Concordia University

http://www.concordia.ca/content/shared/en/news/encs/info-systems-eng/defences/2018/12/11/understanding-permission-usage-contextuality-android-apps.html


Master Thesis Defense - December 11, 2018: On Understanding Permission Usage Contextuality of Android Apps

December 4, 2018

 

Md Zakir Hossen

Tuesday, December 11, 2018 at 1:00 p.m.
Room EV011.119

You are invited to attend the following M.A.Sc. (Information Systems Security) thesis examination.

Examining Committee

Dr. W. Lucia, Chair
Dr. M. Mannan, Supervisor
Dr. A. Youssef, CIISE Examiner
Dr. E. Shihab, External Examiner (CSE)

 

Abstract

In the runtime permission model, the context in which a permission is requested/used the first time may change later without the user’s knowledge. Prior research identifies user dissatisfaction with varying contexts of permission use in the install-time permission model. However, the contextual use of permissions by the apps that are developed/adapted for the runtime permission model has not been studied. Our goal is to understand how permissions are requested and used in different contexts in the runtime permission model, and compare them to identify potential abuse. We present ContextDroid, a static analysis tool to identify the contexts of permission request and use. Using this tool, we analyze 38,838 apps (from a set of 62,340 apps) from the Google Play Store. We devise a mechanism following the best practices and permission policy enforcement by Google to flag apps for using permissions in potentially unexpected contexts. We flag 30% of apps for using permissions in multiple and dissimilar contexts. Comparison with VirusTotal shows that non-contextual use of permissions can be linked to unwanted/malicious behaviour. We find that most apps don’t show any rationale if the users previously denied a permission. Furthermore, 13% of apps show behavior similar to the install-time permission model by requesting all dangerous permissions when the app is first launched. We hope this thesis will bring attention to non-contextual permission usage in the runtime model, and may spur research into finer-grained permission control.



