Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enhancing Users’ Comprehension of Android Permissions Liu Yang, Nader Boushehrinejad, Pallab Roy, Vinod Ganapathy, Liviu Iftode Department of Computer.

Published byJavier Crissey Modified over 9 years ago

Similar presentations

Presentation on theme: "Enhancing Users’ Comprehension of Android Permissions Liu Yang, Nader Boushehrinejad, Pallab Roy, Vinod Ganapathy, Liviu Iftode Department of Computer."— Presentation transcript:

1 Enhancing Users’ Comprehension of Android Permissions Liu Yang, Nader Boushehrinejad, Pallab Roy, Vinod Ganapathy, Liviu Iftode Department of Computer Science Rutgers University

2 Android Apps Social networking Gaming Entertainment Communication Transportation Sports … Online shopping

3 Resources on Android

4 App-based Permission Model: An Example This app requests the following resources: Your accounts, your locations, your messages, network communication, your personal information, phone calls, system tools, … (39 permission in total) App installed if user approves the request No install if user rejects the request

5 Users Puzzled by Permissions 3% of users correctly answer three permission questions [ Felt. et al. SOUPS’12, Kelly et al., USEC’12 ] – A lot of permissions defined (134, Android 2.2) – Not always self-explanatory, e.g., SUBSCRIBED_FEEDS_READ, WRITE_SYN_SETTINGS, … Confusion exists for developers [Felt et al. CCS’11]

6 Permission Misuse Locations IMEI Contacts IMEI Phone number com.antiviruscom.kayak.androidcom.taskoscom.kakao.talkcom.myyearbook.m [Hornyack et al., AppFence, CCS’11] [Lin et al., Ubicom’12] Locations: 45/110 apps IMEI: 31/110 apps Contacts: 7/110 apps Phone#: 5/110 apps com.facebook Contacts

7 Our Contribution Enhancing users’ comprehension of permissions using crowdsourcing – Permission usage commented by app users – Permission comments shared among users Designing Droidganger which provides clues of permission usage – Record/replay + permission suppression Feasibility study

8 Architecture Overview Permission comments Comments Processing Server (CPS) Droidganger Permission comments aggregation and presentation Internet

9 Crowdsourcing Users of same apps form user communities Users use Droidganger to help permission understanding Each user reviews one permission (small task) More users – more permissions covered – more execution paths covered – more apps covered

10 Intuition of Droidganger Permission changes Capability changes App behavior changes Q: Behavior changes visible or understandable? Q: How to capture changes? A: Record/replay + permission suppression

11 Overview of Droidganger Record (all permissions granted) Replay (a permission suppressed) Deviation Detection User inputs permission comments Execution trace To Comment Processing Server

12 Record and Replay Record app execution – non-deterministic inputs and events, e.g., keystrokes, touches/drags, etc. (saved as a trace) – outputs, e.g., screenshots, etc. Replay a trace – each time a different permission suppressed – snapshots taken for comparison

13 Deviation Detection Snapshots Record phaseReplay phase Difference detector User comments on detected difference

14 Comment Processing Server Comments grouped by apps and permissions Comments aggregation Comments presented for pubic access

15 Feasibility Study Implementation of Droidganger – Android 4.0 + Emulator – Record: Intercepting KeyEvents and MotionEvents – Compiling events to Python scripts – Replaying scripts with Monkeyrunner Data Sets – AngryBirds Rio (6 permissions) – Antivirus (39 permissions)

16 Observations Pairs of screenshots of AngryBirds (a) Record stage (all requested permissions granted) (b) Replay stage (INTERNET permission suppressed)

17 Observations (cont.) RecordReplay (all requested permissions granted) WRITE_SYNC _SETTINGS permission suppressed

18 Observations (cont.) Summary of observed effects with replay + permission suppression Meaningful: permission suppression provides helpful clues of purposes of permissions Crashed: app crashed due to permission suppression Syslog only: execution deviation was only captured by syslog None: no difference was observed with permission suppression

19 Challenges Network proxy: recording network traffic Randomness, e.g., card games, etc. Non-repeatable execution, e.g., online payments, etc. Application failure when permission suppressed User incentives

20 Comparison to Privacy as Expectations (PAE) [ Lin et al., Ubicomp’12 ] capturing users’ expectations on privacy PAE Our work Goals: improving users’ comprehension of permissions Objects: Access to privacy related resources Permissions requested by apps Techs: Crowdsourcing TaintDroid New interfaces Crowdsourcing Record/replay + Permission suppression

21 Related Work Information flow and permission misuse – AppFence [Hornyack et al., CCS’11] – TaintDroid [Enck et al., OSDI’10] – Permission demystified [Felt et al., CCS’11] Privacy-preserving – Apex [Nauman et al., AsiaCCS’10] – MockDroid [Beresford et al., Hotmobile’11] Permission comprehension and attention – [Felt et al., SOUPS’12], [Kelley et al., USEC’12] – [Lin et al., Ubicom’12]

22 Conclusion Crowdsourcing – Collections of users help each other on permission understanding Record/replay + permission suppression: – Changes of app behavior provide clues of permission usage Feasibility study – Droidganger providing helpful clues on permission usage

Download ppt "Enhancing Users’ Comprehension of Android Permissions Liu Yang, Nader Boushehrinejad, Pallab Roy, Vinod Ganapathy, Liviu Iftode Department of Computer."

Similar presentations

X platform A solution making PLM better. Outline Mobile trend and app market rising Looking for my data at any time Making a decision everywhere A easy.

X platform A solution making PLM better. Outline Mobile trend and app market rising Looking for my data at any time Making a decision everywhere A easy.
1 Linked In and Networking Debra Kurtz Vice President, HBA Chicago Chapter Founder and President Kurtz Consulting Inc.

1 Linked In and Networking Debra Kurtz Vice President, HBA Chicago Chapter Founder and President Kurtz Consulting Inc.
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Slide 1 FastFacts Feature Presentation September 6, 2012 To dial in, use this phone number and participant code… Phone number: 888-651-5908 Participant.

Slide 1 FastFacts Feature Presentation September 6, 2012 To dial in, use this phone number and participant code… Phone number: Participant.
2006 Adobe Systems Incorporated. All Rights Reserved. 1 End-user programming and Flash Jen deHaan Sr. Technical Writer April 23 rd 2006.

2006 Adobe Systems Incorporated. All Rights Reserved. 1 End-user programming and Flash Jen deHaan Sr. Technical Writer April 23 rd 2006.
Use cases for implementation of the NSI interface Takahiro Miyamoto, Nobutaka Matsumoto KDDI R&D Laboratories Inc. This work is partially supported by.

Use cases for implementation of the NSI interface Takahiro Miyamoto, Nobutaka Matsumoto KDDI R&D Laboratories Inc. This work is partially supported by.
1 Introducing the Specifications of the Metro Ethernet Forum.

1 Introducing the Specifications of the Metro Ethernet Forum.
PEREGRINE: Efficient Deterministic Multithreading through Schedule Relaxation Heming Cui, Jingyue Wu, John Gallagher, Huayang Guo, Junfeng Yang Software.

PEREGRINE: Efficient Deterministic Multithreading through Schedule Relaxation Heming Cui, Jingyue Wu, John Gallagher, Huayang Guo, Junfeng Yang Software.
SysAid IT 8.5.

SysAid IT 8.5.
University of Kansas Dr. Joseph B. Evans Dr. Daniel Deavours Leon S. Searl Information & Telecommunication Technology Center Bluetooth Interoperability.

University of Kansas Dr. Joseph B. Evans Dr. Daniel Deavours Leon S. Searl Information & Telecommunication Technology Center Bluetooth Interoperability.
Distributed System Services Prepared By:- Monika Patel.

Distributed System Services Prepared By:- Monika Patel.
Web Services for an Intelligent Tutoring System that Operates as a Virtual Reality Game Maria Virvou, George Katsionis Department of Informatics University.

Web Services for an Intelligent Tutoring System that Operates as a Virtual Reality Game Maria Virvou, George Katsionis Department of Informatics University.
NM Statewide Traffic Records System Ignition Interlock Data Analysis Application System Project Certification Overview Prepared by: NM-DOT Traffic Safety.

NM Statewide Traffic Records System Ignition Interlock Data Analysis Application System Project Certification Overview Prepared by: NM-DOT Traffic Safety.
Database System Concepts and Architecture

Database System Concepts and Architecture
© 2011 Peter Hornyack These Aren’t the Droids You’re Looking For Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall Retrofitting.

© 2011 Peter Hornyack These Aren’t the Droids You’re Looking For Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall Retrofitting.
Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.

Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.
Global States.

Global States.
THESE AREN’T THE DROIDS YOU’RE LOOKING FOR Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall Retrofitting Android to Protect.

THESE AREN’T THE DROIDS YOU’RE LOOKING FOR Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall Retrofitting Android to Protect.
Principles of Engineering System Design Dr T Asokan

Principles of Engineering System Design Dr T Asokan
Trnsport Test Suite Project Tony Compton, Texas DOT Charles Engelke, Info Tech.

Trnsport Test Suite Project Tony Compton, Texas DOT Charles Engelke, Info Tech.

Similar presentations

Ads by Google