Enhancing Users’ Comprehension of Android Permissions

Liu Yang, Nader Boushehrinejad, Pallab Roy, Vinod Ganapathy, Liviu Iftode

Department of Computer ScienceRutgers University

Android Apps

Social networking

Gaming

Entertainment

Communication

Transportation

Sports…

Online shopping

Resources on Android

App-based Permission Model: An Example

This app requests the following resources:Your accounts, your locations, your messages, network communication, your personal information, phone calls, system tools, …(39 permission in total)

App installed if user approves the request

No install if user rejects the request

Users Puzzled by Permissions

• 3% of users correctly answer three permission questions [Felt. et al. SOUPS’12, Kelly et al., USEC’12]– A lot of permissions defined (134, Android 2.2)– Not always self-explanatory, e.g.,

SUBSCRIBED_FEEDS_READ, WRITE_SYN_SETTINGS, …

• Confusion exists for developers [Felt et al. CCS’11]

Permission Misuse

LocationsIMEI ContactsIMEI

Phone number

com.antivirus com.kayak.android com.taskos com.kakao.talk com.myyearbook.m

[Hornyack et al., AppFence, CCS’11]

[Lin et al., Ubicom’12]

Locations: 45/110 apps

IMEI: 31/110 apps

Contacts: 7/110 apps

Phone#: 5/110 apps

com.facebook

Contacts

Our Contribution

• Enhancing users’ comprehension of permissions using crowdsourcing– Permission usage commented by app users– Permission comments shared among users

• Designing Droidganger which provides clues of permission usage– Record/replay + permission suppression

• Feasibility study

Architecture Overview

Permission comments

Permission comments

Permission comments

Comments Processing Server (CPS)

Droidganger

Droidganger

Droidganger

Permission comments aggregation and presentation

Internet

Crowdsourcing

• Users of same apps form user communities• Users use Droidganger to help permission

understanding• Each user reviews one permission (small task)• More users

– more permissions covered– more execution paths covered– more apps covered

Intuition of Droidganger

Permission changes

Capability changes

App behavior changes

Q: Behavior changes visible or understandable?

Q: How to capture changes? A: Record/replay + permission suppression

Overview of Droidganger

Record(all permissions

granted)

Replay(a permission suppressed)

Deviation Detection

User inputs permission comments

Execution trace

To Comment Processing Server

Record and Replay

• Record app execution– non-deterministic inputs and events, e.g.,

keystrokes, touches/drags, etc. (saved as a trace)– outputs, e.g., screenshots, etc.

• Replay a trace– each time a different permission suppressed– snapshots taken for comparison

Deviation Detection

SnapshotsSnapshotsSnapshots

SnapshotsSnapshotsSnapshots

Record phase Replay phase

Difference detector

User comments on detected difference

Comment Processing Server

Comments grouped by apps and permissions

Comments aggregation

Comments presented for pubic access

Feasibility Study

• Implementation of Droidganger– Android 4.0 + Emulator– Record: Intercepting KeyEvents and MotionEvents– Compiling events to Python scripts– Replaying scripts with Monkeyrunner

• Data Sets– AngryBirds Rio (6 permissions)– Antivirus (39 permissions)

Observations

Pairs of screenshots of AngryBirds

(a) Record stage (all requested permissions granted)

(b) Replay stage (INTERNET permission suppressed)

Observations (cont.)

Record Replay

(all requested permissions granted)

WRITE_SYNC_SETTINGS permission suppressed

Observations (cont.)Summary of observed effects with replay + permission suppression

Meaningful: permission suppression provides helpful clues of purposes of permissionsCrashed: app crashed due to permission suppressionSyslog only: execution deviation was only captured by syslogNone: no difference was observed with permission suppression

Challenges

• Network proxy: recording network traffic• Randomness, e.g., card games, etc.• Non-repeatable execution, e.g., online

payments, etc.• Application failure when permission

suppressed• User incentives

Comparison to Privacy as Expectations (PAE) [Lin et al., Ubicomp’12]

capturing users’ expectations on privacy

PAE Our work

Goals: improving users’ comprehension of permissions

Objects: Access to privacy related resources

Permissions requested by apps

Techs: CrowdsourcingTaintDroidNew interfaces

CrowdsourcingRecord/replay +Permission suppression

Related Work

• Information flow and permission misuse– AppFence [Hornyack et al., CCS’11]– TaintDroid [Enck et al., OSDI’10]– Permission demystified [Felt et al., CCS’11]

• Privacy-preserving– Apex [Nauman et al., AsiaCCS’10]– MockDroid [Beresford et al., Hotmobile’11]

• Permission comprehension and attention– [Felt et al., SOUPS’12], [Kelley et al., USEC’12]– [Lin et al., Ubicom’12]

Conclusion

• Crowdsourcing– Collections of users help each other on permission

understanding• Record/replay + permission suppression:

– Changes of app behavior provide clues of permission usage

• Feasibility study– Droidganger providing helpful clues on permission

usage