All content in this area was uploaded by Jonathan Schubauer on Mar 06, 2018
Jonathan Schubauer, Cyber Security Risk Management M.S. • David Argast, Secure Computing M.S. • L. Jean Camp, Faculty Advisor
Indiana University School of Informatics, Computing, and Engineering & Cybersecurity, Bloomington, Indiana
Lessig Was Right: Influences on Android Permissions
Application Permission Trends Over Time (2012-2017)
Our Process
Our efforts were focused on the top 540 Android
applications in each of three application categories
(Social, Lifestyle, Games Ages 5 & Under) and three
countries (United States, Germany and South Korea)
on the Google Play Store as of November, 2017.
Findings
• Google Rank & File Size have no correlation to permission count.
• Location and Application Category have significant influences on Android permissions.
• Application permission counts grow over time, with social applications growing the quickest.
• The use of dangerous permissions decreases monotonically due to privacy legislation.
Conclusions
We conclude that apps increase the permissions
requested over time; however, the use of dangerous
permissions decreases monotonically. We conclude
that the Google Play Store policy changes that are
aligned with the General Data Protection Regulation
have had an impact on American and Korean as well
as German apps. The trends in mobile gaming in
Korea support an argument for the importance of
social trends in app permissions. Code maturity may
also play a role, as the age of the application was
significant. We found evidence for governance by the
law, social norms, and the architecture of the Play
Store in the app market.
Application Dangerous Permissions Over Time (2012-2017)
[Figure: Application Permission Trends. Time axis from 1/1/12 to 7/1/17. Series: (Game) Angry Birds, (Game) Candy Crush, (Game) Fruit Ninja, (Lifestyle) Tinder, (Lifestyle) Poing, (Lifestyle) Starbucks, (Social) Badoo, (Social) Snapchat, (Social) Facebook.]
[Figure: Application Permissions (Dangerous) Over Time. Time axis from 1/1/12 to 7/1/17. Same nine applications as series.]
IT Privacy Legislation (2011-2018)
• Network Act (SK) - July
• EC Proposes EU Data Protection Reform
• Official Draft of GDPR Published - January
• Personal Information Protection Act (PIPA) (SK) Enacted - March
• PIPA Amendment Act No. 11690 - March
• Asia-Pacific Economic Cooperation endorses Privacy Framework - September
• Organization for Economic Co-operation and Development Revises Privacy Principles
• Location Information Act Amended
• European Parliament Adopts Several Proposed Amendments of the GDPR - May
• Electronic Communications Privacy Act Amendments Act (S.356) - February
• FCC published the final rule on its new "Net Neutrality" regulations (Open Internet Order) - April
• Cloud Computing Act - September
• EU Declares U.S. Safe Harbor Laws Invalid - October
• Privacy Act of 1974 Amended (2015 Edition) - November
• Judicial Redress Act enacted - February
• GDPR Regulation published in EU Official Journal - May
• Google Play revises Application Guidelines - June
• Google Play Updates Privacy and Security Policies and User Generated Content - July
• FCC Releases Rules to Protect Broadband Consumer Privacy - November
• Standard Data Protection Model - November
• Council of EU confirms agreement of GDPR terms - December
• German Data Protection Amendment Act (GDPAA) Published in Federal Law Gazette - July
• EU-U.S. Privacy Shield adopted - November
• Privacy & Data Security Update - January
• FTC updates COPPA Compliance Plan for Business - June
• Google Play revises Application Guidelines - June
• General Data Protection Regulation Effective - May
Android Permissions
Individuals in the mobile ecosystem can putatively
protect their privacy with the use of permissions.
This requires that mobile device owners
understand permissions and their privacy
implications. Research has consistently found
that neither users nor even app developers have
a well-grounded understanding of the interaction
of permissions and privacy. Given this repeatedly
validated result, we ask: what impinges on
permissions in practice? To answer this question
we performed statistical analysis on 4623 Android
Application Packages (APK) on the Google Play
Store against a variety of externalities.
We find that, in general, application permission counts increase over time. As shown, Social applications
grow in permission count much more quickly than Lifestyle and Game applications. Game application
permission counts, on the other hand, often remain static. This permission growth can likely be attributed to
an increase in features over time.
We provide a time series analysis of dangerous permission usage in three countries, set against the regulatory
environment. In our findings, we observe that the use of dangerous permissions decreases
monotonically as data protection and privacy regulatory standards increase over time.
Strava Heatmap
The fitness tracking company Strava released more than 27 million users’ jogging,
running, and walking patterns. Over 12 billion GPS data points of exercise enthusiasts are
clearly identifiable. Strava is just one perfect example of how failure to implement
adequate privacy settings mixed together with negligent security practice can cause
unintended consequences at the national security level.
[Figure: Turkish patrol to the north of the Syrian city of Manbij (syria.liveuamap.com)]
Among other things, Strava data has made previously confidential information such as
patrol routes and military bases public.
Acknowledgments
We would like to acknowledge the assistance of Dr.
Samir Patil, who provided valuable feedback, as well as
Kenneth Bikoff, who provided critical editing
contributions, and Yonjae Lee, who provided regional
policy insight.
Statistical analysis was then performed to determine
whether or not Android Permissions are influenced by
external variables such as location, age, popularity,
category and IT privacy legislation.
With the use of third-party tools such
as apkpure and apkmirror, raw
Android Package (APK) files were
collected and parsed to extract
permission information.
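
An added illustration of the extraction step described above (not the authors' tooling): it parses permission listings in the text format printed by `aapt dump permissions` and counts total versus dangerous permissions per release. The dangerous list (Android's runtime permissions as of API level 26), the sample listings and the package name `com.example.app` are assumptions constructed for this example.

```python
import re

# Android "dangerous" (runtime) permissions as of API level 26.
# Assumption: the poster does not state which list the authors used.
_P = "android.permission."
DANGEROUS = {_P + n for n in """
READ_CALENDAR WRITE_CALENDAR CAMERA READ_CONTACTS WRITE_CONTACTS GET_ACCOUNTS
ACCESS_FINE_LOCATION ACCESS_COARSE_LOCATION RECORD_AUDIO READ_PHONE_STATE
READ_PHONE_NUMBERS CALL_PHONE ANSWER_PHONE_CALLS READ_CALL_LOG WRITE_CALL_LOG
USE_SIP PROCESS_OUTGOING_CALLS BODY_SENSORS SEND_SMS RECEIVE_SMS READ_SMS
RECEIVE_WAP_PUSH RECEIVE_MMS READ_EXTERNAL_STORAGE WRITE_EXTERNAL_STORAGE
""".split()} | {"com.android.voicemail.permission.ADD_VOICEMAIL"}

# Accepts both aapt styles:  uses-permission: android.permission.CAMERA
#                            uses-permission: name='android.permission.CAMERA'
_USES = re.compile(r"^uses-permission:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(aapt_output):
    """Return the de-duplicated set of permissions an APK requests."""
    hits = (_USES.match(line.strip()) for line in aapt_output.splitlines())
    return {m.group(1) for m in hits if m}

def summarize(aapt_output):
    """Return (total requested, dangerous requested, sorted dangerous names)."""
    perms = parse_permissions(aapt_output)
    dangerous = sorted(perms & DANGEROUS)
    return len(perms), len(dangerous), dangerous

# Constructed sample: two releases of a hypothetical app, keyed by release date.
RELEASES = {
    "2014-03-01": """package: com.example.app
uses-permission: android.permission.INTERNET
uses-permission: android.permission.ACCESS_FINE_LOCATION
uses-permission: android.permission.READ_CONTACTS
uses-permission: android.permission.READ_SMS
permission: com.example.app.permission.C2D_MESSAGE""",
    "2017-06-01": """package: com.example.app
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE' maxSdkVersion='18'
uses-permission: name='android.permission.INTERNET'""",
}

def time_series(releases):
    """Rows of (date, total, dangerous) in chronological order."""
    return [(d,) + summarize(out)[:2] for d, out in sorted(releases.items())]
```

In the constructed data the total permission count rises between releases while the dangerous count falls, which is the shape of trend the poster reports; permissions the app declares itself (`permission:` lines) are not counted as requests.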