Master Thesis Defense - December 11, 2018: On Understanding Permission Usage Contextuality of Android Apps
Md Zakir Hossen
Tuesday, December 11, 2018 at 1:00 p.m.
You are invited to attend the following M.A.Sc. (Information Systems Security) thesis examination.
Dr. W. Lucia, Chair
Dr. M. Mannan, Supervisor
Dr. A. Youssef, CIISE Examiner
Dr. E. Shihab, External Examiner (CSE)
In the runtime permission model, the context in which a permission is first requested or used may change later without the user’s knowledge. Prior research identifies user dissatisfaction with varying contexts of permission use in the install-time permission model. However, the contextual use of permissions by apps that are developed or adapted for the runtime permission model has not been studied. Our goal is to understand how permissions are requested and used in different contexts in the runtime permission model, and to compare them to identify potential abuse. We present ContextDroid, a static analysis tool to identify the contexts of permission request and use. Using this tool, we analyze 38,838 apps (from a set of 62,340 apps) from the Google Play Store. We devise a mechanism, following the best practices and permission policy enforcement by Google, to flag apps for using permissions in potentially unexpected contexts. We flag 30% of apps for using permissions in multiple and dissimilar contexts. Comparison with VirusTotal shows that non-contextual use of permissions can be linked to unwanted/malicious behaviour. We find that most apps don’t show any rationale if the users previously denied a permission. Furthermore, 13% of apps show behavior similar to the install-time permission model by requesting all dangerous permissions when the app is first launched. We hope this thesis will bring attention to non-contextual permission usage in the runtime model, and may spur research into finer-grained permission control.