DOI: 10.1145/3292006.3300027

REAPER: Real-time App Analysis for Augmenting the Android Permission System

Published: 13 March 2019

Abstract

Android's app ecosystem relies heavily on third-party libraries as they facilitate code development and provide a steady stream of revenue for developers. However, while Android has moved towards a more fine-grained runtime permission system, users currently lack the required resources for deciding whether a specific permission request is actually intended for the app itself or is requested by possibly dangerous third-party libraries. In this paper we present Reaper, a novel dynamic analysis system that traces the permissions requested by apps in real time and distinguishes those requested by the app's core functionality from those requested by third-party libraries linked with the app. We implement a sophisticated UI automator and conduct an extensive evaluation of our system's performance and find that Reaper introduces negligible overhead, rendering it suitable both for end users (by integrating it in the OS) and for deployment as part of an official app vetting process. Our study on over 5K popular apps demonstrates the large extent to which personally identifiable information is being accessed by libraries and highlights the privacy risks that users face. We find that an impressive 65% of the permissions requested do not originate from the core app but are issued by linked third-party libraries, 37.3% of which are used for functionality related to ads, tracking, and analytics. Overall, Reaper enhances the functionality of Android's runtime permission model without requiring OS or app modifications, and provides the necessary contextual information that can enable users to selectively deny permissions that are not part of an app's core functionality.
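The abstract describes attributing each permission request to either the app's core code or a linked third-party library. The script below is an added illustration of that attribution idea and of the aggregate figures the abstract reports; it is not Reaper's code and does not claim to reproduce its mechanism. It assumes that the call stack at the moment a permission-protected API is invoked has been captured (by whatever hook or tracer is in use) and that a catalogue of known library package prefixes is available. The app package name, the library catalogue and the stack traces are constructed sample data.

```python
"""Attribute permission requests to app core code or to third-party libraries
from the call stack seen when a permission-protected API is invoked.

Added example (not Reaper's implementation). Assumes stacks were captured
elsewhere; all packages, libraries and traces below are constructed."""
from collections import Counter
from dataclasses import dataclass

# Framework packages never "own" a request: skip them while walking outward.
FRAMEWORK_PREFIXES = ("android.", "androidx.", "java.", "javax.", "dalvik.", "com.android.")

# Hypothetical catalogue: package prefix -> (library name, purpose category).
# A real deployment would derive this from a library repository.
LIBRARY_CATALOGUE = {
    "com.example.adsdk": ("ExampleAds", "ads"),
    "com.example.analytics": ("ExampleAnalytics", "analytics"),
    "com.example.imageloader": ("ImageLoader", "utility"),
}


@dataclass
class PermissionEvent:
    permission: str
    frames: list  # "package.Class.method" strings, innermost frame first


def class_of(frame):
    """Drop the method name from a 'package.Class.method' frame."""
    return frame.rsplit(".", 1)[0]


def in_package(cls, prefix):
    return cls == prefix or cls.startswith(prefix + ".")


def attribute(event, app_package):
    """Return (origin, category) for one request.

    The first non-framework frame outward from the API call decides: a
    catalogued library wins over the app package (libraries can be
    repackaged under the app's namespace), and anything unrecognised, such
    as an obfuscated library, is reported as 'unknown' rather than guessed."""
    for frame in event.frames:
        cls = class_of(frame)
        if cls.startswith(FRAMEWORK_PREFIXES):
            continue
        for prefix, (library, category) in LIBRARY_CATALOGUE.items():
            if in_package(cls, prefix):
                return library, category
        if in_package(cls, app_package):
            return "core", "core"
        return "unknown", "unknown"
    return "unknown", "unknown"


def summarise(events, app_package):
    """Aggregate attributions the way the abstract reports them: share of
    requests issued by libraries, and share of those used for ads/analytics/tracking."""
    origins, categories = Counter(), Counter()
    for event in events:
        origin, category = attribute(event, app_package)
        origins[origin] += 1
        categories[category] += 1
    total = sum(origins.values())
    library_requests = total - origins["core"] - origins["unknown"]
    tracking = sum(categories[c] for c in ("ads", "analytics", "tracking"))
    return {
        "total": total,
        "by_origin": dict(origins),
        "library_share": round(100 * library_requests / total, 1) if total else 0.0,
        "tracking_share_of_library": round(100 * tracking / library_requests, 1) if library_requests else 0.0,
    }


# Constructed sample: one app, five captured permission-protected calls.
APP = "com.example.weatherapp"
SAMPLE_EVENTS = [
    PermissionEvent("ACCESS_FINE_LOCATION", [
        "android.location.LocationManager.getLastKnownLocation",
        "com.example.weatherapp.ForecastActivity.refresh",
        "android.app.Activity.performResume"]),
    PermissionEvent("ACCESS_FINE_LOCATION", [
        "android.location.LocationManager.getLastKnownLocation",
        "com.example.adsdk.Targeting.collectLocation",
        "com.example.adsdk.AdView.load",
        "com.example.weatherapp.ForecastActivity.onCreate"]),
    PermissionEvent("READ_PHONE_STATE", [
        "android.telephony.TelephonyManager.getDeviceId",
        "com.example.analytics.DeviceInfo.identifiers",
        "com.example.weatherapp.App.onCreate"]),
    PermissionEvent("READ_EXTERNAL_STORAGE", [
        "android.os.Environment.getExternalStorageDirectory",
        "com.example.imageloader.DiskCache.open",
        "com.example.weatherapp.IconProvider.load"]),
    PermissionEvent("READ_CONTACTS", [  # obfuscated caller: attributed as unknown
        "android.content.ContentResolver.query",
        "a.b.c.d",
        "com.example.weatherapp.MainActivity.onStart"]),
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event.permission, "<-", attribute(event, APP))
    print(summarise(SAMPLE_EVENTS, APP))
```

On the sample data, three of five requests are attributed to libraries (60%), two of those three to ads or analytics. Walking outward from the API call rather than inward from the entry point matters: the second event is ultimately triggered by the app's Activity, but the location is collected by the ad SDK, which is the attribution a user deciding whether to deny the permission would want to see.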




Published In

CODASPY '19: Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy
March 2019
373 pages
ISBN:9781450360999
DOI:10.1145/3292006
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. android
  2. dynamic analysis
  3. permission origin
  4. personally identifiable information
  5. third-party libraries

Qualifiers

  • Research-article

Conference

CODASPY '19

Acceptance Rates

Overall Acceptance Rate 149 of 789 submissions, 19%

Article Metrics

  • Downloads (Last 12 months)49
  • Downloads (Last 6 weeks)5
Reflects downloads up to 13 Feb 2025

Cited By

  • (2024) Measuring and Characterizing (Mis)compliance of the Android Permission System. IEEE Transactions on Software Engineering 50(4), 742-764. DOI: 10.1109/TSE.2024.3362921. Apr 2024.
  • (2024) Dynamic Security Analysis on Android: A Systematic Literature Review. IEEE Access 12, 57261-57287. DOI: 10.1109/ACCESS.2024.3390612. 2024.
  • (2023) VEDRANDO: A Novel Way to Reveal Stealthy Attack Steps on Android through Memory Forensics. Journal of Cybersecurity and Privacy 3(3), 364-395. DOI: 10.3390/jcp3030019. 10 Jul 2023.
  • (2023) Demand-driven Information Flow Analysis of WebView in Android Hybrid Apps. 2023 IEEE 34th International Symposium on Software Reliability Engineering (ISSRE), 415-426. DOI: 10.1109/ISSRE59848.2023.00020. 9 Oct 2023.
  • (2023) App Permission Classification dynamic Model (APCM). 2023 14th International Conference on Computing Communication and Networking Technologies (ICCCNT), 1-6. DOI: 10.1109/ICCCNT56998.2023.10307201. 6 Jul 2023.
  • (2023) Devils in Your Apps: Vulnerabilities and User Privacy Exposure in Mobile Notification Systems. 2023 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN), 28-41. DOI: 10.1109/DSN58367.2023.00017. Jun 2023.
  • (2023) A Small Leak Will Sink Many Ships: Vulnerabilities Related to mini-programs Permissions. 2023 IEEE 47th Annual Computers, Software, and Applications Conference (COMPSAC), 595-606. DOI: 10.1109/COMPSAC57700.2023.00085. Jun 2023.
  • (2022) An Android Malware Detection Leveraging Machine Learning. Wireless Communications & Mobile Computing 2022. DOI: 10.1155/2022/1830201. 1 Jan 2022.
  • (2022) Exploring the security and privacy risks of chatbots in messaging services. Proceedings of the 22nd ACM Internet Measurement Conference, 581-588. DOI: 10.1145/3517745.3561433. 25 Oct 2022.
  • (2022) Aper. Proceedings of the 44th International Conference on Software Engineering, 125-137. DOI: 10.1145/3510003.3510074. 21 May 2022.
