MAPPER: Mapping Application Description to Permissions

  • Conference paper
Risks and Security of Internet and Systems (CRiSIS 2019)

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 12026)

Abstract

The Android operating system has seen phenomenal growth, and Android applications (Apps) have proliferated into mainstream usage across the globe. Are users informed by developers about everything an App does when they consent to install it from Google’s Play Store? In this paper, we propose a technique called MAPPER, which aggregates App permissions with the textual description for more precise enumeration of App permissions. We focus on whether the application description fully describes the permissions an App will ask for, and whether the user is made aware of those possible capabilities so as to make an informed decision on whether to install the App. We investigate permissions inferred from application descriptions and permissions declared in the Android manifest files of 1100+ Android applications. The MAPPER prototype finds a large number of Apps live on Google’s Play Store that do not inform users about permissions; more than three-fourths of them are over-privileged from this perspective, and their application descriptions need revision. Our work can also be used by App developers to educate users in a better way.

Acknowledgments

We acknowledge the reviewers and the researchers at MNIT Jaipur, who helped us refine the problem statement and provided valuable inputs during discussions. We acknowledge assistance from Shaikh Mamun Hoque, a sophomore at IIT Jammu, who helped us with two scripts for getting lists of URLs and downloading APK files. We thank Marcello Lins for his insight on how a web-based App crawler works and how to build an extensive URL list.

Author information

Correspondence to Rajendra Kumar Solanki, Vijay Laxmi or Manoj Singh Gaur.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Solanki, R.K., Laxmi, V., Gaur, M.S. (2020). MAPPER: Mapping Application Description to Permissions. In: Kallel, S., Cuppens, F., Cuppens-Boulahia, N., Hadj Kacem, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2019. Lecture Notes in Computer Science, vol 12026. Springer, Cham. https://doi.org/10.1007/978-3-030-41568-6_6

  • DOI: https://doi.org/10.1007/978-3-030-41568-6_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-41567-9

  • Online ISBN: 978-3-030-41568-6

  • eBook Packages: Computer Science (R0)
