Measuring and Characterizing (mis)compliance of the Android permission system

Date
2023-06-02
Author
Barzolevskaia, Anna
ORCID
0009-0002-9026-4140
Type
Thesis
Degree Level
Masters
Abstract
Within the Android mobile operating system, Android permissions act as a system of safeguards designed to restrict access to potentially sensitive data and privileged components. Multiple research studies indicate flaws and limitations of the Android permission system, prompting Google to implement a more regulated and fine-grained permission model. In spite of its newly introduced complexity, misgranted permissions continue to present a significant risk to users.
We present research on theoretical and practical misuse of permissions using our methodology that leverages unified permissions and call mappings. To guide the automated evaluation of permission use and compliance in Android apps, we develop PChecker, a tool that reports permissions requested by and granted to Android devices.
We evaluate four versions of the Android Open Source Project code (major versions 10 to 13) and shed light on the prevalence of discrepancies between the official Android guidelines for permissions and their implementation in the Android platform source code. We use PChecker to analyze the permission use of 3,681 Android apps, showing the common prevalence and occasional severity of non-compliance in real-world scenarios.
Degree
Master of Science (M.Sc.)
Department
Computer Science
Program
Computer Science
Supervisor
Stakhanova, Natalia
Committee
Dutchyn, Chris; Rochan, Mrigank
Copyright Date
2023
Subject
Android
documentation
applications
permissions
non-SDK restriction lists
security