Short paper. DOI: 10.1145/3098243.3098266

There are many apps for that: quantifying the availability of privacy-preserving apps

Published: 18 July 2017

Abstract

The adage "there's an app for that" holds true in modern app stores. Indeed, app stores usually go further and provide multiple apps with very similar functionality; examples range from flashlight apps to alarm clocks. We call these functionally-similar apps. When searching for these apps, users are often presented with a vast array of choices, but no distinction is made in the user interface to highlight the relative privacy risks inherent in choosing one app over another. Yet the availability of many functionally-similar apps raises the question of whether some apps are significantly less invasive than others. In this paper, we take several steps toward answering this question. We begin by enumerating 2 500 groups of functionally-similar apps in the Google Play Store. Within groups of apps, we use static analysis to understand the real-world risks coming from apps with aggressive permission usage. By leveraging an established ranking system, and combining it with real-world data from over 28 000 Android devices, we quantify the improvements that can be made if users installed apps with privacy in mind. We observe that at least 25.6% of apps contain libraries that gratuitously exploit available permissions and find that 43.5% of apps could be swapped for comparable alternatives that require fewer permissions. Permissions saved may deliver important privacy and security improvements, including preventing access to the calendar (in 24% of cases), sending text messages (12%) and recording audio (8%). This is particularly important for apps which embed third-party libraries, since library code executes with the same permissions as the app itself.


Published In

WiSec '17: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks
July 2017
297 pages
ISBN:9781450350846
DOI:10.1145/3098243

Publisher

Association for Computing Machinery

New York, NY, United States

Funding Sources

  • Google Focused Research Award
  • Boeing Company
  • EPSRC
  • Rhodes Scholarship

Conference

WiSec '17

Acceptance Rates

Overall Acceptance Rate 98 of 338 submissions, 29%
