Abstract
The Android operating system has seen phenomenal growth, and Android applications (Apps) have proliferated into mainstream usage across the globe. Are users informed by developers about everything an App does when they consent to install it from Google’s Play Store? In this paper, we propose a technique called MAPPER, which aggregates App permissions with the textual description for more precise enumeration of App permissions. We focus on whether the application description fully describes the permissions an App will request, and whether the user is made aware of those capabilities in order to make an informed decision to install or not install the App. We investigate permissions inferred from application descriptions and permissions declared in the Android manifest files of 1100+ Android applications. The MAPPER prototype finds a large number of Apps live on Google’s Play Store that do not inform users about permissions; more than three-fourths of them are over-privileged from this perspective, and their application descriptions need revision. Our work can also be used by App developers to better educate users.
Acknowledgments
We acknowledge reviewers and researchers at MNIT Jaipur, who helped us to refine the problem statement and provided valuable inputs during discussions. We acknowledge assistance from Shaikh Mamun Hoque, a sophomore at IIT Jammu, who helped us with two scripts for getting lists of URLs and downloading APK files. We thank Marcello Lins for his insight on how a web-based App crawler works and how to build an extensive URL list.
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Solanki, R.K., Laxmi, V., Gaur, M.S. (2020). MAPPER: Mapping Application Description to Permissions. In: Kallel, S., Cuppens, F., Cuppens-Boulahia, N., Hadj Kacem, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2019. Lecture Notes in Computer Science, vol 12026. Springer, Cham. https://doi.org/10.1007/978-3-030-41568-6_6
DOI: https://doi.org/10.1007/978-3-030-41568-6_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41567-9
Online ISBN: 978-3-030-41568-6
eBook Packages: Computer Science, Computer Science (R0)