Curbing Android Permission Creep

In Proceedings of the 2011 Web 2.0 Security and Privacy Workshop (W2SP 2011). Oakland, CA. May 2011.

Timothy Vidas
Carnegie Mellon ECE/CyLab

Nicolas Christin
Carnegie Mellon INI/CyLab

Lorrie Faith Cranor
Carnegie Mellon CS/CyLab


Android has a large number of application permissions, around 130. Many users have become accustomed to accepting all the terms that go along with an application in order to get it to install. The problem is that potential security and privacy hazards may arise from this: sometimes an app intends to send information to a third-party server, or it simply requests more permissions than it actually needs.

The authors propose that applications be divided into two categories: the set of apps that actually utilize a permission, and the set of apps that request additional permissions by mistake. Data mined from applications on the Android Market showed that INTERNET and ACCESS_NETWORK_STATE were the permissions that most often appeared as duplicate entries in the AndroidManifest.xml file.

A tool, in the form of an Eclipse plugin, was introduced that allows developers to assess which permissions their app is actually using and to perform additional checking to help keep the manifest file clean and slim. Only permissions that are backed by actual function calls in the code remain in the manifest.
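The two checks the summary describes, duplicate `<uses-permission>` entries and permissions with no backing API call, as an added illustration that is not the paper's Eclipse plugin. The manifest and source snippet are constructed, and the `API_PERMISSIONS` map is a hypothetical three-entry stand-in for the full API-to-permission mapping a real checker would need.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest: INTERNET is declared twice, READ_CONTACTS is never used.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Constructed sample source: only network-related calls appear.
SAMPLE_SOURCE = """
HttpURLConnection c = (HttpURLConnection) url.openConnection();
ConnectivityManager cm = (ConnectivityManager) getSystemService(CONNECTIVITY_SERVICE);
NetworkInfo ni = cm.getActiveNetworkInfo();
"""

# Hypothetical, deliberately tiny API-to-permission map (assumption, not a full table).
API_PERMISSIONS = {
    "openConnection": "android.permission.INTERNET",
    "getActiveNetworkInfo": "android.permission.ACCESS_NETWORK_STATE",
    "ContactsContract": "android.permission.READ_CONTACTS",
}

def declared_permissions(manifest_xml):
    """Count each <uses-permission android:name=...> entry in the manifest."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")]
    return Counter(names)

def used_permissions(source):
    """Map API identifiers found in the source to the permissions they require."""
    return {perm for api, perm in API_PERMISSIONS.items()
            if re.search(r"\b" + re.escape(api) + r"\b", source)}

def audit(manifest_xml, source):
    """Report duplicate, unused (over-requested) and undeclared (missing) permissions."""
    declared = declared_permissions(manifest_xml)
    used = used_permissions(source)
    return {
        "duplicates": sorted(p for p, n in declared.items() if n > 1),
        "unused": sorted(set(declared) - used),
        "undeclared": sorted(used - set(declared)),
    }

if __name__ == "__main__":
    for kind, perms in audit(SAMPLE_MANIFEST, SAMPLE_SOURCE).items():
        print(f"{kind}: {perms}")
```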

Check out the plugin

About Frank Sposaro

Frank was the first student to start the mobile lab with Dr. Tyson. After working on the first project, iFall, he and Dr. Tyson designed the Mobile Programming course at FSU. The course is used as a training base to recruit new students into the lab. His thesis researches several medical-related applications, including iFall. Frank then went on to implement the redesign of the “favorite contacts” for Android’s Ice Cream Sandwich at Google HQ in Mountain View, California. He currently acts as a tech lead in the lab, getting infrastructure and project management tools set up. He has a special focus on native Android coding and UI design.