Mining Android Apps to Recommend Permissions

Permission mechanisms play a crucial role for ensuring privacy and security of Android mobile applications (apps). An Android app that requires access to the device resources must be granted specific permissions for its correct operation. Oftentimes, the requested permissions depend on the APIs being used, e.g., a location-based service API may need a specific permission to access the device's GPS or an API supporting data persistence may need another permission to write to the device's external storage. App developers need to be aware of this API from/to permission traceability, which is not necessarily explicitly documented, for the proper functioning of the desired app feature. This paper presents an approach, named ApMiner, which relies on association rule discovery to identify co-occurrence patterns of Android APIs and permissions. Based on the usage of APIs and permissions in other apps published in a marketplace, the approach is able to learn and help a developer of a new app to recommend the permissions to be added given the APIs being used. ApMiner has been empirically evaluated on 600 apps from F-Droid, a marketplace for free and open source apps. We compared ApMiner with the state-of-the-art approaches Androguard and PScout, which rely on traditional static and dynamic analyses to recommend permissions. Results show that ApMiner has substantial precision gains (about 1.5 to 2 times) over the compared approaches, while keeping a similar and slightly better level of recall. Overall, our findings suggest that a mining based approach could offer much improved effectiveness in automatically recommending permissions in developing (new) Android apps.