Android App Permission Analysis Based on Developer’s Privacy Policies

Saghaie, Fatemeh | 2021

  1. Type of Document: M.Sc. Thesis
  2. Language: Farsi
  3. Document No: 54670 (19)
  4. University: Sharif University of Technology
  5. Department: Computer Engineering
  6. Advisor(s): Amini, Morteza
  7. Abstract: With the increasing use of smartphones, securing information and protecting mobile users’ privacy is one of the important subjects in this context. Android, as one of the most popular operating systems for smartphones, uses strategies to provide system security and user privacy; one of these strategies is the permission system. Applications must obtain permissions from users to access their sensitive data. Most related research, and Android itself, focuses on granting or revoking permissions so that the program does not misuse the user’s sensitive data, but most of the time the purpose of accessing data is not obvious and the user does not have enough knowledge about the application’s functionality to decide whether to grant or revoke the permission. Therefore, determining the purpose for which a program accesses the user’s sensitive data is very important. One way to extract the intended purposes of an application is to use the privacy policies published by the application developer, but these privacy policies, which are written in natural language, are often long and most of their expressions are incomprehensible to normal users. The purpose of this study is to analyze privacy policies using existing tools in order to extract the list of purposes for which an application uses the user’s sensitive data and compare it to the list of purposes extracted from the program by analyzing some features of the program. To this end, in the solution proposed in this thesis, first the compressed apk file of the program is analyzed through static analysis and the required features are extracted. After the features are saved in vectors for each application, the vectors file is given as input to the machine learning tool. For each of the ten application purposes, there is an algorithm to predict that purpose. We collected a dataset of 300 normal Android apps to train the machine learning algorithms. After training and testing the machine learning algorithms with this dataset, we were able to predict, for each purpose, whether the application was pursuing that purpose. On the other hand, each program includes a privacy policy, which is analyzed by the Polisis tool in this study, and we extracted the list of purposes claimed by the developer of the application. Finally, the list of purposes extracted from the analysis of the program is compared to the purpose list prepared through the Polisis tool. As the final output of the proposed method, we extracted the deviation of the application’s purpose in using sensitive data from what is stated in the program’s privacy policy. Ten known Android malware samples were used to evaluate the proposed solution, and the “legal purpose rate” of each program was reported, which indicates the degree of match between the purposes pursued in the application and the purposes stated in the program’s privacy policy.
  8. Keywords: Android Security; Privacy; Android Applications; Application Analysis; Android Permission