Liran Ma

Abdallah Khreishah
Yan Zhang
Mingyuan Yan (Eds.)

Wireless Algorithms,
LNCS 10251

Systems,
and Applications
12th International Conference, WASA 2017
Guilin, China, June 19–21, 2017
Proceedings

123
 3P Framework: Customizable Permission
Architecture for Mobile Applications

Sujit Biswas1,2 , Kashif Sharif1,2(B) , Fan Li1,2(B) , and Yang Liu3

1
School of Computer Science, Beijing Institute of Technology, Beijing, China
{sujitedu,7620160009,fli}@bit.edu.cn
2
Beijing Engineering Research Center of High Volume Language Information
Processing and Cloud Computing Applications, Beijing, China
3
State Key Laboratory of Networking and Switching Technology,
Beijing University of Posts and Telecommunications, Beijing, China
liu.yang@bupt.edu.cn

Abstract. Mobile applications & smart devices have drastically

changed our routine tasks, and have become an integral part of mod-
ern society. Along with the numerous benefits we get, major challenges
like privacy and safety have become complicated than before. The per-
mission based system for mobile applications is designed to empower the
user to decide which resources and information they want the application
to access. Most of these permissions are granted during installation of
application, but our study shows that the users make weak decisions in
protecting their information. Majority of the users, even with technical
backgrounds, blindly grant all permissions requested by the application
even if they are not necessary for the application to run. In order to
give more control to the user, and to enable them to make informed
decisions regarding permission, we have proposed a Privacy Permission
Policy Framework in this paper. This framework enables the user to
have greater control over the permission granting while installing the
mobile applications. The implementation and testing of the framework
also enabled us to run forensic analysis and understand the scope of per-
missions requested, based on which this framework can advise the user to
select minimum required permissions for the application to work. This
makes the users’ privacy more secure, and grants full control over the
process.

Keywords: Privacy behaviors · Mobile app privacy · Android security ·

Users privacy consciousness

1 Introduction
Smart phones have dramatically changed the mobile world within a very short
period. The global smart phone users exceeded 2.1 billion in 2016, and smart
This work is partially supported by the National Natural Science Foundation of
China under Grant Nos. 61370192, 61432015, and 61602038.

c Springer International Publishing AG 2017
L. Ma et al. (Eds.): WASA 2017, LNCS 10251, pp. 445–456, 2017.
DOI: 10.1007/978-3-319-60033-8 39
446 S. Biswas et al.

phone penetration in China will cross 60% by 2020 [1,2]. A tremendous growth
in the number of mobile apps, and app distribution platforms has also been
observed. Applications are used for various daily life purposes including commu-
nication, mobile payments, entertainment, navigation, etc. In essence a smart
phone contains a summary of complete daily life of a person. The on-line stores
to obtain application apks for android are uncountable. Although this has helped
in increasing the application development and ease of access, but at the same
time, it has created numerous new challenges, among which user security and
safety is a dominating one.
Android’s existing security is built upon a permission based mechanism which
restricts access of third-party Android applications to critical resources on a
device (e.g., wi-fi, camera, etc.), change phone settings, read or write data (e.g.
text message, contacts). App developers can use these permissions according
to the requirements and services in their applications. Unfortunately, malicious
and unscrupulous apps may also take benefit of these mechanisms for illegal
purposes [3–6]. Moreover, some developers lack of privacy awareness [7], due to
which, developers over-claim the permissions necessary to run the application.
In existing security system of Android users see those required permissions of an
application as a warning during installation or at runtime. In majority of cases,
the user of application struggles to understand at installation, what the permis-
sion actually will do. In this paper, we propose a comprehensive smartphone
permission policy framework, which sits between the kernel and the application
apks, and intercepts the permission process. This creates a comprehensive solu-
tion to control which permissions are being granted for the device resources and
user data. In order to better understand the awareness level of users regarding
permission process of applications, we have also conducted a survey. Based on its
recommendations, this framework assists users to fully control which permissions
are to be granted.
The rest of paper is organized as: Sect. 2 discusses related work regarding the
studies done about user awareness of security and privacy threats. In Sect. 3 we
present results collected from survey to determine the correlation between users’
educational background and the app permission awareness. Section 4 describes
the Privacy Permission Policy Framework in detail, followed by implementation
and analysis in Sect. 5. Conclusion is drawn in Sect. 6.

2 Related Works

Chin et al. [8] conducted a user study involving 60 smart phone users to gain
understanding into user perceptions of smart phone security and installation
habits. Their survey collects information about users such as; (a) users are more
concerned about privacy on their smart phones than their laptops, (b) users
are apprehensive about performing privacy-sensitive and financial tasks on their
smart phones than their laptops (c) users worry about physical theft and data
loss, malicious applications, and wireless network attackers. The conclude that
users need to be more vigilant about security, and should use applications that
 3P Framework: Customizable Permission Architecture for Mobile App 447

protect from intrusions, security breaches, and malware. They also suggest that
users need to be educated more about the safety and security of devices and data.
Felt et al. [9] ran a survey on 3115 users and suggested a ranking of the risks
of 54 smart phone application permissions. Lin et al. [10] framed mobile privacy
in the form of people’s expectations and concluded implication for employing
crowdsourcing as a privacy evaluation technique. Balebako et al. [7] surveyed
on 228 app developers to quantify privacy and security behaviors, suggested
tools and opportunities to reduce the barriers for app developers to implement
privacy and security best practices. In addition a number of papers address the
perception of users with regards to user confidence in security, the complexity
of permissions, and permission management [11–15]. Moreover there is a large
collection of mobile applications [16–20], that are available to change the privacy
settings, permissions, and other aspects. Majority of these tools are designed to
change settings after the application has been installed, which is an after the
fact situation.
Improvement and awareness of security situation is a continuous process. As
the technologies improve & evolve, and become available for mass public usage, it
becomes important to educate and make the user aware of the risks and concerns
of safety and privacy.

3 Users’ Privacy Awareness Analysis

The primary objective of user privacy awareness analysis is to understand the

behavior of people at the time of installing an application on their smartphone.
Once the user has granted permission for the application to access resources on
the phone, the app can legitimately access or modify the information for it’s pur-
pose. We have conducted a structured survey of 252 multinational smartphone
users. The online/offline survey questionnaire was designed to collect informa-
tion regarding the decision process at app installation time: i.e. how users take
decisions about permissions, and how much they are conscious about privacy and
security. In addition the survey was focused towards people who have engineer-
ing background. The survey has 90% participants who are studying in different
engineering disciplines and most of them are scholars studying in China from
different countries. A follow-up survey was done on 30 participants, where they
provided open-ended explanations of their feelings about smart phone security
behavior.

Demographics: Participant ages range from 11 to 40 years (76.1% were 21–30,

12.5% between 31–40 years) while 35.9% were female and 64.1% were male. We
classified participants basically in two categories, i.e. Engineers (all engineering
students & professionals) and Others (other professionals like medical, adminis-
trator, etc.). In the survey sample, 69.5% were engineer and 30.5% belonged to
other professionals. The predominant group of 78.1% were students and 15.6%
were professionals. Within the students 76.4% were engineering students.
448 S. Biswas et al.

Table 1. Summary of responses regarding smartphone security and privacy

No Knowledge Engineers Others

1 Read information before installation
2 Heard about permissions
3 Used security software
4 Have idea about effects of permissions
5 Noticed any privacy risk before
6 Knows that all photos tag geo location
by default
7 Effect of malicious apps/permission on
email, credit card, private data
8 Apps can be used for other purpose than 49.4% 50.6% 35.9% 64.1%
declared
Yes No Yes No
30.5% 39.1% 13.3% 17.1%
85.4% 14.6% 79.5% 20.5%
46.1% 53.9% 33.3% 66.7%
42.7% 57.3% 33.3% 66.7%
49.4% 50.6% 35.9% 64.1%
43.8% 56.2% 28.2% 71.8%
80.9% 19.1% 53.8% 46.2%

Survey Results: The percentage of users who expressed their perception on

security related issues at time of app installation or later is presented in Table 1.
It is observed that most of the people (39.10% out of 69.60%, 17.10% out of
30.40% engineering & non engineering respectively) do not read about apps pri-
vacy/permission information before installation. Surprisingly 14.60% engineers
didn’t know about permissions while 20.50% from other disciplines expressed
lack of knowledge about permissions related to apps. 57.3% engineers who heard
about permissions, but had no idea about the effects of permitting. It is very
interesting to note that 80.90% of engineers do have concerns regarding malicious
apps stealing their private data like email, credit card etc. Most of the responder
(engineers 50.60% and 64.10% others) do not have any idea that one application
can be used for other purposes than what it declares to do. In summary, as
shown in Fig. 1, only 39.68% responders claim to have knowledge about permis-
sions effect. About 19.05% users never read information while 30.30% rarely read
about information and instructions at installation time. Only 42.06% of respon-
ders claimed to have used safety software for privacy or security. About 56%
engineers have no idea about the effect of permissions on smart phone whereas
non-engineers percentage in this regard is about 69%.
Based on the survey results, we form the following hypotheses about the
privacy and security behavior of smart phone users.
Hypothesis (H1): Technological education and privacy knowledge relationship
is positive but weakly correlated.
We examined this hypothesis based on the participants’ opinion and calcu-
lated their correlation which has been shown in Table 2. The correlations between
educational background and answer of question number 1 to 8 are very weak.
This observation supports the hypothesis that educational background has no
significant effect on: (a) reading warnings during installation, (b) hearing about
 3P Framework: Customizable Permission Architecture for Mobile App 449

Fig. 1. Privacy consciousness statistics

permission and its effect on security (c) knowledge about the effect of malicious
apps on personal data, or (d) utilization of apps.
During the follow-up interviews with selected participants, similar observa-
tion was made. Users are often surprised about the permissions requested, data
collected by apps, and the recipients of such data. We also observed that users
do not understand privacy notices. In essence most of the users have little or no
idea about permissions, privacy & security practices, and don’t read applications
documentation to fully understand the risk. Hence it becomes impossible to con-
sciously arrive at a permission decision. Most of the users accept all permissions
requests, because of their desire to use the application for it’s advertised purpose.

Table 2. Correlation matrix for questions in survey

Engr 1 2 3 4 5 6 7 8
Engr 1
1 0.008 1
2 0.093 .345** 1
3 0.105 0.119 0.018 1
4 0.029 .254** .262** 0.106 1
5 .287** .176* 0.137 0.035 0.129 1
6 .218* .198* .213* 0.046 .189* 0.101 1
7 0.169 0.035 .312** 0.046 .213* .205* 0.168 1
8 0.146 0.167 0.089 0.065 .307** .320** .224* .243** 1
**Correlation is significant at the 0.01 level (2-tailed).
*Correlation is significant at the 0.05 level (2-tailed).

4 Privacy Permission Policy (3P) Framework

In light of the survey results and review of literature, we propose a new frame-
work for ensuring privacy and permission control for different types of smart
450 S. Biswas et al.

phone users. This Privacy Permission Policy (3P) framework takes smart deci-
sions about warning the users of all permissions requested and assist in choosing
the minimum required permissions based on user needs. As shown in Fig. 2, the
framework is essentially a middleware, which takes into account the preferences
& behavior of the user, detailed permissions requested in the application apk,
and ensures that only those permissions are granted which will not go beyond
the intended use of application. The framework enables user to pick and choose
which permissions to grant and which not, which is contrary to majority of
the installation processes. Current installers only show the users a subset of
requested permissions, and denying them usually results in rejection of applica-
tion installation. Hence the user has no choice to either accept all, or not use
the application.

Fig. 2. 3P framework

Our frame work has three major modules, which work with each other and
interact with the user to customize the permission process. These are explained
in the following subsections.
APK Parser: This module is responsible of parsing the .apk file to extract
the permissions from AndroidM anif est.xml file. This customized parser looks
for all the different types of permissions requested and then feeds them to the
classifier module for further analysis. In case the parser is unable to locate the
manifest file, or the format is not understandable, the application is immediately
rejected and marked as a security threat.
Permission Classifier: This module plays a major role in the whole installation
process, as it is responsible for identifying and classifying the permissions into
 3P Framework: Customizable Permission Architecture for Mobile App 451

different categories. The permissions can primarily be classified into three cate-
gories. Android SDK provides a list of permissions which are available to appli-
cation developers, for gaining access to different resources/information available
on the smart device. In addition the application developers provide informa-
tion on application distribution stores, regarding which permissions they will be
requesting/requiring to use the application. In light of this, the permission classi-
fier categorizes the list based on manifest file as: (a) Requested and listed in app
description, (b) Requested but not listed in app description, and (c) Requested
but not listed and are not part of the standard list of permissions available with
SDK (details in Sect. 5).
The permission classifier maintains a Legal Permission Database, which
extracts information from the available and regularly updated permission lists
for Android SDK online [21]. It also maintains a historical listing and changes
in it.
User Behavior and Policy Manager: This is another core module of the
customized installer, as it has a multi facet job. It is responsible for interacting
with the user, categorization of apps, maintain/enforce the permission policy
for installation of the app. Fundamentally this module classifies the application
into different categories and then limits the permissions required for a specific
category. It is a tricky task to categories the large number of applications that
are available online, but Google Play store fundamentally divides all apps into
Games and Applications. Games are further divided into 17 subcategories, and
Applications into 30 subcategories, as of writing of this paper. It is mainly for
searching, but we make use of this classification in order to limit the permission
requirement1 .
This module interacts with the user to check which subcategory the appli-
cation falls in, and shows them the minimum required permissions for that cat-
egory. For Example, the applications in Photography category do not need to
have access to account manager or read contacts permission. Hence the mini-
mum default permissions are set based on apps services, purpose, and users’
requirements. In addition the users do have the option to custom select the
permissions as they seem fit.
The information is stored in the policy database, and it is updated to learn
the behavior of the user. For instance, if the user specifically grants a permission
that is not the default for the category, next time the user installs a similar
application (or the same) it is highlighted. The user interface shows the user
options to select minimum default recommended, accept what the application
has requested, or customize completely for advanced users.

1
Change is categories at Google Play Store does not effect implementation of this
research. Other application categorizations can also be as effectively used as this
one.
452 S. Biswas et al.

5 Implementation and Analysis

The 3P Framework as a whole is implemented at the Application Framework
layer of the Android 5.1.1 OS, with API 25 for permissions. The Legal Permission
Database and Policy Database are implemented as libraries. As shown in Fig. 2,
the .apk file may come through the application layer or directly selected from
the local memory by the user. After permission classification is done, the min-
imum required permissions are granted and applications are installed. We have
used our framework to install three applications: i.e. Facebook (v76.0.0.0.27),
WeChat (v6.5.4), QQi (International v5.1.2) obtained from Google Play store.
In this section we describe the permission classification, forensic analysis, and
installation with minimum required permissions.
The objective of this exercise is to understand the process of permission
requests and users’ capability to select which to allow and which not to. Hence
the intention is not to highlight security vulnerabilities in these apps, but rather
to empower the user to select the permission while still being able to use the
application.

5.1 Permission Classification Analysis

The permission Classifier module classifies the permission requested by the appli-
cation into three categories, as described in earlier sections. It is important to
note the difference among the three. The first category is legitimate, but the
second is of concern, as the user is not aware or notified about the permis-
sions required. Moreover many of the installation platforms group the permission
broadly, which hides the detail and depth of permissions requested from the user.
Lastly the third category is surprising to even exist. There could be a number of
reasons for them to be present, including multi-platform compatibility, version
revisions, internal application working, etc. But as they are listed in manifest
file, it is important to be aware of their existence.
Table 3 summarizes parsed permissions from the apk files of the above men-
tioned applications for Android. The listed permissions are taken from the
Android SDK reference. This table shows permissions which were listed in the
app description and requested, not listed but requested, and not requested at
all. We can see that Facebook requests 30 permissions in total, but only 11 are
listed in the Google Play description of it2 . Keeping in view that Facebook is
a rich social platform, the number of permissions required is large, but listing
them explicitly for the information of user is important. WeChat is an even com-
prehensive application with micro-banking and other capabilities. It requests 40
permissions from the user, out of which 15 are listed on the Google Play descrip-
tion page for it. QQi which is the international version of the QQ application,
and is primarily a communication app, requests 44 permissions and only 18 of
them are listed on the Google Play description page.
2
All observations regarding number of permissions is based on the information avail-
able at the time of writing this paper. This information is subject to change at
anytime.
 3P Framework: Customizable Permission Architecture for Mobile App 453

Table 3. Permissions requested by mobile apps. L: Listed, NL: Not Listed,

R: Requested, NR: Not Requested

Permission Facebook WeChat QQi

ACCESS COARSE LOCATION L, R L, R L, R
ACCESS FINE LOCATION L, R L, R L, R
ACCESS NETWORK STATE L, R L, R L, R
ACCESS WIFI STATE L, R L, R L, R
AUTHENTICATE ACCOUNTS L, R NL, R L, R
BATTERY STATS NL, R NR NR
BLUETOOTH NR NL, R L, R
BLUETOOTH ADMIN NR NL, R L, R
BODY SENSORS NR L, R NR
BROADCAST STICKY NL, R NL, R NL, R
CALL PHONE NR NR NL, R
CAMERA L, R L, R L, R
CHANGE CONFIGURATION NR NR NL, R
CHANGE NETWORK STATE NL, R NR L, R
CHANGE WIFI MULTICUST STATE NR NR NL, R
CHANGE WIFI STATE NL, R L, R L, R
DISABLE KEYGUARD NR NR NL, R
DOWNLOAD WITHOUT NOTIFICATION NR NL, R NR
FLASHLIGHT NR NR NL, R
GET ACCOUNTS NL, R NL, R L, R
GET PACKAGE SIZE NR NL, R NR
GET TASKS NL, R NL, R NL, R
INSTALL SHORTCUT NR NL, R NL, R
INTERNET L, R L, R L, R
KILL BACKGROUND PROCESSES NR NR NL, R
MANAGE ACCOUNTS NL, R NL, R NL, R
MODIFY AUDIO SETTINGS NR L, R NL, R
NFC NR L, R L, R
PERSISTENT ACTIVITY NR NR NL, R
READ CALENDER L, R NR NL, R
READ CONTACTS NL, R L, R L, R
READ EXTERNAL STORAGE L, R NR NR
READ LOGS NR NR NL, R
READ PHONE STATE NL, R NL, R NL, R
READ PROFILE NL, R NL, R NR
READ SETTINGS NR NR NL, R
READ SMS NL, R NR NL, R
READ SYNC SETTINGS NL, R NL, R NR
RECEIVE BOOT COMPLETED NL, R NL, R NL, R
RECORD AUDIO NL, R L, R L, R
RESTART PACKAGES NR NR NL, R
SEND SMS NR NR NL, R
SET ALARM NR NL, R NR
SYSTEM ALERT WINDOW NL, R NL, R NL, R
UNINSTALL SHORTCUT NR NL, R NR
USE CREDENTIALS NR NL, R NR
USE FINGERPRINT NR NL, R NR
VIBRATE NL, R NL, R L, R
WAKE LOCK NL, R NL, R L, R
WRITE APP BADGE NR NL, R NR
WRITE CALENDER L, R NR NL, R
WRITE CONTACTS NL, R NL, R NL, R
WRITE EXTERNAL STORAGE L, R NR L, R
WRITE SETTINGS NR NL, R NL, R
WRITE SYNC SETTINGS NL, R NL, R NL, R
454 S. Biswas et al.

In addition the above permissions, the parser module detected unknown

permissions, for example: facebook.pages.app.provider.access, smartdevice. per-
mission.broadcast, tencent.mm. location.permission.send view, to name a few.
Most of these permissions seem to be remnants of older version of the appli-
cations or cross-platform development. For example nokia.pushnotification and
htc.launcher are most probably hardware specific permissions that are required
by customized Android OS on these devices. Nonetheless, these permissions are
in fact hidden from the user, and by default accepted for the application to be
installed.

5.2 Post-installation Analysis

Once the Permission Classifier has categorized all the permissions requested they
are forwarded to User Behavior and Policy Manager. To evaluate basic permis-
sion set against the working of application, we allowed only the basic minimum
permissions listed in Google API as well as declared in the application descrip-
tion. For Facebook, only 11 listed permissions were granted and application was
installed. The application installed successfully and launched normally, which
proves that it is not necessary for the user to accept all the permissions in
order to install the application. Similarly, for WeChat 15 basic permissions were
granted and app was installed. For QQi, 18 permissions were granted and appli-
cation was installed. It is very important to note that after successful launch
of weChat, prompt was given for other permissions, which were required to use
some of the features of the application. This is acceptable behavior as, it clearly
informs the user of permission related to the service they are about to use.
In addition, an important factor that masks the visibility of requested permis-
sions from the users is the UI of operating system, especially if it customized by
the hardware vendor. In our implementation, we tested the framework on three
different hardware, i.e. XiaoMi, LG, and Huawei. For Facebook installation the
total number of permissions requested as shown by XiaoMi were 34, while LG
showed 22, and Huawei 28. This is mainly attributed how the different flavors
of Android customization groups and perceives the requested permissions. This
extends to a potential future work of our system. After installation of the appli-
cation, if the app requests new permissions, they need to be intercepted and user
needs to be notified if any bulk permissions are being granted.

6 Conclusion

Privacy of mobile application users is a major security concern. Android based

applications access different device resources and personal information by seek-
ing permissions from the user. Although this system is designed to inform the
user of what they are allowing on their device, but in reality the user has no
real knowledge of what permissions do, or which permissions they are granting.
In this paper, we presented results from a survey of smartphone users, with an
 3P Framework: Customizable Permission Architecture for Mobile App 455

emphasis on how technical education is related to permissions/privacy knowl-

edge. We found that although the correlation is positive, but has no real signifi-
cance. This drives the need to have permission frameworks, which can assist and
truly inform the user of which permissions they are granting. We have proposed
and implemented a Privacy Permission Policy (3P) framework, which essentially
helps the user and gives them more control over granting application access at
installation. We also have found that, not only the applications request a number
of unnecessary permissions, but have permissions that are not listed in Android
API 25. Our framework enables the user to custom select these permissions, so
that they are more secure.

References
1. Statista: Number of Smartphone Users Worldwide from 2014 to 2020. https://
www.statista.com/statistics/330695/number-of-smartphone-users-worldwide/
2. Statista: Share of Mobile Phone Users that Use a Smartphone in China
from 2013 to 2019. https://www.statista.com/statistics/257045/smartphone-user-
penetration-in-china/
3. Felt, A.P., Finifter, M., Chin, E., Hanna, S., Wagner, D.: A survey of mobile
malware in the wild. In: ACM Workshop on Security and Privacy in Smartphones
and Mobile Devices (SPSM), pp. 3–14 (2011)
4. Thurm, S., Kanel, Y.I.: Your apps are watching you. Wallstreet J. (2010)
5. Zhang, L., Cai, Z., Wang, X.: FakeMask: a novel privacy preserving approach for
smartphones. IEEE Trans. Netw. Serv. Manag. 13(2), 335–348 (2016)
6. He, Z., Cai, Z., Li, Y.: Customized privacy preserving for classification based appli-
cations. In: Proceedings of the ACM Workshop on Privacy-Aware Mobile Comput-
ing, pp. 37–42. ACM (2016)
7. Balebako, R., Marsh, A., Lin, J., Hong, J., Cranor, L.F.: The privacy and security
behaviors of smartphone app developers. In: Workshop on Usable Security UsEC,
February 2014
8. Chin, E., Felt, A.P., Sekar, V., Wagner, D.: Measuring user confidence in smart-
phone security and privacy. In: Proceedings of Symposium on Usable Privacy and
Security SOUPS. ACM, July 2012
9. Felt, A.P., Egelman, S., Wagner, D.: I’Ve got 99 problems, but vibration ain’t
one: a survey of smartphone users’ concerns. In: ACM Workshop on Security and
Privacy in Smartphones and Mobile Devices (SPSM), pp. 33–44 (2012)
10. Lin, J., Amini, S., Hong, J.I., Sadeh, N., Lindqvist, J., Zhang, J.: Expectation
and purpose: understanding users’ mental models of mobile app privacy through
crowdsourcing. In: Proceedings of the ACM Conference on Ubiquitous Computing
(UbiComp), pp. 501–510. ACM, September 2012
11. Benenson, Z., Kroll-Peters, O., Krupp, M.: Attitudes to IT security when using
a smartphone. In: Federated Conference on Computer Science and Information
Systems (FedCSIS), pp. 1179–1183, September 2012
12. Mylonas, A., Kastania, A., Gritzalis, D.: Delegate the smartphone user? Security
awareness in smartphone platforms. Comput. Secur. 34, 47–66 (2013)
13. Fife, E., Orjuela, J.: The privacy calculus: mobile apps and user perceptions of
privacy and security. Int. J. Eng. Bus. Manag. 5(1) (2012)
456 S. Biswas et al.

14. Balebako, R., Jung, J., Lu, W., Cranor, L.F., Nguyen, C.: Little brothers watch-
ing you: raising awareness of data leaks on smartphones. In: Proceedings of the
Symposium on Usable Privacy and Security SOUPS. ACM (2013)
15. Kelley, P.G., Consolvo, S., Cranor, L.F., Jung, J., Sadeh, N., Wetherall, D.: A
conundrum of permissions: installing applications on an Android smartphone. In:
Blyth, J., Dietrich, S., Camp, L.J. (eds.) FC 2012. LNCS, vol. 7398, pp. 68–79.
Springer, Heidelberg (2012). doi:10.1007/978-3-642-34638-5 6
16. Beresford, A.R., Rice, A., Skehin, N., Sohan, R.: MockDroid: trading privacy for
application functionality on smartphones. In: Proceedings of the Workshop on
Mobile Computing Systems and Applications, pp. 49–54. ACM (2011)
17. Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: These aren’t the droids
you’re looking for: retrofitting Android to protect data from imperious applica-
tions. In: Proceedings of the ACM Conference on Computer and Communications
Security, pp. 639–652. ACM (2011)
18. Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming information-stealing smart-
phone applications (on Android). In: McCune, J.M., Balacheff, B., Perrig, A.,
Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 93–107.
Springer, Heidelberg (2011). doi:10.1007/978-3-642-21599-5 7
19. Au, K.W.Y., Zhou, Y.F., Huang, Z., Lie, D.: PScout: analyzing the Android per-
mission specification. In: Proceedings of the ACM Conference on Computer and
Communications Security, pp. 217–228. ACM (2012)
20. Mueller, K., Butler, K.: Flex-P: flexible Android permissions. In: IEEE Symposium
on Security and Privacy, May 2011
21. Android, S.D.K.: Android Manifest Permission API 25. https://developer.android.
com/reference/android/Manifest.permission.html