gl/t59Dw9

[19]

Google. 2017. Google Play Store. (2017). https://goo.gl/kN0Nhz

[20]

Google. 2018. Play Store Top Charts. (2018). https://goo.gl/uPr4nj

[21]

A. Gorla, I. Tavecchia, F. Gross, and A. Zeller. 2014. Checking app behavior against app descriptions. In ICSE.

Digital Library

[22]

Q. Ismail, T. Ahmed, A. Kapadia, and M. Reiter. 2015. Crowdsourced exploration of security configurations ACM CHI.

Digital Library

[23]

J. Jung, S. Han, and D. Wetherall. 2012. Short paper: Enhancing mobile application permissions with runtime feedback and constraints. In ACM workshop on Security and privacy in smartphones and mobile devices.

Digital Library

[24]

P. Kelley, S. Consolvo, L. Cranor, J. Jung, N. Sadeh, and D. Wetherall. 2012. A conundrum of permissions: installing applications on an android smartphone International Conference on Financial Cryptography and Data Security (FC).

Digital Library

[25]

J. Lin, S. Amini, J. Hong, N. Sadeh, J. Lindqvist, and J. Zhang. 2012. Expectation and purpose: understanding users' mental models of mobile app privacy through crowdsourcing. In ACM UBICOMP.

Digital Library

[26]

B. Livshits and J. Jung. 2013. Automatic mediation of privacy-sensitive resource access in smartphone applications USENIX Security.

Digital Library

[27]

N. Nikzad, O. Chipara, and W. Griswold. 2014. APE: an annotation language and middleware for energy-efficient mobile application development ICSE.

Digital Library

[28]

H. Nissenbaum. 2004. Privacy as contextual integrity. Wash. L. Rev. (2004).

[29]

K. Olmstead and M. Atkinson. 2015. Apps Permissions in the Google Play Store. (2015). http://goo.gl/ph7KGk

[30]

Oracle. 2016. Java SE Annotations. (2016). http://goo.gl/g9b0Dh

[31]

R. Pandita, X. Xiao, W. Yang, W. Enck, and T. Xie. 2013. Whyper: Towards automating risk assessment of mobile applications USENIX Security.

Digital Library

[32]

Zhengyang Qu, Vaibhav Rastogi, Xinyi Zhang, Yan Chen, Tiantian Zhu, and Zhong Chen. 2014. Autocog: Measuring the description-to-permission fidelity in android applications Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1354--1365.

Digital Library

[33]

Ringdroid. 2016. Ringdroid. (2016). https://goo.gl/MhLqGW

[34]

R. Schlegel, K. Zhang, X. Zhou, M. Intwala, A. Kapadia, and X. Wang. 2011. Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones. NDSS.

[35]

Y. Shao, J. Ott, Q.Chen, Z. Qian, and Z. M. Mao. 2016. Kratos: Discovering Inconsistent Security Policy Enforcement in the Android Framework NDSS.

[36]

Y. Smaragdakis, G. Balatsouras, G. Kastrinis, and M. Bravenboer. 2015. More sound static handling of Java reflection. In Asian Symposium on Programming Languages and Systems. Springer.

[37]

J. Tan, K. Nguyen, M. Theodorides, H. Negrón-Arroyo, C. Thompson, S. Egelman, and D. Wagner. 2014. The effect of developer-specified explanations for permission requests on smartphone user behavior ACM CHI.

Digital Library

[38]

Z. Templeman, R and. Rahman, D. Crandall, and A. Kapadia. 2012. PlaceRaider: Virtual theft in physical spaces with smartphones. arXiv:1209.5982 (2012).

[39]

Christopher Thompson, Maritza Johnson, Serge Egelman, David Wagner, and Jennifer King. 2013. When it's better to ask forgiveness than get permission: attribution mechanisms for smartphone resources. In ACM SOUPS.

Digital Library

[40]

X. Wei, L. Gomez, I. Neamtiu, and M. Faloutsos. 2012. Permission evolution in the android ecosystem. In ACSAC.

Digital Library

[41]

P. Wijesekera, A. Baokar, A. Hosseini, S. Egelman, D. Wagner, and K. Beznosov. 2015. Android permissions remystified: A field study on contextual integrity USENIX Security.

Digital Library

[42]

W. Xu, F. Zhang, and S. Zhu. 2013. Permlyzer: Analyzing permission usage in android applications IEEE Symposium on Software Reliability Engineering (ISSRE).

Cited By

Wang SWang YZhan XWang YLiu YLuo XCheung SDwyer MDamian DZeller A(2022)AperProceedings of the 44th International Conference on Software Engineering10.1145/3510003.3510074(125-137)Online publication date: 21-May-2022
https://dl.acm.org/doi/10.1145/3510003.3510074
Baalous RPoet R(2020)Factors Affecting Users' Disclosure Decisions in Android Runtime Permissions Model2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom50675.2020.00147(1113-1118)Online publication date: Dec-2020
https://doi.org/10.1109/TrustCom50675.2020.00147
Nobakht MSui YSeneviratne AHu W(2020) PGFitJournal of Network and Computer Applications10.1016/j.jnca.2019.102509152:COnline publication date: 15-Feb-2020
https://dl.acm.org/doi/10.1016/j.jnca.2019.102509
Show More Cited By

Index Terms

Droid M+: Developer Support for Imbibing Android's New Permission Model
1. Security and privacy
  1. Software and application security
    1. Software security engineering
  2. Systems security
    1. Operating systems security
      1. Mobile platform security

Recommendations

An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective
WWW '17: Proceedings of the 26th International Conference on World Wide Web

With the prevalence of smartphones, app markets such as Apple App Store and Google Play has become the center stage in the mobile app ecosystem, with millions of apps developed by tens of thousands of app developers in each major market. This paper ...
R-Droid: Leveraging Android App Analysis with Static Slice Optimization
ASIA CCS '16: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security

Today's feature-rich smartphone apps intensively rely on access to highly sensitive (personal) data. This puts the user's privacy at risk of being violated by overly curious apps or libraries (like advertisements). Central app markets conceptually ...
My DROID: (Covers DROID 3/Milestone 3, DROID Pro, DROID X2, DROID Incredible 2/Incredible S, and DROID CHARGE) (2nd Edition)

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ASIACCS '18: Proceedings of the 2018 on Asia Conference on Computer and Communications Security

May 2018

866 pages

ISBN:9781450355766

DOI:10.1145/3196494

General Chairs:
Jong Kim
Pohang University of Science and Technology, South Korea
,
Gail-Joon Ahn
Arizona State University, USA &Samsung Electronics, South Korea
,
Seungjoo Kim
Korea University, South Korea
,
Program Chairs:
Yongdae Kim
KAIST, South Korea
,
Javier Lopez
University of Malaga, Spain
,
Taesoo Kim
Georgia Tech, USA

Copyright © 2018 ACM.

© 2018 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of the United States government. As such, the United States Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 29 May 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Army Research Laboratory

Conference

ASIA CCS '18

Sponsor:

SIGSAC

ASIA CCS '18: ACM Asia Conference on Computer and Communications Security

June 4, 2018

Incheon, Republic of Korea

Acceptance Rates

ASIACCS '18 Paper Acceptance Rate 52 of 310 submissions, 17%;

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
268
Total Downloads

Downloads (Last 12 months)13
Downloads (Last 6 weeks)0

Reflects downloads up to 28 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Wang SWang YZhan XWang YLiu YLuo XCheung SDwyer MDamian DZeller A(2022)AperProceedings of the 44th International Conference on Software Engineering10.1145/3510003.3510074(125-137)Online publication date: 21-May-2022
https://dl.acm.org/doi/10.1145/3510003.3510074
Baalous RPoet R(2020)Factors Affecting Users' Disclosure Decisions in Android Runtime Permissions Model2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)10.1109/TrustCom50675.2020.00147(1113-1118)Online publication date: Dec-2020
https://doi.org/10.1109/TrustCom50675.2020.00147
Nobakht MSui YSeneviratne AHu W(2020) PGFitJournal of Network and Computer Applications10.1016/j.jnca.2019.102509152:COnline publication date: 15-Feb-2020
https://dl.acm.org/doi/10.1016/j.jnca.2019.102509
Gasparis IQian ZSong CKrishnamurthy SGupta RYu P(2019)Figment: Fine-grained Permission Management for Mobile AppsIEEE INFOCOM 2019 - IEEE Conference on Computer Communications10.1109/INFOCOM.2019.8737436(1405-1413)Online publication date: Apr-2019
https://doi.org/10.1109/INFOCOM.2019.8737436

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten