Detecting Permission Over-claim of Android Applications with Static and Semantic Analysis Approach

Android access control granularity based on its permission mechanism is relatively coarse, which cannot effectively protect the user privacy. Many Android applications do not strictly abide by the principle of least privilege (PLP). Both benign and malicious apps may request more permissions than those they really use. We rethink previous permission over-claim problem of Android applications, and extend it to three kinds of problems: Explicit Permission Over-claim, Implicit Permission Over-claim and Ad Library Permission Over-claim. The latter two problems are new that have not been raised by any previous work. Static analysis is to decompile the applications to generate intermediate code and then analyze the usage of permissions. Our static analysis on 10710 applications shows that 76.08% of them may have Explicit Permission Over-claim problem, among those there are 424 applications that have sensitive permissions, which are only used in the advertisement library’s code of the applications rather than developer’s own code. They have Ad Library Permission Over-claim problem. The main idea of our semantic analysis is to calculate the semantic similarity between apps’ descriptions and function phrases. If the similarity exceeds a certain threshold, the app is considered relevant to the corresponding function. We compare the results of the semantic analysis with those of manual reading of 102 Android application descriptions. The F-measures of the three chosen functions are 80.82%, 70.48% and 89.62%, respectively. The evaluation results show our method can efficiently detect the above three kinds of permission over claim problems which indicates that our method would be helpful for normal users to have a clear understanding of permission usage of Android applications.