Skip to main content

To Allow, or Deny? That is the Question

  • Conference paper
  • First Online:
HCI for Cybersecurity, Privacy and Trust (HCII 2020)

Abstract

The Android ecosystem is dynamic and diverse. Controls have been set in place to allow mobile device users to regulate exchanged data and restrict apps from accessing sensitive personal information and system resources. Modern versions of the operating system implement the run-time permission model which prompts users to allow access to protected resources the moment an app attempts to utilize them. It is assumed that, in general, the run-time permission model, compared to its predecessor, enhances users’ security awareness. In this paper we show that installed apps on Android devices are able to employ the systems’ public assets and extract users’ permission settings. Then we utilize permission data from 71 Android devices to create privacy profiles based on users’ interaction with permission dialogues initiated by the system during run-time. Therefore, we demonstrate that any installed app that runs on the foreground can perform an endemic live digital forensic analysis on the device and derive similar privacy profiles of the user. Moreover, focusing on the human factors of security, we show that although in theory users can control the resources they make accessible to apps, they eventually fail to successfully recall these settings, even for the apps that they regularly use. Finally, we briefly discuss our findings derived from a pen-and-paper exercise showcasing that users are more likely to allow apps to access their location data on contemporary mobile devices (running version Android 10).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    The dataset can be found at the UWE Research Repository: Output ID: 5296390.

References

  1. Andriotis, P., Sasse, M.A., Stringhini, G.: Permissions snapshots: assessing users’ adaptation to the android runtime permission model. In: 2016 IEEE International Workshop on Information Forensics and Security (WIFS), pp. 1–6, December 2016. https://doi.org/10.1109/WIFS.2016.7823922

  2. Andriotis, P., Li, S., Spyridopoulos, T., Stringhini, G.: A comparative study of android users’ privacy preferences under the runtime permission model. In: Tryfonas, T. (ed.) HAS 2017. LNCS, vol. 10292, pp. 604–622. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-58460-7_42

    Chapter  Google Scholar 

  3. Andriotis, P., Stringhini, G., Sasse, M.A.: Studying users’ adaptation to android’s run-time fine-grained access control system. J. Inf. Secur. Appl. 40, 31–43 (2018). https://doi.org/10.1016/j.jisa.2018.02.004

    Article  Google Scholar 

  4. Android Developers: Distribution dashboard (2019). https://developer.android.com/about/dashboards. Accessed 13 Oct 2019

  5. AOSP: Tristate Location Permissions (2020). https://source.android.com/devices/tech/config/tristate-perms. Accessed 31 Jan 2020

  6. Bonné, B., Peddinti, S.T., Bilogrevic, I., Taft, N.: Exploring decision making with android’s runtime permission dialogs using in-context surveys. In: Thirteenth Symposium on Usable Privacy and Security (\(\{\)SOUPS\(\}\) 2017), pp. 195–210 (2017)

    Google Scholar 

  7. Diamantaris, M., Papadopoulos, E.P., Markatos, E.P., Ioannidis, S., Polakis, J.: REAPER: real-time app analysis for augmenting the android permission system. In: Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy, pp. 37–48. ACM (2019). https://doi.org/10.1145/3292006.3300027

  8. Felt, A.P., Egelman, S., Wagner, D.: I’ve got 99 problems, but vibration ain’t one: a survey of smartphone users’ concerns. In: Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices, pp. 33–44. ACM (2012). https://doi.org/10.1145/2381934.2381943

  9. Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012, pp. 3:1–3:14. ACM, New York (2012). https://doi.org/10.1145/2335356.2335360

  10. Hossen, M.Z., Mannan, M.: On understanding permission usage contextuality in android apps. In: Kerschbaum, F., Paraboschi, S. (eds.) DBSec 2018. LNCS, vol. 10980, pp. 232–242. Springer, Heidelberg (2018). https://doi.org/10.1007/978-3-319-95729-6_15

    Chapter  Google Scholar 

  11. Iqbal, M.S., Zulkernine, M.: Droid mood swing (DMS): automatic security modes based on contexts. In: Nguyen, P., Zhou, J. (eds.) ISC 2017. LNCS, vol. 10599, pp. 329–347. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-69659-1_18

    Chapter  Google Scholar 

  12. Likert, R.: A technique for the measurement of attitudes. Arch. Psychol. (1932)

    Google Scholar 

  13. Lin, J., Liu, B., Sadeh, N., Hong, J.I.: Modeling users mobile app privacy preferences: restoring usability in a sea of permission settings. In: 10th Symposium On Usable Privacy and Security (\(\{\)SOUPS\(\}\) 2014), pp. 199–212 (2014)

    Google Scholar 

  14. Liu, B., et al.: Follow my recommendations: a personalized privacy assistant for mobile app permissions. In: Symposium on Usable Privacy and Security (2016)

    Google Scholar 

  15. Pedregosa, F., et al.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)

    MathSciNet  MATH  Google Scholar 

  16. Raval, N., Razeen, A., Machanavajjhala, A., Cox, L.P., Warfield, A.: Permissions plugins as android apps. In: Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services, pp. 180–192. ACM (2019). https://doi.org/10.1145/3307334.3326095

  17. Reardon, J., Feal, Á., Wijesekera, P., Elazari Bar On, A., Vallina-Rodriguez, N., Egelman, S.: 50 ways to leak your data: an exploration of apps’ circumvention of the android permissions systems. In: 28th USENIX Security Symposium (2019)

    Google Scholar 

  18. Reinfelder, L., Schankin, A., Russ, S., Benenson, Z.: An inquiry into perception and usage of smartphone permission models. In: Furnell, S., Mouratidis, H., Pernul, G. (eds.) TrustBus 2018. LNCS, vol. 11033, pp. 9–22. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-98385-1_2

    Chapter  Google Scholar 

  19. Scoccia, G.L., Ruberto, S., Malavolta, I., Autili, M., Inverardi, P.: An investigation into android run-time permissions from the end users’ perspective. In: Proceedings of the 5th International Conference on Mobile Software Engineering and Systems, pp. 45–55. ACM (2018). https://doi.org/10.1145/3197231.3197236

  20. Thompson, C., Johnson, M., Egelman, S., Wagner, D., King, J.: When it’s better to ask forgiveness than get permission: attribution mechanisms for smartphone resources. In: Proceedings of the Ninth Symposium on Usable Privacy and Security, p. 1. ACM (2013). https://doi.org/10.1145/2501604.2501605

  21. Votipka, D., Rabin, S.M., Micinski, K., Gilray, T., Mazurek, M.L., Foster, J.S.: User comfort with android background resource accesses in different contexts. In: Fourteenth Symposium on Usable Privacy and Security (\(\{\)SOUPS\(\}\) 2018), pp. 235–250 (2018)

    Google Scholar 

  22. Wijesekera, P., et al.: The feasibility of dynamically granted permissions: aligning mobile privacy with user preferences. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 1077–1093, May 2017. https://doi.org/10.1109/SP.2017.51

  23. Wijesekera, P., et al.: Contextualizing privacy decisions for better prediction (and protection). In: Proceedings of the 2018 CHI Conference on Human Factors in Computing Systems, p. 268. ACM (2018). https://doi.org/10.1145/3173574.3173842

Download references

Acknowledgment

This work has been supported by the UWE Bristol Vice-Chancellor’s Early Career Researcher Awards 2017–2018 and the Great Britain Sasakawa Foundation (No. 5303/2017).

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Panagiotis Andriotis .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Andriotis, P., Takasu, A. (2020). To Allow, or Deny? That is the Question. In: Moallem, A. (eds) HCI for Cybersecurity, Privacy and Trust. HCII 2020. Lecture Notes in Computer Science(), vol 12210. Springer, Cham. https://doi.org/10.1007/978-3-030-50309-3_20

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-50309-3_20

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-50308-6

  • Online ISBN: 978-3-030-50309-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics