DOI: 10.1145/2660267.2660287
Research article

AutoCog: Measuring the Description-to-permission Fidelity in Android Applications

Published: 03 November 2014

ABSTRACT

The booming popularity of smartphones is partly a result of application markets where users can easily download a wide range of third-party applications. However, because of the open nature of these markets, especially on Android, these applications have raised several privacy and security concerns. On Google Play, as on most other markets, users have direct access to natural-language descriptions of applications, which give an intuitive idea of their functionality, including security-related information. Google Play also lists the permissions an application requests in order to access security- and privacy-sensitive APIs on the device, and users may use that list to evaluate the risk of installing the application. To best assist end users, a description should reflect the application's need for its permissions, a property we term description-to-permission fidelity. In this paper, we present AutoCog, a system that automatically assesses the description-to-permission fidelity of applications. AutoCog employs state-of-the-art techniques in natural language processing together with our own learning-based algorithm to relate descriptions to permissions. In our evaluation, AutoCog outperforms related work by a large margin, both in detection performance and in its ability to generalize across permissions. On an evaluation of eleven permissions, we achieve an average precision of 92.6% and an average recall of 92.0%. Our large-scale measurements over 45,811 applications demonstrate the severity of the problem of low description-to-permission fidelity. AutoCog helps bridge the long-standing usability gap between security techniques and average users.


Published in: CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, November 2014, 1592 pages. ISBN: 9781450329576. DOI: 10.1145/2660267.

      Copyright © 2014 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: CCS '14 paper acceptance rate 114 of 585 submissions (19%); overall acceptance rate 1,261 of 6,999 submissions (18%).
