Method-Level Permission Analysis Based on Static Call Graph of Android Apps

Abstract

Android permission system is important for protecting the privacy of mobile phone users. However, Android apps may not always use permissions correctly. In Android, accesses to priviledged hardware or private information are generally conducted by calling APIs protected by certain types of permissions. Thus, people can analyze the method call statistics to gain insights into the usage of permissions in the Android App code. For Android Apps whose source codes are not available, the analysis process will face two major challenges: (1) mapping permission to APIs; (2) handle the thousands of methods and method invocations. To deal with the challenges, we propose a method-level permission usage analysis, which is adopted to analyze the disassembled bytecode of an Android App. We model the behaviors of App code by its static call graph. A social ranking method is applied upon the static call graph, and generate a ranking of all the methods in the target Android App. Based on the ranking results, we further provide a configurable permission-sensitive subgraph generation algorithm to direct our analysis to high ranked method, and inspect permission-specific subgraph of that typical method to get a very clear view of the compact calling structure of permission-sensitive methods.