Hey Doc, Is This Normal?: Exploring Android Permissions in the Post Marshmallow Era

Billions of hand-held devices are used globally in daily basis. The main reasons for their wide adoption can be considered the introduction of various sensors that have completely reshaped user interaction standards as well as the development of myriads of applications that provide various services to the users. Due to the daily usage of these applications and the wide information that can be deduced from the sensors, a lot of private and sensitive information can be leaked unless access control is applied to the installed applications. In Android, this control was applied upon installation of each application, when the user would be asked to grant the requested permissions. However, this policy has changed in the last versions, allowing users to revoke permissions and grant "dangerous" permissions on demand. In this work we illustrate several flaws in the new permission architecture that can be exploited to gain more access to sensitive user data than what the user considers to have granted.