Android permissions demystified

@inproceedings{Felt2011AndroidPD,
  title={Android permissions demystified},
  author={Adrienne Porter Felt and Erika Chin and Steve Hanna and Dawn Xiaodong Song and David A. Wagner},
  booktitle={CCS '11},
  year={2011}
}
Android provides third-party applications with an extensive API that includes access to phone hardware, settings, and user data. Access to privacy- and security-relevant parts of the API is controlled with an install-time application permission system. We study Android applications to determine whether Android developers follow least privilege with their permission requests. We built Stowaway, a tool that detects overprivilege in compiled Android applications. Stowaway determines the set of API… 
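The core of the Stowaway check described above is a set comparison: the permissions an app declares in its manifest versus the permissions implied by the framework API calls found in its bytecode, resolved through an API-to-permission map. The following is an added example written for this page, not Stowaway's own code; the six-entry map, the manifest, the call list and the names `audit` and `PermissionReport` are constructed for illustration, and the real map has thousands of entries.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed toy fragment of an API -> permission map (the real one, built by
# Stowaway through API testing and later by PScout through static analysis of
# the framework, is far larger).  Each API maps to a tuple of alternatives: the
# call is authorized if the app holds every permission in at least one of them.
API_PERMISSION_MAP: dict[str, tuple[frozenset[str], ...]] = {
    "android.telephony.TelephonyManager.getDeviceId": (
        frozenset({"android.permission.READ_PHONE_STATE"}),
    ),
    "android.location.LocationManager.getLastKnownLocation": (
        frozenset({"android.permission.ACCESS_FINE_LOCATION"}),
        frozenset({"android.permission.ACCESS_COARSE_LOCATION"}),
    ),
    "android.hardware.Camera.open": (frozenset({"android.permission.CAMERA"}),),
    "java.net.Socket.<init>": (frozenset({"android.permission.INTERNET"}),),
    "android.os.PowerManager$WakeLock.acquire": (
        frozenset({"android.permission.WAKE_LOCK"}),
    ),
    "android.net.ConnectivityManager.getActiveNetworkInfo": (
        frozenset({"android.permission.ACCESS_NETWORK_STATE"}),
    ),
}


@dataclass
class PermissionReport:
    declared: set[str]
    overprivileged: set[str]       # declared, but no observed API call requires them
    underprivileged: dict[str, tuple[frozenset[str], ...]]  # call -> unmet alternatives
    unknown_declared: set[str]     # declared but absent from the map: cannot be judged
    unmapped_calls: set[str]       # invoked but absent from the map: a coverage gap


def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission android:name="..."/> entries from a manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def audit(manifest_xml: str, invoked_apis: set[str],
          api_map: dict[str, tuple[frozenset[str], ...]] = API_PERMISSION_MAP) -> PermissionReport:
    """Compare declared permissions with those implied by the observed API calls."""
    declared = declared_permissions(manifest_xml)
    known = {p for alts in api_map.values() for alt in alts for p in alt}
    justified: set[str] = set()
    under: dict[str, tuple[frozenset[str], ...]] = {}
    unmapped: set[str] = set()
    for api in invoked_apis:
        alternatives = api_map.get(api)
        if alternatives is None:
            unmapped.add(api)  # app-internal code, reflection target, or map gap
            continue
        justified.update(p for alt in alternatives for p in alt)
        if not any(alt <= declared for alt in alternatives):
            under[api] = alternatives  # would raise SecurityException at runtime
    return PermissionReport(
        declared=declared,
        overprivileged=(declared - justified) & known,
        underprivileged=under,
        unknown_declared=declared - known,
        unmapped_calls=unmapped,
    )


# Constructed sample manifest and call set; in practice the calls come from
# disassembling classes.dex and collecting every invoked framework method.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
</manifest>
"""

SAMPLE_CALLS = {
    "android.telephony.TelephonyManager.getDeviceId",
    "java.net.Socket.<init>",
    "android.location.LocationManager.getLastKnownLocation",
    "android.net.ConnectivityManager.getActiveNetworkInfo",
    "com.example.app.Util.helper",  # the app's own method, not in the map
}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, SAMPLE_CALLS)
    print("overprivileged:", sorted(report.overprivileged))
    print("underprivileged:", {k: [sorted(a) for a in v] for k, v in report.underprivileged.items()})
    print("unknown declared:", sorted(report.unknown_declared))
    print("unmapped calls:", sorted(report.unmapped_calls))
```

Two details matter in practice. CAMERA and WAKE_LOCK are reported as overprivileged because no observed call needs them, while ACCESS_COARSE_LOCATION is not, since it satisfies one alternative for getLastKnownLocation. Permissions the map does not mention and calls the map does not cover are reported separately rather than folded into either verdict, because reflection, Intents and content-provider access can require permissions without a direct API call in the bytecode, which is exactly the imprecision the paper discusses.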
Tracking Security Model in Android Application
TLDR
This paper introduces tracking and monitoring of the malicious activity of apps installed by the user, even from the Play Store, using a trusted permission-based security model.
PScout: analyzing the Android permission specification
TLDR
An analysis of the permission system of the Android smartphone OS is performed and it is found that a trade-off exists between enabling least-privilege security with fine-grained permissions and maintaining stability of the permissions specification as the Android OS evolves.
AppGuard — Real-time policy enforcement for third-party applications
TLDR
This work presents an inline reference monitor system that extends Android’s permission system to impede overly curious behaviors; it supports complex policies, and mitigates vulnerabilities of third-party apps and the OS.
NatiDroid: Cross-Language Android Permission Specification
TLDR
A prototype system constructs the protection mapping for the native libraries of the Android framework, yielding a more complete and accurate specification of Android API protection, and identifies 24 components with at least one native-triggered component hijacking vulnerability.
Enforcing Least Privilege with Android Permissions in Mobile App Development
TLDR
PermitMe is proposed, which is a tool built as a plugin for the Eclipse IDE for static analysis on Android applications that enforces “least privilege” by providing feedback to developers on missing or extraneous Android permissions.
Permlyzer: Analyzing permission usage in Android applications
TLDR
This evaluation using 51 malware/spyware families and over 110,000 Android applications demonstrates that Permlyzer can provide detailed permission use analysis and discover the characteristics of the permission uses in both benign and malicious applications.
Permission evolution in the Android ecosystem
TLDR
It is stated that the Android ecosystem is not becoming more secure from the user's point of view and the need to revisit the practices and policies of the ecosystem is suggested.
Android App Security Analysis
TLDR
Almost 30% of the apps examined were overprivileged, meaning their manifest files declared more permissions than their source code referenced, which could give malicious software an opening to exploit.
Android Security via Static Analysis Techniques
TLDR
A new benchmark app set for comparing and contrasting Android malware detection strategies and an extension to the Android permission mechanism, Flow Permissions, to provide visibility into the holistic behavior of the applications installed on a user’s phone.
PERMITME: integrating android permissioning support in the IDE
TLDR
PermitMe is presented, a tool developed as a plugin for the Eclipse IDE, to interactively guide developers on the set of required permissions when creating Android applications to enhance the developer's experience when deciding to include Android permissions in their mobile applications.

References

Showing 1-10 of 31 references
Curbing Android Permission Creep
TLDR
A tool developed to assist developers in applying least privilege is described, and it is shown that existing developer APIs make it difficult for developers to align their permission requests with application functionality.
The Effectiveness of Application Permissions
TLDR
The results indicate that application permissions can have a positive impact on system security when applications' permission requirements are declared up-front by the developer, but can be improved.
Analyzing inter-application communication in Android
TLDR
This work examines Android application interaction and identifies security risks in application components and provides a tool, ComDroid, that detects application communication vulnerabilities and found 34 exploitable vulnerabilities.
On lightweight mobile phone application certification
TLDR
The Kirin security service for Android is proposed, which performs lightweight certification of applications to mitigate malware at install time and indicates that security configuration bundled with Android applications provides practical means of detecting malware.
A Study of Android Application Security
TLDR
A horizontal study of popular free Android applications uncovered pervasive use/misuse of personal/phone identifiers, and deep penetration of advertising and analytics networks, but did not find evidence of malware or exploitable vulnerabilities in the studied applications.
Android permissions: user attention, comprehension, and behavior
TLDR
It is found that current Android permission warnings do not help most users make correct security decisions, however, a notable minority of users demonstrated both awareness of permission warnings and reasonable rates of comprehension.
Taming reflection: Aiding static analysis in the presence of reflection and custom class loaders
TLDR
For the first time, TamiFlex enables sound static whole-program analyses on DaCapo and significantly improves code coverage of the static analyses, while for the former the approach even appears complete: the inserted runtime checks issue no warning.
A methodology for empirical analysis of permission-based security models and its application to android
TLDR
This work presents a methodology for the empirical analysis of permission-based security models which makes novel use of the Self-Organizing Map (SOM) algorithm of Kohonen (2001) and offers some discussion identifying potential points of improvement for the Android permission model.
Reflection Analysis for Java
TLDR
A static analysis algorithm is proposed that uses points-to information to approximate the targets of reflective calls as part of call graph construction and is effective for resolving most reflective calls without any user input.
JCrasher: an automatic robustness tester for Java
TLDR
JCrasher attempts to detect bugs by causing the program under test to ‘crash’, that is, to throw an undeclared runtime exception, to test the behavior of public methods under random data.