Lessig Was Right: Influences on Android Permissions

Abstract

Individuals in the mobile ecosystem can putatively protect their privacy with the use of permissions. This requires that mobile device owners understand permissions and their privacy implications. Research has found that neither users nor app developers have a well-grounded understanding of the interactions between permissions and privacy. We examine 4,623 Android Application Packages (APK) on the Google Play Store to determine what impinges on permissions in practice. We compare popularity, category, data protection regime, and privacy law across three application categories (Game Age 5, Social, and Lifestyle) in three countries (US, South Korea, and Germany) to evaluate influencing factors. We utilized the Android parsing package "Androguard" to extract permissions data from the APK files. We then generated permission trends for both "normal" and "dangerous" run-time permissions to identify differences across the three countries. We implemented an ANOVA test to discover which underlying factors appear to influence Android application permissions usage. We conclude that apps increase permissions requested over time; however, the use of dangerous permissions decreases monotonically. We conclude that the Google Play Store policy changes that are aligned with the General Data Protection Regulation have had an impact on American, Korean, and German apps. The trends in mobile gaming in South Korea support an argument for the importance of social trends in app permissions. Code maturity may also play a role, as the age of the application was significant. We found evidence for governance from changes in law, social norms, and the architecture of the Play Store in the Android app market.
Jonathan Schubauer, Cyber Security Risk Management M.S. • David Argast, Secure Computing M.S.
• L. Jean Camp, Faculty Advisor
Indiana University School of Informatics, Computing, and Engineering & Cybersecurity, Bloomington, Indiana
Application Permission Trends Over Time (2012-2017)
Our Process
Our efforts were focused on the top 540 Android
applications in each of three application categories
(Social, Lifestyle, Games Ages 5 & Under) and three
countries (United States, Germany and South Korea)
on the Google Play Store as of November, 2017.
Findings
Google Rank and File Size have no correlation to permission count.
Location and Application Category have a significant influence on Android permissions.
Application permission counts grow over time, with social applications growing the quickest.
The use of dangerous permissions decreases monotonically due to privacy legislation.
Conclusions
We conclude that apps increase the permissions
requested over time; however, the use of dangerous
permissions decreases monotonically. We conclude
that the Google Play Store policy changes that are
aligned with the General Data Protection Regulation
have had an impact on American and Korean as well
as German apps. The trends in mobile gaming in
Korea support an argument for the importance of
social trends in app permissions. Code maturity may
also play a role, as the age of the application was
significant. We found evidence for governance by the
law, social norms, and the architecture of the Play
Store in the app market.
[Figure: Application Permission Trends, 1/1/12 to 7/1/17. Apps plotted: (Game) Angry Birds, Candy Crush, Fruit Ninja; (Lifestyle) Tinder, Poing, Starbucks; (Social) Badoo, Snapchat, Facebook.]
[Figure: Application Permissions (Dangerous) Over Time, 1/1/12 to 7/1/17. Same nine apps.]
IT Privacy Legislation (2011-2018)
Network Act (SK) - July
EC Proposes EU Data Protection Reform
Official Draft of GDPR Published - January
Personal Information Protection Act (PIPA) (SK) Enacted - March
PIPA Amendment Act No. 11690 - March
Asia-Pacific Economic Cooperation endorses Privacy Framework - September
Organization for Economic Co-operation and Development Revises Privacy Principles
Location Information Act Amended
European Parliament Adopts Several Proposed Amendments of the GDPR - May
Electronic Communications Privacy Act Amendments Act (S.356) - February
FCC published the final rule on its new "Net Neutrality" regulations (Open Internet Order) - April
Cloud Computing Act - September
EU Declares U.S. Safe Harbor Laws Invalid - October
Privacy Act of 1974 Amended (2015 Edition) - November
Judicial Redress Act enacted - February
GDPR Regulation published in EU Official Journal - May
Google Play revises Application Guidelines - June
Google Play Updates Privacy and Security Policies and User Generated Content - July
FCC Releases Rules to Protect Broadband Consumer Privacy - November
Standard Data Protection Model - November
Council of EU confirms agreement of GDPR terms - December
German Data Protection Amendment Act (GDPAA) Published in Federal Law Gazette - July
EU-U.S. Privacy Shield adopted - November
Privacy & Data Security Update - January
FTC updates COPPA Compliance Plan for Business - June
Google Play revises Application Guidelines - June
General Data Protection Regulation Effective - May
Android Permissions
Individuals in the mobile ecosystem can putatively
protect their privacy with the use of permissions.
This requires that mobile device owners
understand permissions and their privacy
implications. Research has consistently found
that neither users nor even app developers have
a well-grounded understanding of the interaction
of permissions and privacy. Given this repeatedly
validated result, we ask what impinges
permissions in practice? To answer this question
we performed statistical analysis on 4623 Android
Application Packages (APK) on the Google Play
Store against a variety of externalities.
We find that, in general, application permission counts increase over time. As shown, Social applications
grow in permission count much more quickly than Lifestyle and Game applications. Game application
permission counts, on the other hand, often remain static. This permission growth can likely be attributed to
an increase in features over time.
We provide a time series analysis of dangerous permission usage in three countries in the regulatory
environment. In our findings, we observe that the use of dangerous permissions decreases
monotonically as data protection and privacy regulatory standards increase over time.
Strava Heatmap
The fitness tracking company Strava released more than 27 million users’ jogging,
running, and walking patterns. Over 12 billion GPS data points of exercise enthusiasts are
clearly identifiable. Strava is just one perfect example of how failure to implement
adequate privacy settings mixed together with negligent security practice can cause
unintended consequences at the national security level.
Turkish Patrol to the north of the Syrian city of Manbij (syria.liveuamap.com)
Among other things, Strava data has made previously confidential information such as
patrol routes and military bases public.
Acknowledgments
We would like to acknowledge the assistance of Dr.
Samir Patil who provided valuable feedback, as well as
Kenneth Bikoff who provided critical editing
contributions and Yonjae Lee who provided regional
policy insight.
Statistical analysis was then performed to determine
whether or not Android Permissions are influenced by
external variables such as location, age, popularity,
category and IT privacy legislation.
With the use of third-party tools such
as apkpure and apkmirror, raw
Android Package (APK) files were
collected and parsed to extract
permission information.
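
The permission-counting and ANOVA steps described above, as an added Python example that is not the authors' code. It assumes the manifest has already been decoded to text XML (the poster used Androguard for that step), a fixed Android 6.0 (API 23) list of dangerous permissions, and a one-way ANOVA; the function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
P = "android.permission."
PLATFORM = (P, "com.android.voicemail.permission.")
# Assumption: dangerous run-time permissions as listed for Android 6.0 (API 23).
DANGEROUS = {
    "READ_CALENDAR", "WRITE_CALENDAR", "CAMERA", "READ_CONTACTS", "WRITE_CONTACTS",
    "GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "RECORD_AUDIO",
    "READ_PHONE_STATE", "CALL_PHONE", "READ_CALL_LOG", "WRITE_CALL_LOG", "USE_SIP",
    "ADD_VOICEMAIL", "PROCESS_OUTGOING_CALLS", "BODY_SENSORS", "SEND_SMS", "READ_SMS",
    "RECEIVE_SMS", "RECEIVE_WAP_PUSH", "RECEIVE_MMS", "READ_EXTERNAL_STORAGE",
    "WRITE_EXTERNAL_STORAGE",
}

def permissions(manifest_xml):
    """Set of permission names requested in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {e.get(NAME) for t in tags for e in root.iter(t) if e.get(NAME)}

def is_dangerous(name):
    """True only for platform permissions on the list; custom ones never match."""
    return any(name.startswith(p) and name[len(p):] in DANGEROUS for p in PLATFORM)

def trend(releases):
    """{release date: manifest} -> [(date, total, dangerous)] in date order."""
    sets = {d: permissions(releases[d]) for d in sorted(releases)}
    return [(d, len(s), sum(map(is_dangerous, s))) for d, s in sets.items()]

def anova_f(groups):
    """One-way ANOVA F statistic for groups of per-app permission counts."""
    n, k = sum(map(len, groups)), len(groups)
    grand = sum(map(sum, groups)) / n
    between = sum(len(g) * (sum(g) / len(g) - grand) ** 2 for g in groups)
    within = sum((x - sum(g) / len(g)) ** 2 for g in groups for x in g)
    return (between / (k - 1)) / (within / (n - k))

def sample(*names):  # builds a constructed manifest, not a real app's
    uses = "".join('<uses-permission android:name="%s"/>' % n for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            + uses + "</manifest>")

# Constructed releases of a hypothetical app (not data from the poster).
RELEASES = {
    "2013-01-01": sample(P + "READ_CONTACTS", P + "ACCESS_FINE_LOCATION"),
    "2015-01-01": sample(P + "INTERNET", P + "VIBRATE", P + "ACCESS_FINE_LOCATION"),
    "2017-01-01": sample(P + "INTERNET", P + "VIBRATE", P + "WAKE_LOCK", "com.example.READ_CONTACTS"),
}
```

The last release requests a custom permission whose name ends in READ_CONTACTS; matching on the platform prefix keeps it out of the dangerous count, which suffix matching would get wrong.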