Team for Research in Ubiquitous Secure Technology

Android Permissions Demystified
Adrienne Porter Felt, Dawn Song, David Wagner, Steve Hanna

Citation
Adrienne Porter Felt, Dawn Song, David Wagner, Steve Hanna. "Android Permissions Demystified". 18th ACM conference on Computer and communications security, ACM, 2011.

Abstract
Android provides third-party applications with an extensive API that includes access to phone hardware, settings, and user data. Access to privacy- and security-relevant parts of the API is controlled with an install-time application permission system. We study Android applications to determine whether Android developers follow least privilege with their permission requests. We built Stowaway, a tool that detects overprivilege in compiled Android applications. Stowaway determines the set of API calls that an application uses and then maps those API calls to permissions. We used automated testing tools on the Android API in order to build the permission map that is necessary for detecting overprivilege. We apply Stowaway to a set of 940 applications and find that about one-third are overprivileged. We investigate the causes of overprivilege and find evidence that developers are trying to follow least privilege but sometimes fail due to insufficient API documentation.
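The abstract describes the check at the heart of Stowaway: collect the API calls an application makes, map each call to the permission (or the set of alternative permissions) that gates it, and compare the union of those against what the manifest requests. The script below is an added example of that comparison, not Stowaway itself or any code from the paper. The manifest, the list of extracted API calls and the four-entry permission map are all constructed here for illustration; the real map was built by exhaustively testing the Android API and covers far more methods, and Stowaway obtains the call set by disassembling the app's Dalvik bytecode rather than taking it as a list.

```python
"""Toy overprivilege check in the spirit of Stowaway.

Added example for this page; not the paper's tool. The permission map, the
manifest and the API-call list are constructed inline so the check runs
offline. Map entries are an illustrative excerpt, assumed for this example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed excerpt of a permission map: fully qualified API method ->
# list of alternative permission sets, any one of which satisfies the call
# (getLastKnownLocation accepts either location permission, for instance).
PERMISSION_MAP = {
    "android.telephony.TelephonyManager.getDeviceId": [
        {"android.permission.READ_PHONE_STATE"}],
    "android.location.LocationManager.getLastKnownLocation": [
        {"android.permission.ACCESS_FINE_LOCATION"},
        {"android.permission.ACCESS_COARSE_LOCATION"}],
    "android.net.wifi.WifiManager.getConnectionInfo": [
        {"android.permission.ACCESS_WIFI_STATE"}],
    "android.hardware.Camera.open": [
        {"android.permission.CAMERA"}],
}

# Constructed manifest: a "flashlight" app that asks for more than it uses.
SAMPLE_MANIFEST = """<manifest xmlns:android="%s" package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>""" % ANDROID_NS

# Constructed stand-in for the call set a bytecode pass would extract.
SAMPLE_API_CALLS = [
    "android.hardware.Camera.open",
    "android.telephony.TelephonyManager.getDeviceId",
    "android.net.wifi.WifiManager.getConnectionInfo",
]


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")
            if el.get(NAME_ATTR)}


def analyze(manifest_xml, api_calls):
    """Compare requested permissions against those justified by API calls.

    A requested permission counts as justified if at least one used API call
    is satisfied by an alternative set containing it. Calls whose map entry
    is unsatisfied are underprivilege (the app would hit a SecurityException);
    calls absent from the map are reported so the map can be extended rather
    than silently treated as needing nothing.
    """
    requested = requested_permissions(manifest_xml)
    needed = set()
    underprivileged = []
    unmapped = []
    for call in api_calls:
        alternatives = PERMISSION_MAP.get(call)
        if alternatives is None:
            unmapped.append(call)
            continue
        satisfied = [alt for alt in alternatives if alt <= requested]
        if satisfied:
            for alt in satisfied:
                needed |= alt
        else:
            underprivileged.append((call, alternatives))
    return {
        "requested": requested,
        "overprivileged": requested - needed,
        "underprivileged": underprivileged,
        "unmapped": unmapped,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_MANIFEST, SAMPLE_API_CALLS)
    for key in ("overprivileged", "underprivileged", "unmapped"):
        print("%s: %s" % (key, sorted(map(str, report[key]))))
```

On the constructed input the report flags ACCESS_FINE_LOCATION and READ_CONTACTS as overprivilege (requested but justified by no call) and getConnectionInfo as underprivilege (used without ACCESS_WIFI_STATE). The alternative-set handling is what keeps the check conservative: an app that requests ACCESS_COARSE_LOCATION for getLastKnownLocation is not reported as overprivileged merely because the map also lists ACCESS_FINE_LOCATION.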

Citation formats  
  • HTML
    Adrienne Porter Felt, Dawn Song, David Wagner, Steve Hanna.
    <a href="http://www.truststc.org/pubs/848.html"
    >Android Permissions Demystified</a>, 18th ACM
    conference on Computer and communications security, ACM,
    2011.
  • Plain text
    Adrienne Porter Felt, Dawn Song, David Wagner, Steve Hanna.
    "Android Permissions Demystified". 18th ACM
    conference on Computer and communications security, ACM,
    2011.
  • BibTeX
    @inproceedings{FeltSongWagnerHanna12_AndroidPermissionsDemystified,
        author = {Adrienne Porter Felt and Dawn Song and David
                  Wagner and Steve Hanna},
        title = {Android Permissions Demystified},
        booktitle = {18th ACM conference on Computer and communications
                  security},
        organization = {ACM},
        year = {2011},
        abstract = {Android provides third-party applications with an
                  extensive API that includes access to phone
                  hardware, settings, and user data. Access to
                  privacy- and security-relevant parts of the API is
                  controlled with an install-time application
                  permission system. We study Android applications
                  to determine whether Android developers follow
                  least privilege with their permission requests. We
                  built Stowaway, a tool that detects overprivilege
                  in compiled Android applications. Stowaway
                  determines the set of API calls that an
                  application uses and then maps those API calls to
                  permissions. We used automated testing tools on
                  the Android API in order to build the permission
                  map that is necessary for detecting overprivilege.
                  We apply Stowaway to a set of 940 applications and
                  find that about one-third are overprivileged. We
                  investigate the causes of overprivilege and find
                  evidence that developers are trying to follow
                  least privilege but sometimes fail due to
                  insufficient API documentation.},
        URL = {http://www.truststc.org/pubs/848.html}
    }
    

Posted by Mary Stewart on 4 Apr 2012.
For additional information, see the Publications FAQ or contact webmaster at www truststc org.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.