Michalis Diamantaris, Elias P. Papadopoulos, Evangelos P. Markatos, Sotiris Ioannidis and Jason Polakis.
In Proceedings of the 9th ACM Conference on Data and Application Security and Privacy (CODASPY '19), March 2019. [Paper] [BibTex]
Android's app ecosystem relies heavily on third-party libraries as they facilitate code development and provide a steady stream of revenue for developers. However, while Android has moved towards a more fine-grained run time permission system, users currently lack the required resources for deciding whether a specific permission request is actually intended for the app itself or is requested by possibly dangerous third-party libraries.
In this paper we present Reaper, a novel dynamic analysis system that traces the permissions requested by apps in real time and distinguishes those requested by the app's core functionality from those requested by third-party libraries linked with the app. We implement a sophisticated UI automator and conduct an extensive evaluation of our system's performance and find that Reaper introduces negligible overhead, rendering it suitable both for end users (by integrating it in the OS) and for deployment as part of an official app vetting process. Our study on over 5K popular apps demonstrates the large extent to which personally identifiable information is being accessed by libraries and highlights the privacy risks that users face. We find that an impressive 65% of the permissions requested do not originate from the core app but are issued by linked third-party libraries, 37.3% of which are used for functionality related to ads, tracking, and analytics. Overall, Reaper enhances the functionality of Android's run time permission model without requiring OS or app modifications, and provides the necessary contextual information that can enable users to selectively deny permissions that are not part of an app's core functionality.
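To make the attribution idea in the abstract concrete, here is an added illustration (not Reaper's code and not from the paper): each permission check is recorded together with the call stack at that moment, and the request is credited to the first frame that belongs neither to the Android framework nor to the app's own package. The app package, library table, frame format and sample events are all constructed for the example.

```python
from collections import Counter

APP_PACKAGE = "com.example.weather"  # constructed sample app, not one from the paper's dataset
FRAMEWORK_PREFIXES = ("android.", "androidx.", "java.", "dalvik.", "com.android.")
# Constructed library table; categories mirror the ads/tracking/analytics grouping in the text.
KNOWN_LIBRARIES = {"com.adnetwork.sdk": "ads", "com.trackerco.analytics": "analytics"}

def origin_of(stack):
    """stack: 'package.Class.method' frames, innermost first. Returns (kind, package)."""
    for frame in stack:
        cls = frame.rsplit(".", 1)[0]  # drop the method name
        if cls.startswith(FRAMEWORK_PREFIXES):
            continue  # framework/JDK frames never tell us who asked
        if cls == APP_PACKAGE or cls.startswith(APP_PACKAGE + "."):
            return ("app", None)  # core app code issued the request
        for lib in KNOWN_LIBRARIES:
            if cls.startswith(lib + "."):
                return ("library", lib)
        return ("library", cls.rsplit(".", 1)[0])  # unlisted library: report its package
    return ("unknown", None)  # stack was entirely framework frames

def summarize(events):
    """events: (permission, stack) pairs. Returns per-library counts a user could act on."""
    by_library = {}
    lib_requests = 0
    for perm, stack in events:
        kind, pkg = origin_of(stack)
        if kind != "library":
            continue
        lib_requests += 1
        by_library.setdefault(pkg, Counter())[perm] += 1
    categories = Counter(KNOWN_LIBRARIES.get(pkg, "unlisted") for pkg in by_library)
    return {
        "total": len(events),
        "library_share": round(100.0 * lib_requests / len(events), 1) if events else 0.0,
        "by_library": by_library,
        "library_categories": categories,
    }

SAMPLE_EVENTS = [  # constructed permission-check events; no real app or library names
    ("ACCESS_FINE_LOCATION", ["android.app.ContextImpl.checkPermission",
        "com.adnetwork.sdk.GeoTargeting.refresh", "com.example.weather.MainActivity.onResume"]),
    ("READ_PHONE_STATE", ["android.app.ContextImpl.checkPermission",
        "com.trackerco.analytics.DeviceId.collect", "com.example.weather.App.onCreate"]),
    ("ACCESS_FINE_LOCATION", ["android.app.ContextImpl.checkPermission",
        "com.example.weather.Forecast.load"]),
    ("READ_CONTACTS", ["android.app.ContextImpl.checkPermission",
        "net.unlistedlib.sync.Contacts.pull", "com.example.weather.Settings.onClick"]),
]
```

Note that the first event is credited to the ad library even though the app's activity sits further down the stack: the library is the code that actually issued the request, which is exactly the distinction that lets a user deny that permission without breaking the app's own features.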
@inproceedings{Diamantaris:2019:RRA:3292006.3300027,
  author    = {Diamantaris, Michalis and Papadopoulos, Elias P. and Markatos, Evangelos P. and Ioannidis, Sotiris and Polakis, Jason},
  title     = {REAPER: Real-time App Analysis for Augmenting the Android Permission System},
  booktitle = {Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy},
  series    = {CODASPY '19},
  year      = {2019},
  isbn      = {978-1-4503-6099-9},
  pages     = {37--48},
  url       = {http://doi.acm.org/10.1145/3292006.3300027},
  doi       = {10.1145/3292006.3300027},
  acmid     = {3300027},
  publisher = {ACM},
  keywords  = {android, dynamic analysis, permission origin, personally identifiable information, third-party libraries},
}
We made our source code available here.
Apps (md5, package name) used in our analysis can be found here.
Apps (md5, package name) used in evaluating the performance of UIHarvester can be found here.
Apps (md5, package name) used in evaluating the coverage of UIHarvester can be found here.
In case you have questions about this project, contact Michalis Diamantaris.