
Automated Android application permission recommendation

Abstract

The number of Android applications has grown rapidly as Android has become the dominant smartphone platform. Security and privacy are key factors in an Android application's success. Android enforces security and privacy through a permission mechanism: developers must declare the sensitive resources their applications require, and users must agree to the requested permissions at installation or at runtime. In practice, however, permission misuse is widespread, even though Android provides official documentation on how to use permissions properly. Data mining techniques (e.g., association rule mining) have been proposed to better recommend the permissions an API requires. In this paper, building on techniques commonly used in recommendation systems, we propose two novel approaches that improve on this prior work. The first uses collaborative filtering, motivated by the intuition that apps with similar features, as inferred from the APIs they call, usually require similar permissions. The second recommends permissions with a text mining technique: a naive Bayes multinomial classifier trained on app descriptions. We evaluate both approaches on 936 Android apps from F-Droid, a repository of free and open source Android applications, and find that they yield a significant improvement over the baseline approach in precision, recall, F1-score, and MAP of the top-k results.
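The collaborative-filtering idea in the abstract (apps that call similar APIs tend to need similar permissions) and the top-k evaluation it mentions, shown as an added example; this is not the paper's code and it does not use the paper's F-Droid data. It assumes cosine similarity over binary API-usage vectors, a similarity-weighted vote among the most API-similar apps, and a constructed toy corpus: the app names are invented, and while the API and permission identifiers are real Android ones, the pairings are illustrative. The query app writes only to app-private storage, so in this constructed ground truth it needs CAMERA and INTERNET but not WRITE_EXTERNAL_STORAGE; the recommender still ranks WRITE_EXTERNAL_STORAGE first because every neighbour declares it, which is exactly the over-declaration that a developer reviewing recommendations should watch for.

```python
"""Collaborative-filtering permission recommendation over API usage, with
top-k precision/recall/F1 and MAP. Added illustration, not the paper's code."""
import math
from collections import Counter

# Constructed toy corpus (not the paper's data set): app name ->
# (set of API signatures the app calls, set of permissions it declares).
# App names are invented; API/permission identifiers are real Android ones,
# but the pairings are illustrative only.
APPS = {
    "photo_share": (
        {"android.hardware.Camera.open", "java.net.HttpURLConnection.connect",
         "java.io.FileOutputStream.write"},
        {"android.permission.CAMERA", "android.permission.INTERNET",
         "android.permission.WRITE_EXTERNAL_STORAGE"}),
    "photo_editor": (
        {"android.hardware.Camera.open", "java.io.FileOutputStream.write",
         "android.graphics.BitmapFactory.decodeFile"},
        {"android.permission.CAMERA", "android.permission.WRITE_EXTERNAL_STORAGE"}),
    "weather": (
        {"java.net.HttpURLConnection.connect",
         "android.location.LocationManager.getLastKnownLocation"},
        {"android.permission.INTERNET", "android.permission.ACCESS_FINE_LOCATION"}),
    "voice_memo": (
        {"android.media.MediaRecorder.start", "java.io.FileOutputStream.write"},
        {"android.permission.RECORD_AUDIO", "android.permission.WRITE_EXTERNAL_STORAGE"}),
    "contacts_backup": (
        {"android.content.ContentResolver.query", "java.net.HttpURLConnection.connect",
         "android.database.Cursor.getString"},
        {"android.permission.READ_CONTACTS", "android.permission.INTERNET"}),
    "run_tracker": (
        {"android.location.LocationManager.requestLocationUpdates",
         "java.net.HttpURLConnection.connect", "java.io.FileOutputStream.write",
         "android.content.SharedPreferences.Editor.putString"},
        {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET",
         "android.permission.WRITE_EXTERNAL_STORAGE"}),
}

# Query app (constructed): camera + network + app-private files, so the
# ground-truth permission set is CAMERA and INTERNET only.
NEW_APP_APIS = {"android.hardware.Camera.open", "java.net.HttpURLConnection.connect",
                "java.io.FileOutputStream.write"}
NEW_APP_PERMS = {"android.permission.CAMERA", "android.permission.INTERNET"}

def cosine(a, b):
    """Cosine similarity of two API sets viewed as binary vectors."""
    if not a or not b:
        return 0.0
    return len(a & b) / math.sqrt(len(a) * len(b))

def recommend(target_apis, corpus, n_neighbors=3):
    """Rank permissions by the similarity-weighted vote of the n most
    API-similar apps in the corpus. Returns [(permission, score), ...]."""
    sims = sorted(((cosine(target_apis, apis), name) for name, (apis, _) in corpus.items()),
                  key=lambda t: (-t[0], t[1]))  # tie-break on name for determinism
    neighbors = [(s, n) for s, n in sims if s > 0][:n_neighbors]
    total = sum(s for s, _ in neighbors)
    scores = Counter()
    for sim, name in neighbors:
        for perm in corpus[name][1]:
            scores[perm] += sim / total  # each neighbour's vote weighted by similarity
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def precision_at_k(ranked, relevant, k):
    return sum(p in relevant for p, _ in ranked[:k]) / k

def recall_at_k(ranked, relevant, k):
    if not relevant:
        return 0.0
    return sum(p in relevant for p, _ in ranked[:k]) / len(relevant)

def f1_at_k(ranked, relevant, k):
    p, r = precision_at_k(ranked, relevant, k), recall_at_k(ranked, relevant, k)
    return 0.0 if p + r == 0 else 2 * p * r / (p + r)

def average_precision(ranked, relevant):
    """AP of one ranked list; MAP is the mean of AP over all query apps."""
    if not relevant:
        return 0.0
    hits, acc = 0, 0.0
    for rank, (perm, _) in enumerate(ranked, start=1):
        if perm in relevant:
            hits += 1
            acc += hits / rank
    return acc / len(relevant)

def leave_one_out(corpus, k=3, n_neighbors=3):
    """Hold each app out in turn, recommend from the rest, average the metrics."""
    rows = []
    for name, (apis, perms) in corpus.items():
        rest = {n: v for n, v in corpus.items() if n != name}
        ranked = recommend(apis, rest, n_neighbors)
        rows.append((precision_at_k(ranked, perms, k), recall_at_k(ranked, perms, k),
                     f1_at_k(ranked, perms, k), average_precision(ranked, perms)))
    n = len(rows)
    return {"P@k": sum(r[0] for r in rows) / n, "R@k": sum(r[1] for r in rows) / n,
            "F1@k": sum(r[2] for r in rows) / n, "MAP": sum(r[3] for r in rows) / n}

if __name__ == "__main__":
    ranked = recommend(NEW_APP_APIS, APPS)
    for perm, score in ranked:
        print(f"{score:.3f}  {perm}")
    print("P@3 =", precision_at_k(ranked, NEW_APP_PERMS, 3), "R@3 =",
          recall_at_k(ranked, NEW_APP_PERMS, 3), "AP =", average_precision(ranked, NEW_APP_PERMS))
    print("leave-one-out:", leave_one_out(APPS))
```

For the query app the three nearest neighbours are photo_share, photo_editor and run_tracker; WRITE_EXTERNAL_STORAGE is scored 1.0 because all three declare it, CAMERA and INTERNET follow, and ACCESS_FINE_LOCATION trails. Against the constructed ground truth this gives precision@3 of 2/3, recall@3 of 1.0 and an average precision of 7/12, which is the kind of per-app number the paper averages into its MAP. The leave-one-out loop is the simplest way to get corpus-level numbers without a separate test split.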



Acknowledgements

This work was supported by National Natural Science Foundation of China (Grant Nos. 61602403, 61572426), and National Key Technology R&D Program of the Ministry of Science and Technology of China (Grant No. 2015BAH17F01).

Author information

Correspondence to Xin Xia.


Cite this article

Bao, L., Lo, D., Xia, X. et al. Automated Android application permission recommendation. Sci. China Inf. Sci. 60, 092110 (2017). https://doi.org/10.1007/s11432-016-9072-3


Keywords

  • Android
  • permission recommendation
  • association rule
  • collaborative filtering
  • text mining