Permission Evolution in the Android Ecosystem

Xuetao Wei, Lorenzo Gomez, Iulian Neamtiu, Michalis Faloutsos
Department of Computer Science and Engineering
University of California, Riverside

Outline
The Android Platform Basics
Dataset Description
Platform Permission Evolution
Third-Party Apps
Pre-Installed Apps
Suggestions
Conclusion

Android Platform
In this paper we studied all major API levels, from level 3 (April 2009) to level 15 (December 2011).

Android Apps
Third-party apps are available for download from Google Play and other app stores.
Pre-installed apps come along with the devices from the vendors.

Android Permissions
Protection Level: Normal, Dangerous, Signature, SignatureOrSystem
Functionality categories: Cost Money, Message, Personal Info, Location, Network, Accounts, Hardware Controls, Phone Calls, Storage, System Tools and Development Tools.

Apps Permissions Dataset
Third-Party Apps (237 apps with 1,703 versions)
1. 1,420 apps with 4,857 versions
2. We selected only those apps that had at least one version each year between 2009 and 2012.
3. We obtained the stable dataset of 237 apps with 1,703 versions, with each app's evolution spanning at least three years.

Apps Permissions Dataset (Cont.)
Pre-Installed Apps (346 apps with 1,714 versions)
1. We gathered the firmware of multiple phone vendors (HTC, Motorola, Samsung, and LG) from various online sources.
2. We unpacked the firmware and extracted the pre-installed apps inside.
3. We collected 69 firmware over the years which contained 346 pre-installed apps with 1,714 versions.

Apps Permissions Dataset (Cont.)
Permission collection
Use the tool aapt on each app version to extract the AndroidManifest.xml file.
Parse the manifest files to get the full list of the permissions used by each app version.
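
The parsing step above, extended to the per-version comparison the rest of the talk relies on. This is an added example, not the authors' tooling: it assumes each manifest has already been decoded to text XML, and the function names, the sample manifests and the small protection-level table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Constructed protection-level table for this sample only; a real run would
# read the levels from the platform manifest of the matching API level.
PROTECTION = {
    P + "VIBRATE": "normal",
    P + "ACCESS_COARSE_LOCATION": "dangerous",
    P + "ACCESS_FINE_LOCATION": "dangerous",
    P + "READ_CONTACTS": "dangerous",
}

def manifest(*perms):
    """Build a constructed, already-decoded AndroidManifest.xml string."""
    uses = "".join(f'<uses-permission android:name="{P}{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{uses}<application/></manifest>')

def permissions(manifest_xml):
    """Return the set of permissions requested via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (e.get(ANDROID_NS + "name") for e in root.iter("uses-permission"))
    return {n for n in names if n}  # skip malformed entries without a name

def evolution(versions):
    """Diff consecutive (version, manifest_xml) pairs, oldest first."""
    steps, prev = [], None
    for name, xml in versions:
        cur = permissions(xml)
        if prev is not None:
            added = cur - prev
            steps.append({
                "version": name,
                "added": sorted(added),
                "removed": sorted(prev - cur),
                "added_dangerous": sorted(
                    p for p in added if PROTECTION.get(p) == "dangerous"),
            })
        prev = cur
    return steps

SAMPLE = [  # constructed version history, not data from the study
    ("1.0", manifest("VIBRATE", "ACCESS_COARSE_LOCATION")),
    ("1.1", manifest("VIBRATE", "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION")),
    ("2.0", manifest("ACCESS_FINE_LOCATION", "READ_CONTACTS")),
]

if __name__ == "__main__":
    for step in evolution(SAMPLE):
        print(step)
```
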
The List of Permissions is Growing

The List of Permissions is Growing (Cont.)
We find that the Default, System_Tools and Development_Tools categories contribute to most of the increases.

Dangerous Group is Largest and Growing
Most of them are from personal data-related categories, e.g., PERSONAL_INFO, STORAGE and ACCOUNTS.

Why are Permissions Added or Deleted?
Because of new functionality: NFC, WiMAX, 4G…
Accommodate new smartphone features: READ_PROFILE and READ_SOCIAL_STREAM replace READ_OWNER_DATA.
Some permissions are made available to the public without being declared in the manifest: BACKUP_DATA

Why are Permissions Added or Deleted? (Cont.)

No Tendency Toward Finer-grained Permissions

Third-Party Apps Permission Additions Dominate

What is the primary cause for the permission additions?
Android apps became more aggressive in asking for resources, by asking for new permissions.

Apps Want More Dangerous Permissions
66.11% of permission increases in apps required at least one more Dangerous permission.

Macro Evolution Patterns
For all apps that have any permission change

Micro Evolution Patterns
Location Permission
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION

Permission Trajectories

Apps Are Becoming Over-privileged
To detect over-privilege, we ran the Stowaway tool on the stable dataset (1,703 app versions).

Apps Are Becoming Over-privileged (Cont.)

Pre-Installed Apps
62.61% of pre-installed apps do not change their permissions at all.

Pre-Installed Apps (Cont.)
The vendors also have the ability to define their own permissions inside the platform when they customize the Android platform for their devices.
HTC_APP_UPDATE
66.1% of pre-installed apps were over-privileged
HTCLogger

Suggestions
Securing the ecosystem must start at the Android platform.
App certification should enforce checks against over-privileged requests.
App permission evolution and fluctuation indicate developer confusion in selecting legitimate permissions.
Pre-installed apps need more security.

Conclusion
We have investigated how Android permissions and their use evolve in the Android ecosystem.
The number of permissions defined in the Android platform tends to increase.
Permissions cater to hardware manufacturers and their apps, rather than third-party developers.