Claim What You Need: A Text-Mining Approach on Android Permission Request Authorization

Cited by: 4
Authors
Wei, Mingkui [1]
Gong, Xi [2]
Wang, Wenye [1]
Affiliations
[1] North Carolina State Univ, Raleigh, NC 27606 USA
[2] Cisco Syst Inc, Res Triangle Pk, NC 27709 USA
Source
2015 IEEE GLOBAL COMMUNICATIONS CONFERENCE (GLOBECOM) | 2015
DOI
10.1109/GLOCOM.2015.7417472
Chinese Library Classification number
TM [Electrical engineering]; TN [Electronics and communication technology];
Discipline classification code
0808 ; 0809 ;
Abstract
Android is one of the most popular mobile operating systems nowadays, whose popularity, however, also attracts even more crafty developers to develop malicious software, or malware, to exploit illegitimate means for profit. As a basic countermeasure, Android enforces the permission request scheme, in which an application (App) is required to present to the user the system resources (permissions) it will access, and ask for the user's approval before installation. However, this approach has been proven ineffective as it delegates the whole responsibility of decision-making to the user, who usually lacks the professional knowledge to comprehend the interpretation of a permission. Alternatively, much current research focuses on identifying potential malware based on attributes of individual Apps, such as inspecting their source code, which, unfortunately, falls into another extreme, which tends to make the decision for the user. Nevertheless, from the user's perspective, a satisfactory solution should be an approach which assists users to make the decision of the App installation on their own, by providing them with lucid reasons and requiring minimum professional knowledge. Based on the observation that the description of an App is the most direct interface to communicate its functionality to the user, in this paper we are motivated to explore the relationship between the description and the requested permissions of an App, and further build a model to predict proper permissions based on its description. Our evaluation with Apps collected from the Google Play Market shows that our prediction can achieve as high as 87% accuracy. In this regard, provided a user has full understanding of the description of an App, our model can act as an effective reminder to the user if the App tries to stealthily request permissions that are inconsistent with its description, which is a major characteristic commonly exploited by malware.
Pages: 6