Presented at: 19th IEEE International Working Conference on Source Code Analysis and Manipulation Date of Conference: 30 Sept.-1 Oct. 2019 Conference Location: Cleveland, OH, USA DOI: https://doi.org/10.1109/SCAM.2019.00034

1. Permission Issues in Open-Source
Android Apps: An Exploratory Study
Gian Luca Scoccia, Anthony Peruma, Virginia Pujols, Ivano Malavolta, Daniel E. Krutz
19th IEEE International Working Conference on Source Code Analysis and Manipulation
September 30-October 01, 2019

2. Research Goal & Contributions
Replication package availability
Provide a better understanding of permission-related issues
(PRIs) introduced and fixed by developers in Android apps
Frequency of PRIs in
a project and their
decay time
Type of developers
introducing and fixing
PRIs
2

3. Research Questions
1. What are the most common types of permission-related issues in Android
apps?
○ Help developers understand the most prevalent PRIs in their apps and better plan
implementation and maintenance tasks
2. How long do permission-related issues tend to remain in Android apps
across their lifetime?
○ Help developers better prioritize the addressing of PRIs
3. How does developers’ status within the project correlate with the introduction
of permission-related issues?
○ Provides insight on who should be making permission-based decisions for an app
3

4. Permission-Related Issues (PRIs)
Prior published tools
O Over-permission: too many permissions (violates the least
privilege principle).
M-Perm
U Under-permission: not enough requested permissions. M-Perm
MC Missing Check: checkSelfPermission() is not called when
requesting a permission.
P-Lint
MRP Multiple Requests in Proximity: Multiple permission
requested in close proximity, possibly overwhelming the user.
P-Lint
4

5. Dataset Construction
F-Droid
GitHub Repositories
(2,002)
Filtering
(923)
Filtering
(574)
Google Play
Java and
AndroidManifest
MPerm & PLint
PRIs
Note:
Filtering includes: duplicate/forked
repositories, # of commits, weeks of activity
and availability on Google Play Store 5

6. Common Types of PRIs in Android Apps
Findings:
● Permission-related issues are a frequent phenomenon in Android apps
● Over and under-permissions are the two most common issues
Action Item: Developers should integrate permission analysis tools (e.g., MPerm,
PLint) into their development workflow
● Observed a dependence
between PRIs - existence of one
type of PRI indicates that other
types are also present in the
code
6

7. Decay Time of PRIs in Android Apps
Action Item: Developers should pay increased attention to code that has been
written during early project life
Findings:
● Majority of PRIs are fixed in a timespan of a few days after their introduction
● PRI’s can remain in apps for extended periods of time - even years!
● MC issues are harder to
introduce but also harder to fix
once introduced - due to non
trivial code changes
7

8. Developers Responsibility Related to PRIs
Action Item: Developers should be cognizant of PRIs when implementing apps
Findings:
● PRI’s are introduced and fixed by regular contributors and newcomers
● Regular contributors are responsible for the majority of introductions and fixes
● Low association between developers’ status and PRI types introduced/fixed
Developers’ status when introducing PRIs Developers’ status when fixing PRIs
8

9. Summary
● Investigated permission related issues on 574 open-source Android apps
● Permission issues are frequent in Android apps
● Most issues are fixed in a few days, but can also linger for extended periods of
time
● Regular project contributors are responsible for introducing and fixing
permission issues
● Replication package is publically available
9

10. Thanks!
10