DOI: 10.1145/2750858.2805833
research-article

Using text mining to infer the purpose of permission use in mobile apps

Published: 07 September 2015

ABSTRACT

Understanding why sensitive data is used could help improve privacy as well as enable new kinds of access control. In this paper, we introduce a new technique for inferring the purpose of sensitive data usage in the context of Android smartphone apps. We extract multiple kinds of features from decompiled code, focusing on app-specific features and text-based features, and use them to train a machine learning classifier. We evaluated our approach on two sensitive permissions, ACCESS_FINE_LOCATION and READ_CONTACT_LIST, and achieved accuracies of about 85% and 94% respectively in inferring purposes. We also found that text-based features alone are highly effective in inferring purposes.


Published in

UbiComp '15: Proceedings of the 2015 ACM International Joint Conference on Pervasive and Ubiquitous Computing
September 2015
1302 pages
ISBN: 9781450335744
DOI: 10.1145/2750858

Copyright © 2015 ACM


Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

UbiComp '15 paper acceptance rate: 101 of 394 submissions (26%). Overall acceptance rate: 764 of 2,912 submissions (26%).
