Top

International Journal of Information Security

Published in:

07-01-2021 | Regular Contribution

Attention: there is an inconsistency between android permissions and application metadata!

Authors: Huseyin Alecakir, Burcu Can, Sevil Sen

Published in: International Journal of Information Security | Issue 6/2021

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Since mobile applications make our lives easier, there is a large number of mobile applications customized for our needs in the application markets. While the application markets provide us a platform for downloading applications, it is also used by malware developers in order to distribute their malicious applications. In Android, permissions are used to prevent users from installing applications that might violate the users’ privacy by raising their awareness. From the privacy and security point of view, if the functionality of applications is given in sufficient detail in their descriptions, then the requirement of requested permissions could be well-understood. This is defined as description-to-permission fidelity in the literature. In this study, we propose two novel models that address the inconsistencies between the application descriptions and the requested permissions. The proposed models are based on the current state-of-art neural architectures called attention mechanisms. Here, we aim to find the permission statement words or sentences in app descriptions by using the attention mechanism along with recurrent neural networks. The lack of such permission statements in application descriptions creates a suspicion. Hence, the proposed approach could assist in static analysis techniques in order to find suspicious apps and to prioritize apps for more resource intensive analysis techniques. The experimental results show that the proposed approach achieves high accuracy.

previous article Enabling isolation and recovery in PLC redundancy framework of metro train systems

next article Securing the controller area network with covert voltage channels

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

https://wise.cs.hacettepe.edu.tr/projects/security-risks/dataset/.

We use Porter stemmer [44].

https://www.nltk.org/.

https://github.com/bsolomon1124/demoji.

https://dynet.readthedocs.io/en/latest/tutorial.html.

The implementation will be publicly available if the paper gets accepted.

Android developer guide. https://developer.android.com/. Last accessed in May, 2019 (2019)

Camera api. https://developer.android.com/guide/topics/media/camera.html. Last accessed in May, 2019 (2019)

Dangerous permissions. https://developer.android.com/guide/topics/permissions/overview#dangerous_permissions. Last accessed in September, 2019 (2019)

Intent—android developers. https://developer.android.com/reference/android/content/Intent.html. Last accessed in May, 2019 (2019)

Permissions overview. https://developer.android.com/guide/topics/permissions/overview. Last accessed in May, 2019 (2019)

Read external storage permission. https://developer.android.com/reference/android/Manifest.permission#READ_EXTERNAL_STORAGE. Last accessed in September, 2019 (2019)

Sending simple data to other apps—android developers. https://developer.android.com/training/sharing/send.html. Last accessed in May, 2019 (2019)

Arp, D., Spreitzenbarth, M., Hübner, M., Gascon, H., Rieck, K.: Drebin: Effective and explainable detection of android malware in your pocket (2014). https://doi.org/10.14722/ndss.2014.23247

Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: Pscout: analyzing the android permission specification. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 217–228. ACM (2012)

10.

Aysan, A.I., Sakiz, F., Sen, S.: Analysis of dynamic code updating in android with security perspective. IET Inf. Secur. 13(3), 269–277 (2018)CrossRef

11.

Bahdanau, D., Cho, K., Bengio, Y.: Neural machine translation by jointly learning to align and translate (2014). arXiv:1409.0473

12.

Ban, T., Takahashi, T., Guo, S., Inoue, D., Nakao, K.: Integration of multi-modal features for android malware detection using linear svm. In: 2016 11th Asia SConference on Information Security (AsiaJCIS), pp. 141–146. IEEE (2016)

13.

Bird, S., Klein, E., Loper, E.: Natural Language Processing with Python: Analyzing Text with the Natural Language Toolkit. O’Reilly Media, Inc, Newton (2009)MATH

14.

Bojanowski, P., Grave, E., Joulin, A., Mikolov, T.: Enriching word vectors with subword information. TACL 5, 135–146 (2017)CrossRef

15.

Caira, J.R.J., Ey, T.: Heads up, app developers: Google is getting serious about privacy and data security in apps (Visited September 2020) (2020) https://www.natlawreview.com/article/heads-app-developers-google-getting-serious-about-privacy-and-data-security-apps

16.

Chawla, N.V.: Data Mining for Imbalanced Datasets: An Overview, pp. 853–867. Springer, Boston, MA (2005). https://doi.org/10.1007/0-387-25465-X_40CrossRef

17.

Cheng, X., Yan, X., Lan, Y., Guo, J.: Btm: topic modeling over short texts. IEEE Trans. Knowl. Data Eng. 26(12), 2928–2941 (2014)CrossRef

18.

Cho, K., van Merrienboer, B., Gülçehre, Ç., Bougares, F., Schwenk, H., Bengio, Y.: Learning phrase representations using RNN encoder–decoder for statistical machine translation (2014). CoRR arXiv:1406.1078

19.

Devlin, J., Chang, M.W., Lee, K., Toutanova, K.: Bert: Pre-training of deep bidirectional transformers for language understanding (2018). arXiv preprint arXiv:181004805

20.

Dong, L., Lapata, M.: Language to logical form with neural attention (2016). arXiv preprint arXiv:160101280

21.

Elman, J.: Finding structure in time. Cogn. Sci. 14(2), 179–211 (1990)CrossRef

22.

Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, ACM, New York, NY, USA, SOUPS ’12, pp. 3:1–3:14 (2012). https://doi.org/10.1145/2335356.2335360

23.

Feng, Y., Chen, L., Zheng, A., Gao, C., Zheng, Z.: Ac-net: assessing the consistency of description and permission in android apps. IEEE Access 7, 57829–57842 (2019). https://doi.org/10.1109/ACCESS.2019.2912210CrossRef

24.

Finegan-Dollak, C., Kummerfeld, J.K., Zhang, L., Ramanathan, K., Sadasivam, S., Zhang, R., Radev, D.: Improving text-to-sql evaluation methodology (2018). arXiv preprint arXiv:180609029

25.

Gabrilovich, E., Markovitch, S.: Computing semantic relatedness using wikipedia-based explicit semantic analysis. In: Proceedings of the 20th International Joint Conference on Artifical Intelligence, Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, IJCAI’07, pp. 1606–1611 (2007)

26.

Glorot, X., Bengio, Y.: Understanding the difficulty of training deep feedforward neural networks. In: AISTATS (2010)

27.

GooglePlay: Privacy, security and deception (Visited September 2020) (2020). https://play.google.com/intl/en-US/about/privacy-security-deception/

28.

Gorla, A., Tavecchia, I., Gross, F., Zeller, A.: Checking app behavior against app descriptions. In: Proceedings of the 36th International Conference on Software Engineering, ACM, New York, NY, USA, ICSE 2014, pp. 1025–1035 (2014). https://doi.org/10.1145/2568225.2568276

29.

Grave, E., Bojanowski, P., Gupta, P., Joulin, A., Mikolov, T.: Learning word vectors for 157 languages (2018)

30.

Hearst, M.A.: Support vector machines. IEEE Intell. Syst. 13(4), 18–28 (1998). https://doi.org/10.1109/5254.708428CrossRef

31.

Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Comput. 9(8), 1735–1780 (1997). https://doi.org/10.1162/neco.1997.9.8.1735CrossRef

32.

Kong, D., Cen, L., Jin, H.: Autoreb: Automatically understanding the review-to-behavior fidelity in android applications. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 530–541. ACM (2015)

33.

Li, Z., Zhang, Y., Wei, Y., Wu, Y., Yang, Q.: End-to-end adversarial memory network for cross-domain sentiment classification. In: Proceedings of the 26th International Joint Conference on Artificial Intelligence, AAAI Press, IJCAI’17, pp. 2237–2243 (2017)

34.

Martín, A., Calleja, A., Menéndez, H.D., Tapiador, J., Camacho, D.: Adroit: android malware detection using meta-information. In: 2016 IEEE Symposium Series on Computational Intelligence (SSCI), pp. 1–8 (2016). https://doi.org/10.1109/SSCI.2016.7849904

35.

McAfee: Mcafee mobile threat report. (Visited August 2019) (2019). https://www.mcafee.com/enterprise/en-us/assets/reports/rp-mobile-threat-report-2019.pdf

36.

Mikolov, T., Chen, K., Corrado, G., Dean, J.: Efficient estimation of word representations in vector space (2013). arXiv preprint arXiv:13013781

37.

Mikolov, T., Sutskever, I., Chen, K., Corrado, G.S., Dean, J.: Distributed representations of words and phrases and their compositionality. In: Burges, C.J.C., Bottou, L., Welling, M., Ghahramani, Z., Weinberger, K.Q. (eds.) Advances in Neural Information Processing Systems 26, pp. 3111–3119. Curran Associates, Inc., New York (2013)

38.

Mikolov, T., Grave, E., Bojanowski, P., Puhrsch, C., Joulin, A.: Advances in pre-training distributed word representations. In: Proceedings of the International Conference on Language Resources and Evaluation (LREC 2018) (2018)

39.

Miller, G.A.: Wordnet: a lexical database for English. Commun. ACM 38(11), 39–41 (1995). https://doi.org/10.1145/219717.219748CrossRef

40.

Nguyen, D.C., Derr, E., Backes, M., Bugiel, S.: Short text, large effect: measuring the impact of user reviews on android app security & privacy. In: Proceedings of the IEEE Symposium on Security & Privacy, May 2019. IEEE, (2019). https://publications.cispa.saarland/2815/

41.

Oberheide, J., Miller, C.: Dissecting the android bouncer. In: SummerCon2012, New York (2012)

42.

Pandita, R., Xiao, X., Yang, W., Enck, W., Xie, T.: Whyper: towards automating risk assessment of mobile applications. In: Proceedings of the 22Nd USENIX Conference on Security, USENIX Association, Berkeley, CA, USA, SEC’13, pp. 527–542 (2013)

43.

Pascanu, R., Mikolov, T., Bengio, Y.: On the difficulty of training recurrent neural networks. In: Proceedings of the 30th International Conference on International Conference on Machine Learning—vol. 28, JMLR.org, ICML’13, pp. III–1310–III–1318 (2013)

44.

Porter, M.F.: Readings in Information Retrieval, Chap An Algorithm for Suffix Stripping, pp 313–316. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA (1997)

45.

Qu, Z., Rastogi, V., Zhang, X., Chen, Y., Zhu, T., Chen, Z.: Autocog: measuring the description-to-permission fidelity in android applications. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, ACM, New York, NY, USA, CCS ’14, pp. 1354–1365 (2014) https://doi.org/10.1145/2660267.2660287

46.

Rastogi, V., Chen, Y., Jiang, X.: Droidchameleon: evaluating android anti-malware against transformation attacks. In: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security. ACM, pp. 329–334 (2013)

47.

Sen, S., Aydogan, E., Aysan, A.I.: Coevolution of mobile malware and anti-malware. IEEE Trans. Inf. Forensics Secur. 13(10), 2563–2574 (2018)CrossRef

48.

Statista: Number of apps available in leading app stores as of 2nd quarter 2019. (Visited August 2019) (2019). https://www.statista.com/statistics/276623/number-of-apps-available-in-leading-app-stores/

49.

Toivonen, H.: Apriori Algorithm, p. 60. Springer, Boston, MA (2017). https://doi.org/10.1007/978-1-4899-7687-1_27CrossRef

50.

Wang, H., Li, Y., Guo, Y., Agarwal, Y., Hong, J.I.: Understanding the purpose of permission use in mobile apps. ACM Trans. Inf. Syst. (TOIS) 35(4), 43 (2017)

51.

Wang, R., Wang, Z., Tang, B., Zhao, L., Wang, L.: Smartpi: understanding permission implications of android apps from user reviews. IEEE Trans. Mobile Comput. 19, 2933–2945 (2019) CrossRef

52.

Watanabe, T., Akiyama, M., Sakai, T., Mori, T.: Understanding the inconsistencies between text descriptions and the use of privacy-sensitive resources of mobile apps. In: Eleventh Symposium on Usable Privacy and Security (SOUPS 2015), USENIX Association, Ottawa, pp. 241–255 (2015). https://www.usenix.org/conference/soups2015/proceedings/presentation/watanabe

53.

Wu, J., Yang, M., Luo, T.: Pacs: Pemission abuse checking system for android applictions based on review mining. In: 2017 IEEE Conference on Dependable and Secure Computing, pp. 251–258 (2017). https://doi.org/10.1109/DESEC.2017.8073813

54.

Xu, K., Ba, J., Kiros, R., Cho, K., Courville, A., Salakhutdinov, R., Zemel, R., Bengio, Y.: Show, attend and tell: Neural image caption generation with visual attention (2015). arXiv:1502.03044

55.

Xue, Y., Meng, G., Liu, Y., Tan, T.H., Chen, H., Sun, J., Zhang, J.: Auditing anti-malware tools by evolving android malware and dynamic loading technique. IEEE Trans. Inf. Forensics Secur. 12(7), 1529–1544 (2017)CrossRef

56.

Yang, Z., Yang, D., Dyer, C., He, X., Smola, A., Hovy, E.: Hierarchical attention networks for document classification. In: Proceedings of the 2016 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, pp. 1480–1489 (2016)

57.

Yang, Z., Yang, D., Dyer, C., He, X., Smola, A.J., Hovy, E.H.: Hierarchical attention networks for document classification. In: HLT-NAACL (2016)

58.

Yu, L., Luo, X., Qian, C., Wang, S.: Revisiting the description-to-behavior fidelity in android applications. In: 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER), vol. 1, pp. 415–426. IEEE (2016)

59.

Yu, L., Luo, X., Qian, C., Wang, S., Leung, H.K.: Enhancing the description-to-behavior fidelity in android apps with privacy policy. IEEE Trans. Softw. Eng. 44(9), 834–854 (2017)CrossRef

60.

Yu, L., Zhang, T., Luo, X., Xue, L., Chang, H.: Toward automatically generating privacy policy for android apps. IEEE Trans. Inf. Forensics Secur. 12(4), 865–880 (2017). https://doi.org/10.1109/TIFS.2016.2639339CrossRef

61.

Zhang, M., Duan, Y., Feng, Q., Yin, H.: Towards automatic generation of security-centric descriptions for android apps. In: Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, ACM, New York, NY, USA, CCS ’15, pp. 518–529 (2015). https://doi.org/10.1145/2810103.2813669

62.

Zhou, X., Wan, X., Xiao, J.: Attention-based LSTM network for cross-lingual sentiment classification. In: Proceedings of the 2016 Conference on Empirical Methods in Natural Language Processing, Association for Computational Linguistics, Austin, TX, pp. 247–256 (2016). https://doi.org/10.18653/v1/D16-1024

Title: Attention: there is an inconsistency between android permissions and application metadata!
Authors: Huseyin Alecakir
Burcu Can
Sevil Sen
Publication date: 07-01-2021
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 6/2021
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-020-00536-1

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 6/2021

Enabling isolation and recovery in PLC redundancy framework of metro train systems

Outsourced cheating detection for secret sharing

Thresholdizing HashEdDSA: MPC to the Rescue

Web access monitoring mechanism via Android WebView for threat analysis

Securing the controller area network with covert voltage channels

Continuous improvement process (CIP)-based privacy-preserving framework for smart connected toys

Premium Partner