Curbing Android Permission Creep
In Proceedings of the 2011 Web 2.0 Security and Privacy Workshop (W2SP 2011). Oakland, CA. May 2011.
Carnegie Mellon ECE/CyLab
Carnegie Mellon INI/CyLab
Lorrie Faith Cranor
Carnegie Mellon CS/CyLab
Android has a large number of application permissions, around 130. Many users have become accustomed to accepting all the terms of service that go along with an application in order to get it to install. The problem is that potential security and privacy hazards may arise from this. Sometimes the app intends to send information to a third-party server, and sometimes it simply requests more permissions than it actually needs.
The authors propose dividing applications into two categories: the set of apps that are utilizing a permission and the set of apps that request additional permissions by mistake. Data for applications on the Android Market was mined and showed that INTERNET and ACCESS_NETWORK_STATE were the permissions that most often appeared as duplicate entries in the AndroidManifest.xml file.
A tool, in the form of an Eclipse plugin, was introduced that allows developers to assess which permissions their app is using and to perform additional checking that helps keep the manifest file clean and slim. The result is a manifest that contains only the permissions that are actually exercised by function calls.
Check out the plugin http://www.ece.cmu.edu/~tvidas/PermCheckTool.jar
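The kind of check described above, sketched as an added example (this is not the plugin's code): it flags duplicate uses-permission entries and compares requested permissions with those implied by API calls found in the source. The API-to-permission table, the name-matching heuristic, and the sample manifest and source are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative subset of an API-call -> permission map (assumption, not the plugin's data).
API_PERMISSIONS = {
    "getActiveNetworkInfo": "android.permission.ACCESS_NETWORK_STATE",
    "getDeviceId": "android.permission.READ_PHONE_STATE",
    "getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "Camera.open": "android.permission.CAMERA",
    "HttpURLConnection": "android.permission.INTERNET",
}

def requested_permissions(manifest_xml):
    """Count every <uses-permission android:name=...> entry in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    return Counter(n for n in names if n)

def used_permissions(source_text):
    """Permissions implied by API names found in the source (simple name match)."""
    return {perm for call, perm in API_PERMISSIONS.items()
            if re.search(r"\b" + re.escape(call) + r"\b", source_text)}

def audit(manifest_xml, source_text):
    requested = requested_permissions(manifest_xml)
    used = used_permissions(source_text)
    return {
        "duplicates": sorted(p for p, n in requested.items() if n > 1),
        "unused": sorted(set(requested) - used),   # requested, no matching call
        "missing": sorted(used - set(requested)),  # called, never requested
    }

# Constructed sample manifest and source snippet.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>"""

SAMPLE_SOURCE = """
HttpURLConnection c = (HttpURLConnection) url.openConnection();
String id = telephonyManager.getDeviceId();
"""

if __name__ == "__main__":
    for finding, perms in audit(SAMPLE_MANIFEST, SAMPLE_SOURCE).items():
        print(finding, perms)
```

Because the table is only a subset, a permission whose APIs are not listed (READ_CONTACTS in the sample) is reported as unused and needs manual review before it is removed.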