Skip to main content

PriApp-Install: Learning User Privacy Preferences on Mobile Apps’ Installation

  • 295 Accesses

Part of the Lecture Notes in Computer Science book series (LNCS,volume 13620)


It is undeniable that smartphones play a vital role in our lives, as their applications (apps) can be used to access various services anytime and anywhere. Despite the benefits provided by mobile apps, there are risks connected to the release of personal and sensitive data. Understanding the potential privacy risks of installing an app based on its description or privacy policy could be challenging, especially for non-skilled users. In this paper, to assist users in their app selection process, we propose PriApp-Install, a privacy-aware app installation recommendation system. It leverages semi-supervised learning to learn individual privacy preferences w.r.t mobile app installation. Learning is done based on a rich set of features modelling both the app behavior w.r.t. personal data consumption and the benefits a user can get in installing the app. We tested four learning strategies on a real dataset by exploiting three participant groups: security and privacy experts, IT workers, and crowd workers. The obtained results show the effectiveness of our proposal.


  • Mobile apps
  • Privacy preferences and policies
  • Static analysis
  • Semi-supervised learning

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-031-21280-2_17
  • Chapter length: 18 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   84.99
Price excludes VAT (USA)
  • ISBN: 978-3-031-21280-2
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   109.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.


  1. 1.

  2. 2.

  3. 3.

  4. 4.

    Implementation is available at

  5. 5.

    Android app store:

  6. 6.

  7. 7.

    We presented the APIs list and dangerous permissions at

  8. 8.

    Arrays for the other personal data types can be similarly defined.

  9. 9.

    pp contains \(not\_specified\) if the policy does not specify any purpose.

  10. 10.

    If shared data are not specified in the privacy policy, 3pt is set to \(not\_specified\).

  11. 11.

    \(\theta \) parameters aim at optimizing the label probability.

  12. 12.

    argmax is used for finding the label (i.e., Y, N, MB) with the highest probability.

  13. 13.

    Failure to decompile was primarily due to code obfuscation.

  14. 14.

    On average, in our dataset, an app uses 6 APIs, 48 classes, and 238 functions/constants to collect personal data.

  15. 15.


  1. Alecakir, H., Can, B., Sen, S.: Attention: there is an inconsistency between Android permissions and application metadata! Int. J. Inf. Secur. 20, 797–815 (2021)

    CrossRef  Google Scholar 

  2. Borman, S.: The expectation maximization algorithm-a short tutorial. Submitted for Publication 41 (2004)

    Google Scholar 

  3. Feng, Y., et al.: AC-Net: assessing the consistency of description and permission in Android apps. IEEE Access 7, 57829–57842 (2019)

    CrossRef  Google Scholar 

  4. John, O.P., Srivastava, S., et al.: The Big-Five Trait Taxonomy: History, Measurement, and Theoretical Perspectives, vol. 2. University of California Berkeley (1999)

    Google Scholar 

  5. Jones, K.S., et al.: Readings in Information Retrieval. Morgan Kaufmann (1997)

    Google Scholar 

  6. Lin, J., et al.: Expectation and purpose: understanding users’ mental models of mobile app privacy through crowdsourcing. In: Proceedings of the 2012 ACM Conference on Ubiquitous Computing, pp. 501–510 (2012)

    Google Scholar 

  7. Martin, K., Shilton, K.: Putting mobile application privacy in context: an empirical study of user privacy expectations for mobile devices. Inf. Soc. 32(3), 200–216 (2016)

    CrossRef  Google Scholar 

  8. Nguyen, T.T., et al.: Measuring user perception for detecting unexpected access to sensitive resource in mobile apps. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, pp. 578–592 (2021)

    Google Scholar 

  9. Nigam, K., Ghani, R.: Analyzing the effectiveness and applicability of co-training. In: Proceedings of the Ninth International Conference on Information and Knowledge Management, pp. 86–93 (2000)

    Google Scholar 

  10. Olukoya, O., et al.: Security-oriented view of app behaviour using textual descriptions and user-granted permission requests. Comput. Secur. 89 (2020)

    Google Scholar 

  11. Polikar, R.: Ensemble based systems in decision making. IEEE Circuits Syst. Mag. 6(3), 21–45 (2006)

    CrossRef  Google Scholar 

  12. Polikar, R.: Ensemble learning. In: Zhang, C., Ma, Y. (eds.) Ensemble Machine Learning, pp. 1–34. Springer, Boston (2012).

    CrossRef  Google Scholar 

  13. Singh, A.K., et al.: Experimental analysis of Android malware detection based on combinations of permissions and API-calls. J. Comput. Virol. Hacking Tech. 15, 209–218 (2019)

    CrossRef  Google Scholar 

  14. Singh, B.C., Carminati, B., Ferrari, E.: Privacy-aware personal data storage (P-PDS): learning how to protect user privacy from external applications. IEEE Trans. Dependable Secure Comput. 18, 889–903 (2019)

    CrossRef  Google Scholar 

  15. Son, H.X., Carminati, B., Ferrari, E.: A risk assessment mechanism for Android apps. In: 2021 IEEE International Conference on Smart Internet of Things (SmartIoT), pp. 237–244. IEEE (2021)

    Google Scholar 

  16. Son, H.X., Carminati, B., Ferrari, E.: A risk estimation mechanism for Android apps based on hybrid analysis. Data Sci. Eng. 7, 242–252 (2022)

    CrossRef  Google Scholar 

  17. Taylor, V.F., Martinovic, I.: SecuRank: starving permission-hungry apps using contextual permission analysis. In: Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 43–52 (2016)

    Google Scholar 

  18. Taylor, V.F., et al.: There are many apps for that: quantifying the availability of privacy-preserving apps. In: ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 247–252 (2017)

    Google Scholar 

  19. Triguero, I., García, S., Herrera, F.: Self-labeled techniques for semi-supervised learning: taxonomy, software and empirical study. Knowl. Inf. Syst. 42(2), 245–284 (2015)

    CrossRef  Google Scholar 

  20. Van Engelen, J.E., Hoos, H.H.: A survey on semi-supervised learning. Mach. Learn. 109(2), 373–440 (2020)

    CrossRef  MathSciNet  MATH  Google Scholar 

  21. Van Kleek, M., et al.: Better the devil you know: exposing the data sharing practices of smartphone apps. In: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pp. 5208–5220 (2017)

    Google Scholar 

  22. Wilson, S., et al.: The creation and analysis of a website privacy policy corpus. In: Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics, pp. 1330–1340 (2016)

    Google Scholar 

  23. Wu, T., et al.: Catering to your concerns: automatic generation of personalised security-centric descriptions for Android apps. ACM Trans. Cyber-Phys. Syst. 3(4), 1–21 (2019)

    CrossRef  Google Scholar 

  24. Wu, Z., et al.: Enhancing fidelity of description in Android apps with category-based common permissions. IEEE Access 9, 105493–105505 (2021)

    CrossRef  Google Scholar 

  25. Xiao, J., et al.: An Android application risk evaluation framework based on minimum permission set identification. J. Syst. Softw. 163 (2020)

    Google Scholar 

  26. Zhang, L.L., et al.: Characterizing privacy risks of mobile apps with sensitivity analysis. IEEE Trans. Mob. Comput. 17(2), 279–292 (2017)

    CrossRef  Google Scholar 

Download references


This work has received funding from RAIS (Real-time analytics for the Internet of Sports), Marie Skłodowska-Curie Innovative Training Networks (ITN), under grant agreement No 813162 and from CONCORDIA, (Cybersecurity Competence Network) supported by H2020 Research and Innovation program under grant agreement No 830927. The content of this paper reflects only the authors’ view and the Agency and the Commission are not responsible for any use that may be made of the information it contains.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Ha Xuan Son .

Editor information

Editors and Affiliations

Appendix A: Metrics

Appendix A: Metrics

We use conventional measures to measure the effectiveness of the proposed learning approaches. In particular, since we have classes with three labels (Y, N, and M), we exploit a \(3\times 3\) confusion matrix, see Table 5, where columns represent predicted labels, rows possible actual value and cells denote error value (E) or true positive value (TP). From the confusion matrix, we define the evaluation metrics given in Table 6.

Table 5. Confusion matrix
Table 6. Metrics definition

Rights and permissions

Reprints and Permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Son, H.X., Carminati, B., Ferrari, E. (2022). PriApp-Install: Learning User Privacy Preferences on Mobile Apps’ Installation. In: Su, C., Gritzalis, D., Piuri, V. (eds) Information Security Practice and Experience. ISPEC 2022. Lecture Notes in Computer Science, vol 13620. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-21279-6

  • Online ISBN: 978-3-031-21280-2

  • eBook Packages: Computer ScienceComputer Science (R0)