
Automatically Granted Permissions in Android apps: An Empirical Study on their Prevalence and on the Potential Threats for Privacy

conference contribution
posted on 2023-11-29, 18:14, authored by Paolo Calciati, Konstantin Kuznetsov, Alessandra Gorla, Andreas Zeller
Developers continuously update their Android apps to keep up with competitors in the market. Such constant updates do not bother end users, since by default the Android platform automatically pushes the most recent compatible release to the device, unless there are major changes in the list of requested permissions that users have to explicitly grant. The lack of explicit user approval for each application update, however, may lead to significant risks for the end user, as the new release may include new subtle behaviors which may be privacy-invasive. The introduction of permission groups in the Android permission model makes this problem even worse: if a user gives a single permission within a group, the application can silently request further permissions in this group with each update, without having to ask the user. In this paper, we explain the threat that permission groups may pose for the privacy of Android users. We run an empirical study on 2,865,553 app releases, and we show that in a representative app store more than ~17% of apps request at least once in their lifetime new dangerous permissions that the operating system grants without any user approval. Our analyses show that apps actually use over 56% of such automatically granted permissions, although most of their descriptions do not explicitly explain for what purposes. Finally, our manual inspection reveals clear abuses by apps that leak sensitive data such as the user's accurate location, list of contacts, history of phone calls, and emails, which are protected by permissions that the user never explicitly acknowledges.

Preferred Citation

Paolo Calciati, Konstantin Kuznetsov, Alessandra Gorla and Andreas Zeller. Automatically Granted Permissions in Android apps: An Empirical Study on their Prevalence and on the Potential Threats for Privacy. In: The International Conference on Mining Software Repositories (MSR). 2020.

Primary Research Area

  • Secure Connected and Mobile Systems

Secondary Research Area

  • Threat Detection and Defenses

Name of Conference

The International Conference on Mining Software Repositories (MSR)

Legacy Posted Date

2020-11-30

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_3300,
  title = "Automatically Granted Permissions in Android apps: An Empirical Study on their Prevalence and on the Potential Threats for Privacy",
  author = "Calciati, Paolo and Kuznetsov, Konstantin and Gorla, Alessandra and Zeller, Andreas",
  booktitle = "{The International Conference on Mining Software Repositories (MSR)}",
  year = "2020",
}
