Reevaluating android permission gaps with static and dynamic analysis

Abstract

Recent studies on the Android permission system have found that there exists a permission gap between the requested permissions and permissions actually used in an Android app. However, current approaches face some challenges when detecting such permission gaps in Android apps due to the limitation of static analysis techniques. This paper proposes a novel approach to detect permission gaps in Android apps and determine the precise set of permissions that an app needs to run correctly. Our approach includes a static analysis technique to extract permission usage information from API invocations, and a dynamic testing technique to test and monitor the runtime permission usage behaviors of apps. By combining static analysis and dynamic testing, our approach can detect significantly more permission usage information compared to static analysis, indicating that our approach could improve the detection accuracy and reduce the false positives in permission gap detection. We have implemented a prototype to study more than 1,000 popular apps from Google Play. The results show that our approach could detect on average 30% more permissions that are used in apps, while more than 8% of the overprivileged apps detected by previous approaches are false positives.