An Android application risk evaluation framework based on minimum permission set identification

Android utilizes a security mechanism that requires apps to request permission for accessing sensitive user data, e.g., contacts and SMSs, or certain system features, e.g., camera and Internet access. However, Android apps tend to be overprivileged, i.e., they often request more permissions than necessary. This raises the security problem of overprivilege. To alleviate the overprivilege problem, this paper proposes MPDroid, an approach that combines static analysis and collaborative filtering to identify the minimum permissions for an Android app based on its app description and API usage. Given an app, MPDroid first employs collaborative filtering to identify the initial minimum permissions for the app. Then, through static analysis, the final minimum permissions that an app really needs are identified. Finally, it evaluates the overprivilege risk by inspecting the app's extra privileges, i.e., the unnecessary permissions requested by the app. Experiments are conducted on 16,343 popular apps collected from Google Play. The results show that MPDroid outperforms the state-of-the-art approach significantly. (C) 2020 Elsevier Inc. All rights reserved.