Enhancing Users’ Comprehension of Android Permissions Liu Yang, Nader Boushehrinejad, Pallab Roy,...

Post on 01-Apr-2015


Enhancing Users’ Comprehension of Android Permissions

Liu Yang, Nader Boushehrinejad, Pallab Roy, Vinod Ganapathy, Liviu Iftode

Department of Computer Science, Rutgers University

Android Apps

Social networking

Gaming

Entertainment

Communication

Transportation

Sports…

Online shopping

Resources on Android

App-based Permission Model: An Example

This app requests the following resources: your accounts, your locations, your messages, network communication, your personal information, phone calls, system tools, … (39 permissions in total)

App installed if user approves the request

No install if user rejects the request

Users Puzzled by Permissions

• 3% of users correctly answer three permission questions [Felt et al., SOUPS’12; Kelley et al., USEC’12]
– A lot of permissions defined (134, Android 2.2)
– Not always self-explanatory, e.g., SUBSCRIBED_FEEDS_READ, WRITE_SYNC_SETTINGS, …
• Confusion exists for developers [Felt et al., CCS’11]

Permission Misuse

[Figure: the apps com.antivirus, com.kayak.android, com.taskos, com.kakao.talk, com.myyearbook.m and com.facebook, labeled with the resources Locations, IMEI, Contacts and Phone number]

[Hornyack et al., AppFence, CCS’11]

[Lin et al., Ubicomp’12]

• Locations: 45/110 apps
• IMEI: 31/110 apps
• Contacts: 7/110 apps
• Phone#: 5/110 apps

Our Contribution

• Enhancing users’ comprehension of permissions using crowdsourcing
– Permission usage commented by app users
– Permission comments shared among users
• Designing Droidganger which provides clues of permission usage
– Record/replay + permission suppression
• Feasibility study

Architecture Overview

[Figure: several Droidganger clients send permission comments over the Internet to the Comments Processing Server (CPS), which performs permission comments aggregation and presentation]

Crowdsourcing

• Users of same apps form user communities
• Users use Droidganger to help permission understanding
• Each user reviews one permission (small task)
• More users
– more permissions covered
– more execution paths covered
– more apps covered

Intuition of Droidganger

Permission changes

Capability changes

App behavior changes

Q: Behavior changes visible or understandable?

Q: How to capture changes? A: Record/replay + permission suppression

Overview of Droidganger

Record (all permissions granted)

Replay (a permission suppressed)

Deviation Detection

User inputs permission comments

Execution trace

To Comment Processing Server

Record and Replay

• Record app execution
– non-deterministic inputs and events, e.g., keystrokes, touches/drags, etc. (saved as a trace)
– outputs, e.g., screenshots, etc.
• Replay a trace
– each time a different permission suppressed
– snapshots taken for comparison

Deviation Detection

[Figure: snapshots from the record phase and snapshots from the replay phase are fed to a difference detector; the user comments on the detected difference]

Comment Processing Server

Comments grouped by apps and permissions

Comments aggregation

Comments presented for public access

Feasibility Study

• Implementation of Droidganger
– Android 4.0 + Emulator
– Record: Intercepting KeyEvents and MotionEvents
– Compiling events to Python scripts
– Replaying scripts with Monkeyrunner
• Data Sets
– AngryBirds Rio (6 permissions)
– Antivirus (39 permissions)

Observations

Pairs of screenshots of AngryBirds

(a) Record stage (all requested permissions granted)

(b) Replay stage (INTERNET permission suppressed)

Observations (cont.)

Record (all requested permissions granted)

Replay (WRITE_SYNC_SETTINGS permission suppressed)

Observations (cont.)

Summary of observed effects with replay + permission suppression

• Meaningful: permission suppression provides helpful clues of purposes of permissions
• Crashed: app crashed due to permission suppression
• Syslog only: execution deviation was only captured by syslog
• None: no difference was observed with permission suppression
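
The difference detector and the effect categories above, sketched as an added example (not Droidganger's code and not part of the original slides). Screenshots are modelled as small grayscale grids; the names `Run`, `pixel_diff` and `classify`, the thresholds and the sample outcomes are assumptions, and "Screen deviation" stands for the cases a user would review and possibly comment on as Meaningful.

```python
# Added example, not Droidganger's code. Screenshots are modelled as small
# grayscale grids; names, thresholds and sample outcomes are assumptions.
from dataclasses import dataclass, field

@dataclass
class Run:
    screenshots: list                           # one grid (list of rows) per step
    syslog: list = field(default_factory=list)  # normalized log lines
    crashed: bool = False

def pixel_diff(a, b, tol=8):
    """Fraction of pixels whose intensity differs by more than tol."""
    if len(a) != len(b) or any(len(ra) != len(rb) for ra, rb in zip(a, b)):
        return 1.0                              # size mismatch: fully different
    total = sum(len(r) for r in a)
    changed = sum(abs(x - y) > tol for ra, rb in zip(a, b) for x, y in zip(ra, rb))
    return changed / total if total else 0.0

def classify(record, replay, min_fraction=0.05):
    """Map one replay (one permission suppressed) to an observed effect."""
    if replay.crashed:
        return "Crashed"
    if len(record.screenshots) != len(replay.screenshots):
        return "Screen deviation"               # replay diverged from the trace
    worst = max((pixel_diff(a, b) for a, b in
                 zip(record.screenshots, replay.screenshots)), default=0.0)
    if worst >= min_fraction:
        return "Screen deviation"               # shown to the user for a comment
    if set(replay.syslog) != set(record.syslog):
        return "Syslog only"
    return "None"

# Constructed sample data (not results from the study): 4x4 screens, one step.
BASE = [[200] * 4 for _ in range(4)]
ALTERED = [[200] * 4 for _ in range(3)] + [[0] * 4]    # bottom row blanked
JITTER = [[203] * 4 for _ in range(4)]                 # rendering noise only
RECORD = Run([BASE], ["app started"])
REPLAYS = {
    "INTERNET": Run([ALTERED], ["app started"]),
    "READ_PHONE_STATE": Run([], ["app started"], crashed=True),
    "ACCESS_FINE_LOCATION": Run([JITTER], ["app started", "SecurityException"]),
    "VIBRATE": Run([JITTER], ["app started"]),
}
def report():
    return {perm: classify(RECORD, run) for perm, run in REPLAYS.items()}

if __name__ == "__main__":
    for perm, effect in report().items():
        print(f"{perm:22} {effect}")
```

The tolerance and minimum changed fraction keep rendering noise from being reported as a deviation; both would need tuning against real screenshots.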

Challenges

• Network proxy: recording network traffic
• Randomness, e.g., card games, etc.
• Non-repeatable execution, e.g., online payments, etc.
• Application failure when permission suppressed
• User incentives

Comparison to Privacy as Expectations (PAE) [Lin et al., Ubicomp’12]

Goals
– PAE: capturing users’ expectations on privacy
– Our work: improving users’ comprehension of permissions

Objects
– PAE: Access to privacy related resources
– Our work: Permissions requested by apps

Techs
– PAE: Crowdsourcing, TaintDroid, New interfaces
– Our work: Crowdsourcing, Record/replay + Permission suppression

Related Work

• Information flow and permission misuse
– AppFence [Hornyack et al., CCS’11]
– TaintDroid [Enck et al., OSDI’10]
– Permission demystified [Felt et al., CCS’11]
• Privacy-preserving
– Apex [Nauman et al., AsiaCCS’10]
– MockDroid [Beresford et al., Hotmobile’11]
• Permission comprehension and attention
– [Felt et al., SOUPS’12], [Kelley et al., USEC’12]
– [Lin et al., Ubicomp’12]

Conclusion

• Crowdsourcing
– Collections of users help each other on permission understanding
• Record/replay + permission suppression:
– Changes of app behavior provide clues of permission usage
• Feasibility study
– Droidganger providing helpful clues on permission usage