Abstract
The boom of the Android platform in recent years has attracted the attention of malware developers. However, the permission-based model that the Android system uses to prevent the spread of malware has proven ineffective. In this paper, we propose DroidRisk, a framework for quantitative security risk assessment of both Android permissions and applications (apps) based on permission request patterns from benign apps and malware, which aims to improve the efficiency of the Android permission system. Two data sets, with 27,274 benign apps from Google Play and 1,260 Android malware samples, were used to evaluate the effectiveness of DroidRisk. The results demonstrate that DroidRisk generates a more reliable risk signal for warning of potential malicious activities than existing methods. We also show that DroidRisk can be used to alleviate the overprivilege problem and to improve user attention to the risks of Android permissions and apps.
© 2013 IFIP International Federation for Information Processing
Cite this paper
Wang, Y., Zheng, J., Sun, C., Mukkamala, S. (2013). Quantitative Security Risk Assessment of Android Permissions and Applications. In: Wang, L., Shafiq, B. (eds) Data and Applications Security and Privacy XXVII. DBSec 2013. Lecture Notes in Computer Science, vol 7964. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39256-6_15
DOI: https://doi.org/10.1007/978-3-642-39256-6_15
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39255-9
Online ISBN: 978-3-642-39256-6