
Detailed Record
Author (Chinese): 賈奧謨
Author (foreign language): Omar Jabbi
Title (Chinese): Risk Assessment and User Attention on Android Permissions
Title (foreign language): 一個在Android權限架構上的風險評估機制 (A Risk Assessment Mechanism on the Android Permission Framework)
Advisor (Chinese): 孫宏民
Advisor (foreign language): Sun, Hung-Min
Committee members (Chinese): 孫宏民, 顏嵩銘, 洪國寶
Committee members (foreign language): Hung-Min Sun, Yan Song Ming, Gwoboa Horng
Degree: Master's
University: National Tsing Hua University (國立清華大學)
Department: Institute of Information Systems and Applications
Student ID: 101065425
Year of publication (ROC calendar): 103 (2014)
Graduation academic year: 102
Language: English
Number of pages: 43
Keywords (Chinese): Android, Data Analysis, Google, Permissions, Risk, Runtime
The install-time permission system of Android is designed to inform users of the domain of access for a specific application and perhaps the risks associated with it. However, this comes with some drawbacks as far as ordinary users are concerned. It is an "all or nothing" system in which users are left with no choice but to discard applications once they are not satisfied with even a single permission in the list. Furthermore, users may also lack the ability to understand each of the permissions listed, making it hard to distinguish malware from clean applications.

In this work I have carried out a comprehensive risk assessment of Android permissions and applications by using statistical approaches on the patterns of permission requests from both clean and malicious Android applications. The result proved efficient for ranking the risk levels of user applications. From a data set of 10256 applications, of which 5100 were malware samples, I carried out an intuitive statistical analysis coupled with a classification technique in order to generate risk scores for Android applications based on permission request patterns and market characteristics. The resulting system was able to accurately classify 66.6 percent of randomly selected samples from the data set. As a proof of concept, I developed a basic Android application that is able to show the risk ranking of user applications based on my approach.

The results prove to be useful as a first-hand determination of the trustworthiness of applications in environments such as third-party Android markets. The approach can also be used for fishing out over-privileged user applications.
Declaration of Authorship, p. i
Abstract, p. iii
Acknowledgements, p. iv
List of Figures, p. vii
List of Tables, p. viii
1 Introduction, p. 1
1.1 Problem Statement, p. 1
1.2 Contributions, p. 3
1.3 Scope, p. 4
2 Background and Related Works, p. 5
2.1 Background, p. 5
2.1.1 Basic Android Security Architecture, p. 5
2.1.1.1 System and kernel level security, p. 6
2.1.1.2 The Application Sandbox, p. 7
2.1.2 Application Security and the Permission Model, p. 8
2.1.2.1 Elements of an Application, p. 8
2.1.2.2 The Permission Model, p. 8
2.1.2.3 Permission Levels, p. 10
2.1.2.4 Granting Permissions, p. 10
2.1.2.5 Sensitive APIs, p. 12
2.2 Related Works, p. 13
2.2.1 Dynamic and Static solutions, p. 14
2.2.2 Machine learning approaches, p. 15
2.2.3 Detection using permissions, p. 15
3 Data Collection & Analysis, p. 17
3.1 Data Collection, p. 17
3.1.1 Clean Applications, p. 17
3.1.2 Malware Dataset, p. 18
3.2 Statistical analysis, p. 18
3.2.1 Clean applications, p. 18
3.2.2 Malware applications, p. 19
4 Methodology & System Design, p. 21
4.1 System Design, p. 21
4.1.1 The Risk Enumerator, p. 22
4.1.2 The Risk Meter, p. 23
4.2 Risk Evaluation, p. 23
4.2.1 Risk Aggregation, p. 23
4.2.2 Risk Quantification, p. 24
4.2.2.1 Likelihood of permissions, p. 25
4.2.2.2 Impact levels of permissions, p. 25
4.2.3 Risk scores, p. 27
5 Implementation, p. 28
5.1 The risk evaluator, p. 29
5.2 The risk monitoring service, p. 31
5.3 Presentation and Management Activities, p. 31
6 System Evaluation, p. 34
6.1 Detection Rates, p. 34
6.2 Usability & Impact on Users, p. 36
7 Conclusion and Future work, p. 38
Bibliography, p. 40